Module 6: HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law on August 21, 1996 as an Act to “improve the portability and accountability of health insurance coverage” for employees between jobs, and to combat waste, fraud and abuse in health insurance and healthcare delivery. The Act also contained passages to promote the use of medical savings accounts by introducing tax breaks, provide coverage for employees with pre-existing medical conditions and simplify the administration of health insurance.
Once HIPAA had been signed into law, the US Department of Health and Human Services set about creating the first HIPAA Privacy and Security Rules. The Privacy Rule had an effective compliance date of April 14, 2003 and defined Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual”. The full list of personal identifiers that are “linked to an individual” - and that make health information Protected Health Information - can be found in the section “What is PHI?” below.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by "covered entities", “Business Associates” and third-party service providers who may encounter patient healthcare data or payment information.
What constitutes “PHI” is broadly regarded to be any part of an individual’s medical records or payment history and, in order to provide a more comprehensive definition of “PHI” for those who have a responsibility to protect it, we have dedicated an entire section to “What is PHI?” below.
A covered entity is an individual or organization that maintains patient healthcare or payment information. This is likely to include healthcare providers, health plans and healthcare clearinghouses; although some exceptions exist to this generalization.
The Privacy Rule requires covered entities to notify individuals about how their PHI will be used. Covered entities must also keep track of disclosures of PHI and document all privacy policies and procedures. They must appoint a privacy officer and a contact person responsible for receiving complaints, and they must train all members of their workforce on the policies and procedures regarding PHI. Those policies must address when PHI can be disclosed, to whom, and under what specific circumstances.
What is PHI?
As mentioned above, PHI stands for Protected Health Information and is defined as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual”. But what is this “information” and who does it apply to?
HIPAA regulations list eighteen personal identifiers. Health information held by a covered entity that contains any of these identifiers is individually identifiable and is therefore classed as Protected Health Information. The eighteen personal identifiers are:
· Names
· All geographical data smaller than a state
· Dates (other than year) directly related to an individual
· Telephone numbers
· Fax numbers
· Email addresses
· Social Security numbers
· Medical record numbers
· Health insurance plan beneficiary numbers
· Account numbers
· Certificate/license numbers
· Vehicle identifiers and serial numbers including license plates
· Device identifiers and serial numbers
· Web URLs
· Internet protocol (IP) addresses
· Biometric identifiers (e.g., retinal scans, fingerprints, voice prints)
· Full face photos and comparable images
· Any unique identifying number, characteristic or code
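The list above is what a data-protection control has to look for in practice. The following is an added example, not part of the module text, that scans a constructed patient record for the eighteen identifier categories and produces a copy with the identifiers removed, keeping only the year of any date and only state-level geography. The field names, the ISO date format and the free-text regular expressions are assumptions made for the example; the field map exists because categories such as medical record numbers, plan numbers and “any other unique identifying code” cannot be recognised from the value alone. The example does not implement every condition of the Privacy Rule’s de-identification standard, only the categories as listed above.

```python
"""Scan a constructed patient record for the eighteen HIPAA identifier
categories and strip them. Added example; not part of the HIPAA text."""
import re
from datetime import date

# Assumed field names for the sample schema (not taken from the Privacy Rule).
DIRECT_IDENTIFIER_FIELDS = {
    "name": "Names",
    "street": "Geographic data smaller than a state",
    "city": "Geographic data smaller than a state",
    "zip": "Geographic data smaller than a state",
    "phone": "Telephone numbers",
    "fax": "Fax numbers",
    "email": "Email addresses",
    "ssn": "Social Security numbers",
    "mrn": "Medical record numbers",
    "plan_id": "Health insurance plan beneficiary numbers",
    "account": "Account numbers",
    "license": "Certificate/license numbers",
    "plate": "Vehicle identifiers",
    "device_serial": "Device identifiers and serial numbers",
    "url": "Web URLs",
    "ip": "IP addresses",
    "fingerprint_hash": "Biometric identifiers",
    "photo": "Full face photos",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}  # dates other than year

# Free-text patterns; assumed formats, deliberately narrow to limit false hits.
FREE_TEXT_PATTERNS = {
    "Social Security numbers": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Telephone numbers": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "Email addresses": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IP addresses": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Web URLs": re.compile(r"https?://\S+"),
    "Dates other than year": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{4}\b"),
}

# Constructed, fictional record used as sample input.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street": "12 Example Lane",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "dob": "1984-03-09",
    "admit_date": "2023-11-02",
    "ssn": "123-45-6789",
    "mrn": "MRN-0099812",
    "ip": "203.0.113.7",
    "diagnosis": "Type 2 diabetes",
    "notes": "Follow-up by phone 555-867-5309 or jane@example.com; "
             "device log at http://example.org/d/7 on 11/05/2023.",
}


def find_identifiers(record):
    """Return {category: [field name or 'field: matched text', ...]} for every
    value in the record that falls under one of the identifier categories."""
    hits = {}
    for field, value in record.items():
        if value in (None, ""):
            continue
        if field in DIRECT_IDENTIFIER_FIELDS:
            hits.setdefault(DIRECT_IDENTIFIER_FIELDS[field], []).append(field)
        elif field in DATE_FIELDS:
            hits.setdefault("Dates other than year", []).append(field)
        elif isinstance(value, str):
            # Free-text fields (clinical notes) are where identifiers leak unnoticed.
            for category, pattern in FREE_TEXT_PATTERNS.items():
                for match in pattern.findall(value):
                    hits.setdefault(category, []).append(f"{field}: {match}")
    return hits


def deidentify(record):
    """Copy the record with identifier fields dropped, dates reduced to the
    year, geography reduced to the state field, and free-text hits replaced."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                       # drop the identifier outright
        if field in DATE_FIELDS:
            try:                           # assumes ISO YYYY-MM-DD strings
                out[f"{field}_year"] = str(date.fromisoformat(value).year)
            except (TypeError, ValueError):
                pass                       # unparseable date: drop rather than leak
            continue
        if isinstance(value, str):
            for category, pattern in FREE_TEXT_PATTERNS.items():
                value = pattern.sub(f"[REDACTED:{category}]", value)
        out[field] = value
    return out


if __name__ == "__main__":
    for category, where in find_identifiers(SAMPLE_RECORD).items():
        print(f"{category}: {where}")
    print(deidentify(SAMPLE_RECORD))
```

Running `find_identifiers` again over the output of `deidentify` returns an empty result, which is the check a reviewer would want before a de-identified extract leaves the covered entity; the regular expressions will still miss identifiers written in other formats, so the pattern set has to be tuned to the data actually held.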
Who Has a Responsibility to Protect PHI?
Persons with a responsibility to protect PHI and comply with the HIPAA Privacy Rule fall into three main categories - “Covered Entities”, “Business Associates” and “Subcontractors”.
Covered entities are the individuals, institutions or organizations that maintain patient healthcare or payment information or would reasonably be expected to encounter PHI in the course of their daily duties - mostly, healthcare providers, health plans and healthcare clearinghouses. Examples of covered entities include:
· Healthcare Providers - Healthcare providers include all “providers of services” (e.g., institutional providers such as hospitals) and “providers of medical or health services” (e.g., non-institutional providers such as physicians, dentists and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or receives payment for the provision of healthcare services.
· Health Plans - Individual and group health plans that provide or pay the cost of medical care are covered entities. Health plans include health, dental, vision and prescription drug insurers, health maintenance organizations (“HMOs”), Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include some employer-sponsored group health plans, government and church-sponsored health plans and multi-employer health plans.
· Healthcare Clearinghouses - Healthcare clearinghouses include billing services, repricing companies, community health management information systems and value-added networks that perform clearinghouse functions, such as processing non-standard information they receive from another entity into a standard format, or vice versa.
In most instances, healthcare clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a Business Associate. In such instances, only certain provisions of the Privacy Rule are applicable to healthcare clearinghouses’ uses and disclosures of Protected Health Information.
· Business Associates – Business Associates are persons or entities that are not employed by a covered entity but perform or assist in performing on behalf of a covered entity, a function or activity regulated by HIPAA. A member of a covered entity’s workforce is not one of its Business Associates, but a covered entity could in theory be a Business Associate of another covered entity depending on the services it provides.
Use and Disclosure of PHI
The HIPAA Privacy Rule limits how PHI can be used and disclosed in order to protect patient healthcare and payment information, while attempting to avoid creating unnecessary barriers to the delivery of healthcare services.