HIPAA Privacy Guidelines

How the HIPAA Privacy Guidelines Protect Patient Confidentiality

The HIPAA privacy guidelines were first introduced in 2002 with the aim of protecting patient confidentiality without obstructing the flow of information required to provide treatment. The guidelines defined what data should be considered Protected Health Information (PHI), who should be allowed access to it, when it could be disclosed, and for what purposes.

The HIPAA privacy guidelines apply to any entity that may have access to information about a patient. Each entity has to implement the necessary precautions to prevent the risk of harm to a patient's finances or reputation if there were to be an unauthorized disclosure of PHI. Therefore, the HIPAA privacy guidelines apply not only to healthcare providers and the organizations they work for, but also to health insurers, healthcare clearinghouses and employers that provide in-house health plans.

What is Protected Health Information?

The HIPAA privacy guidelines define PHI as any “individually identifiable health information” that individually or together could reveal a patient's identity. Not only does this definition cover such information as name, address, ZIP code or telephone number, but also any information that could relate to:

  • the past, present or future physical or mental condition of a patient,
  • the provision of any treatment or healthcare service to a patient, or
  • the past, present, or future payment for treatment or healthcare services to a patient.

Consequently, car registration numbers, health plan coverage, and even examples of a patient's handwriting are included in the HIPAA privacy guidelines' definition of PHI – importantly, in image and video format as well as when recorded in written format.

Therefore, if a medical professional took a photograph of a patient's eczema in order to collaborate on the patient's condition with colleagues – and the identity of the patient could be determined by a distinguishing feature – the photograph would be considered PHI under the HIPAA privacy guidelines.

PHI: Who, When and for What?

The only people that should have access to PHI are employees of HIPAA covered entities. The disclosure of PHI without a patient's authorization by employees of HIPAA covered entities is allowed for the purposes of providing a healthcare service to the patient or for payment for the healthcare service.

The only other times that PHI can be disclosed without a patient's authorization are when it is required by law, required by the Office for Civil Rights as part of a HIPAA compliance audit, or when disclosure is in the public's interests or in the patient's interests – for example, if the patient is a victim of child abuse, neglect or domestic violence.

Even in these circumstances – or when a patient has given their authorization for their PHI to be disclosed for research, fundraising or marketing purposes – the HIPAA privacy guidelines stipulate that covered entities have to adhere to the “Minimum Necessary Rule” and limit the amount of information given to the minimum necessary to achieve the stated purpose.

Fines for the Unauthorized Disclosure of PHI

In 2013, the HIPAA privacy guidelines were extended to Business Associates and amended to increase the rights of patients to receive and correct details held about them by a covered entity. At the same time, an amendment to the Health Information Technology for Economic and Clinical Health (HITECH) Act changed the criteria for reporting breaches of the HIPAA privacy guidelines and the value of fines that could be imposed on non-compliant covered entities.

Whereas previously covered entities did not have to report breaches of PHI unless there was a significant risk of harm to a patient's reputation or finances, the revised criteria now made the failure to report a breach of PHI an offence unless it could be proven and documented that a low risk of harm existed. The fines for the unauthorized disclosure of PHI also increased dramatically, up to $50,000 per day per breach, with an upper annual limit of $15 million per breach.

According to the Department of Health and Human Resources' Office for Civil Rights (OCR), many breaches of PHI were avoidable. The most common cause of unauthorized disclosures of PHI is the theft of personal mobile devices and portable media (laptops, smartphones and USB flash drives). Healthcare organizations and other HIPAA covered entities are consequently advised to implement measures to prevent unauthorized access to PHI in compliance with the HIPAA privacy guidelines and the HIPAA Security Rule.

Further Details about the HIPAA Privacy Guidelines

If you would like further details about the HIPAA privacy guidelines, and potential solutions for safeguarding the integrity of PHI, you are invited to download and read our “HIPAA Compliance Guide”. Our guide elaborates on the requirements of the HIPAA privacy guidelines and the HIPAA Security Rule as well as providing information about secure messaging solutions – communication platforms for keeping PHI secure in transit.

The information about secure messaging solutions is supported by case studies from healthcare organizations that have implemented secure communication platforms to comply with the HIPAA privacy guidelines. These case studies demonstrate how secure messaging solutions are cost-effective mechanisms that help to streamline workflows and increase productivity within a healthcare environment.