
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

HIPAA Privacy Laws

The Objectives of the HIPAA Privacy Laws

The HIPAA privacy laws were first enacted in 2002 with the objective of protecting the confidentiality of patients' healthcare information without obstructing the flow of information required to provide treatment.

The HIPAA privacy laws control who can have access to Protected Health Information (PHI), the conditions under which it can be used, and who it can be disclosed to.


The HIPAA privacy laws do not apply only to healthcare providers and the organizations they work for. They apply to any entity that may have access to healthcare information about a patient that, if it were to fall into the wrong hands, could present a risk of harm to the patient's finances or reputation.


Therefore, health insurers, healthcare clearinghouses, and employers that provide in-house health plans also have HIPAA compliance obligations.

The Information Protected by the HIPAA Privacy Laws

The information protected by the HIPAA privacy laws is known as "Individually Identifiable Health Information". This is any information that can reveal a patient's identity in respect of:

  • the patient´s past, present or future physical or mental condition,
  • the provision of healthcare treatment and healthcare services to the patient, or
  • the past, present, or future payment for the provision of healthcare to the patient.

Because the protected data includes payment information, individually identifiable health information covers not only data such as names, dates of birth, Social Security numbers, and telephone numbers, but also car registration numbers, credit card information, and even examples of a patient's handwriting.

It is important for covered entities to note that the HIPAA privacy laws not only apply to data saved in a written format. Images and videos that contain any individually identifiable health information are also protected by the HIPAA privacy laws.

If, for example, a healthcare provider took a photo of a patient's wound, and the identity of the patient could be established from any distinguishing feature, the confidentiality and disclosure of the photograph would be subject to the conditions of the HIPAA privacy laws.

PHI: Who, When and How?

The HIPAA privacy laws concerning PHI apply to every covered entity and every third-party service provider (or "Business Associate") with whom the covered entity does business. These are the only parties who should have access to PHI unless the patient gives authorization for it to be disclosed for research, marketing, or fundraising purposes.

Disclosure of PHI for the purposes of treatment, payment, or healthcare operations must be contained within a covered entity or Business Associate, unless the disclosure is required by law, is in the public's best interests, or is in the patient's best interests (for example, if the patient is a victim of child abuse, neglect, or domestic violence).

Even then, the HIPAA privacy laws stipulate that covered entities should adhere to the "Minimum Necessary Rule", which states that any disclosure of PHI should be limited to the minimum necessary to achieve the stated purpose. Each request for disclosure should also be reviewed on a case-by-case basis, rather than granting a Business Associate access to PHI simply because it has been allowed access previously.


The Unauthorized Disclosure of PHI

Each covered entity is required to implement safeguards to prevent the unauthorized disclosure of PHI. These safeguards will vary depending on the size of the covered entity and the nature of healthcare it provides, but the penalties for failing to safeguard the integrity of PHI can be extremely high. Healthcare organizations that deliberately or negligently fail to adhere to HIPAA privacy laws can be fined up to $50,000 per offence per day.

According to the Department of Health and Human Services' Office for Civil Rights, the most common cause of unauthorized disclosure of PHI is the loss or theft of personal mobile devices and portable media (laptops, smartphones, and USB flash drives). For this reason, many healthcare organizations have chosen to implement secure messaging solutions as replacements for insecure channels of communication such as SMS and email.

Secure messaging solutions encrypt PHI so that it is indecipherable and unusable should it be intercepted in transit. They also include security mechanisms to ensure that PHI cannot be accidentally or maliciously sent outside a covered entity's private communications network or copied to a USB flash drive. In the event that a personal mobile device is lost or stolen, administrative controls allow any PHI received by the device to be deleted remotely and the secure messaging app to be locked. These controls also work on desktop computers.

Are HIPAA Laws International?

Although the HIPAA Privacy, Security, and Breach Notification Rules only apply to Covered Entities located in the U.S., any business – Covered Entity or Business Associate – that subcontracts services to a third party has to ensure the privacy of Protected Health Information, the confidentiality, integrity, and availability of ePHI, and that processes exist to comply with patient access requests.

To answer the question of whether HIPAA laws are international: if, for example, a Covered Entity subcontracts services to a third party located in Europe, that European third party is required to comply with whatever provisions of HIPAA are included in the terms of its Business Associate Agreement. A Business Associate Agreement is required wherever the third party is located.

This means that an international third-party service provider must comply with the entirety of the Security Rule, the provisions of the Breach Notification Rule requiring Business Associates to notify Covered Entities of any security incident (not just data breaches), and whatever Privacy Rule provisions are written into the Business Associate Agreement. In this respect HIPAA laws are international.
