What Information is Protected Under HIPAA Law?
What Information is Protected Under HIPAA Law
The Healthcare Insurance Portability and Accountability Act (HIPAA) consist of five Titles, each with their own set of HIPAA laws. Four of the five sets of HIPAA laws are straightforward and cover topics such as the portability of healthcare insurance between jobs, the coverage of persons with pre-existing conditions, and tax provisions for medical savings accounts.
However, Title II – the section relating to administrative simplification, preventing healthcare fraud and abuse, and medical liability reform – is far more complicated. It contains subsets of HIPAA laws which sometimes overlap with each other and several of the provisions in Title II have been modified, updated, or impacted by subsequent acts of legislation.
Furthermore, since HIPAA was enacted, the U.S. Department for Health and Human Services (HHS) has promulgated six sets of “Rules”; which, as they are codified in 45 CFR Parts 160, 162, and 164, are strictly speaking HIPAA laws within HIPAA laws. These are most commonly referred to as the Administrative Simplification Rules even though they may also address the topics of preventing healthcare fraud and abuse, and medical liability reform.
What Does Title II of the HIPAA Law Cover?
When the original HIPAA Act was enacted in 1996, the content of Title II was much less than it is today. Mostly Title II focused on definitions, funding the HHS to develop a fraud and abuse control program, and imposing penalties on Covered Entities that failed to comply with standards developed by HHS to control fraud and abuse in the healthcare industry. However, the first two Rules promulgated by HHS were the Transactions and Code Set Standards and Identifier Standards.
The HIPAA Transactions and Code Set Standards
The HIPAA Transactions and Code Set Standards standardize the electronic exchange of patient-identifiable, health-related information in order to simplify the process and reduce the costs associated with payment for healthcare services. They are based on electronic data interchange (EDI) standards, which allow the electronic exchange of information from computer to computer without human involvement.
The HIPAA Identifier Standards
The HIPAA Identifier Standards require covered healthcare providers, health plans, and health care clearinghouses to use a ten-digit “National Provider Identifier” number for all administrative transactions under HIPAA, while covered employers must use the Employer Identification Number issued by the IRS. A subsequent Rule regarding the adoption of unique Health Plan Identifiers and Other Entity identifiers was rescinded in 2019.
The HIPAA Privacy and Security Rules
One of the clauses of the original Title II HIPAA laws – sometimes referred to as the medical HIPAA law – instructed HHS to develop privacy regulations for individually identifiable health information if Congress did not enact its own privacy legislation within three years. Consequently, the first draft of the HIPAA Privacy Rule was not released until 1999; and due to the volume of stakeholder comments, not finalized until 2002. The HIPAA Security Rule was issued one year later.
The HIPAA Privacy Rule
The HIPAA Privacy Rule – also known as the “Standards for Privacy of Individually Identifiable Health Information” – defines Protected Health Information (PHI), who can have access to it, the circumstances in which it can be used, and who it can be disclosed to without authorization of the patient. The Privacy Rule also includes a sub-rule – the Minimum Necessary Rule – which stipulates that the disclosure of PHI must be limited to the minimum necessary for the stated purpose.
The HIPAA Security Rule
Although the HIPAA Privacy Rule applies to all PHI, an additional Rule – the HIPAA Security Rule – was issued specifically to guide Covered Entities on the Administrative, Physical, and Technical Safeguards to be implemented in order to maintain the confidentiality, integrity, and availability of electronic PHI (ePHI). Out of all the HIPAA laws, the Security Rule is the one most frequently modified, updated, or impacted by subsequent acts of legislation.
The HIPAA Enforcement and Breach Notification Rules
The HIPAA Enforcement Rule (2006) and the HIPAA Breach Notification Rule (2009) were important landmarks in the evolution of the HIPAA laws. They gave HHS the authority to investigate violations of HIPAA, extended the scope of HIPAA to Business Associates with access to PHI/ePHI, and pathed the way for the HIPAA Compliance Audit Program which started in 2011 and reveals where most Covered Entities and Business Associates fail to comply with the HIPAA laws.
The HIPAA Enforcement Rule
HHS had originally intended to issue the HIPAA Enforcement Rule at the same time as the Privacy Rule in 2002. However, due to a further volume of stakeholder comments relating to the definitions of covered entities and addressable requirements, and the process for enforcing HIPAA, the HIPAA Enforcement Rule was delayed for four years. The version issued in 2006 has since been amended by the HITECH Act (in 2009) and the Final Omnibus Rule (in 2013).
The HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires Covered Entities and Business Associates to report when unsecured PHI has been acquired, accessed, used, or disclosed in a manner not permitted by HIPAA laws. This was the first time reporting HIPAA breaches had been mandatory, and Covered Entities or Business Associates who fail to comply with the HIPAA Breach Notification Requirements can face additional penalties in addition for those imposed for the breach.
HITECH and the Final Omnibus Rule
Although the HITECH Act of 2009 and the Final Omnibus Rule of 2013 only made subtle changes to the text of HIPAA, their introduction had a significant impact on the enforcement of HIPAA laws. The passage of HITECH in particular resulted in higher fines for non-compliance with HIPAA, providing the HHS´ Office of Civil Rights with more resources to pursue enforcement action. It also gave state attorneys general the authority to take civil action for HIPAA violations on behalf of state residents.
The HITECH Act
The HITECH Act is possibly best known for launching the Meaningful Use program which incentivized healthcare providers to adopt technology in order to make the provision of healthcare more efficient. However, it also extended patients´ rights to enquire who had accessed their PHI, why, and when. The extension of patients´ rights resulted in many more complaints about HIPAA violations to HHS Office for Civil Rights.
The Final Omnibus Rule
While the Final Omnibus Rule mostly codified the provisions of the HITECH Act relevant to HIPAA, it also reversed the burden of proof when a HIPAA violation is identified. Previously, when a violation of HIPAA laws was identified that could potentially expose PHI to authorized acquisition, use, or disclosure, the burden of proof to prove a data breach had occurred rested with the HHS. With the Final Omnibus Rule, the onus is on a Covered Entity to prove a data breach has not occurred.
Ongoing Changes to HIPAA Laws
Although the last major change to HIPAA laws occurred in 2013, minor changes to what information is protected under HIPAA law are more frequent. For example, HHS is currently seeking stakeholder comments on proposed changes to the Privacy Rule that would further extend patients´ rights, improve coordinated care, and reduce the regulatory burden of complying with the HIPAA laws.
What are the HIPAA Laws? FAQs
What does HIPAA law protect?
The HIPAA Privacy Rule protects 18 identifiers of individually identifiable health information. When these data elements are included in a data set, the information is considered protected health information (PHI) and subject to the provisions of the HIPAA Privacy Rules. The identifiers are:
- Addresses (including subdivisions smaller than state such as street, city, county, and zip code)
- Dates (except years) directly related to an individual, such as birthdays, admission/discharge dates, death dates, and exact ages of individuals older than 89
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate and license numbers
- Vehicle identifiers
- Device identifiers and serial numbers
- Website URLs
- IP addresses
- Biometric identifiers, including fingerprints, voice prints, iris and retina scans
- Full-face photos and other photos that could allow a patient to be identified
- Any other unique identifying numbers, characteristics, or codes
What does the HIPAA law cover in respect of allowable uses and disclosures of PHI?
HIPAA permits protected health information to be used for healthcare operations, treatment purposes, and in connection with payment for healthcare services. Information may be disclosed to third parties for those purposes, provided an appropriate relationship exists between the disclosing covered entity and the recipient covered entity or business associate.
What does the HIPAA law say about sharing PHI with other entities?
A covered entity can only share PHI with another covered entity if the recipient has previously or currently a treatment relationship with the patient and the PHI relates to that relationship. In the case of a disclosure to a business associate, a business associate agreement must be obtained. In all cases, the minimum necessary standard applies. Disclosures must be restricted to the minimum necessary information that will allow the recipient to accomplish the intended purpose of use.
Do the HIPAA laws prohibit all other uses of PHI?
HIPAA does not prohibit the use of PHI for all other purposes. PHI can be used for marketing purposes, can be provided to research organizations, and can even be sold by a healthcare organization. However, prior to any use or disclosure of health information that is not expressly permitted by the HIPAA Privacy Rule, one of two steps must be taken:
- A HIPAA authorization must be obtained from a patient, in writing, permitting the covered entity or business associate to use the data for a specific purpose not otherwise permitted under HIPAA.
- The health information must be stripped of all information that allow a patient to be identified.
If you would like further information about the HIPAA laws, who the HIPAA laws cover, and what information is protected under HIPAA law, please read our HIPAA Compliance Checklist. The checklist goes into greater detail about the background and objectives of HIPAA, and how technology solutions are helping Covered Entities and Business Associates better comply with the HIPAA laws.