The Health Insurance Portability and Accountability Act of 1996 (HIPAA) introduced a set of regulations that healthcare organizations must comply with in order to protect patients' health information.

HIPAA regulations set out the rules governing the uses and disclosures of health information (the HIPAA Privacy Rule; see more at ComplianceHome) and the physical, technical, and administrative safeguards that must be in place to protect the confidentiality, integrity, and availability of electronic health information (the HIPAA Security Rule). Together, these two rules protect the privacy of patients and health plan members.

Image source: Science in the News (Harvard University)

HIPAA also helps protect patients from harm. If health information is exposed, stolen, or impermissibly accessed, patients and health plan members must be notified of the breach (the HIPAA Breach Notification Rule) so they can take action to protect themselves from possible consequences such as identity theft and fraud.

The information protected under HIPAA includes all individually identifiable health information created, received, maintained, or transmitted by a HIPAA-covered entity, or by a business associate of a HIPAA-covered entity, in the course of providing medical treatment, obtaining payment for healthcare services, or carrying out healthcare operations.

Such health data includes diagnoses, treatment information, test results, medications, health insurance identification numbers, and any other identifiers that could be used to identify a patient. It also covers contact information such as telephone numbers, addresses, email addresses, dates of birth, and other demographic details.

All health data collected, stored, used, or shared by a HIPAA-covered entity or business associate that contains any of the 18 identifiers listed below must be kept secure and private at all times, and the permissible uses and disclosures of such information are tightly restricted. In most cases, uses and disclosures are limited to healthcare operations, the provision of medical treatment, or payment for healthcare.


The exceptions are when a patient has given HIPAA authorization permitting their health information to be disclosed to a third party or used for a purpose not otherwise allowed by the HIPAA Privacy Rule, or when the health information has been stripped of all 18 of the identifiers listed below (at which point it is considered de-identified and no longer subject to the Privacy Rule).

  • Names, including full names or surnames with initials
  • All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code), except for the first three digits of a ZIP code if, according to the current publicly available data from the U.S. Bureau of the Census, the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; for all such units containing 20,000 or fewer people, the initial three digits are changed to 000
  • All elements of dates (except year) directly related to an individual
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Uniform Resource Locators (URLs)
  • Internet Protocol (IP) addresses
  • Biometric identifiers, including fingerprints, retinal prints, and voice prints
  • Full-face photographs and any comparable images
  • Any other unique identifying number, characteristic, or code, except a code assigned by the investigator to re-identify the data
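The list above is the Safe Harbor de-identification method, and its rules are mechanical enough to implement. The following is an added example (not code from the original article or any HIPAA guidance) that applies the rules to a patient record: it drops the direct identifiers outright, reduces dates to the year, reduces the ZIP code to its three-digit prefix (or 000 when the prefix is on the restricted list), and then scans the free-text fields that survive for identifier patterns that slipped through. The field names, the sample record, and the restricted-prefix set are all constructed for the example; the real restricted set must be derived from current Census Bureau population data, not copied from here.

```python
import re
from datetime import date

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer.
# ASSUMPTION: constructed placeholder values; derive the real set from
# current U.S. Census Bureau data before using this in practice.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203"}

# ASSUMPTION: field names are this example's own schema, mapped onto the
# Safe Harbor identifier categories (names, phone/fax, email, SSN, MRN, ...).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip", "biometric", "photo",
}
# Geographic subdivisions smaller than a state are removed entirely.
SUB_STATE_GEO_FIELDS = {"street", "city", "county"}
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# Patterns used to catch identifiers left behind in free text.
RESIDUAL_PATTERNS = [
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


def generalize_zip(zip_code):
    """Keep the first three ZIP digits, or return 000 for a restricted prefix."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def generalize_date(value):
    """Reduce a date (ISO string or date object) to its year only."""
    if isinstance(value, date):
        return value.year
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", value)
    if not m:
        raise ValueError(f"unrecognized date format: {value!r}")
    return int(m.group(1))


def deidentify(record):
    """Apply the Safe Harbor rules field by field and return a new record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in SUB_STATE_GEO_FIELDS:
            continue  # removed entirely
        if key in DATE_FIELDS:
            out[key] = None if value is None else generalize_date(value)
        elif key == "zip":
            out[key] = generalize_zip(value)
        else:
            out[key] = value
    return out


def find_residual_identifiers(record):
    """Scan remaining string fields for identifier-looking values."""
    hits = []
    for key, value in record.items():
        if isinstance(value, str):
            for kind, pattern in RESIDUAL_PATTERNS:
                if pattern.search(value):
                    hits.append((key, kind))
    return hits


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Public",
    "dob": "1962-07-14",
    "street": "12 Elm St",
    "city": "Springfield",
    "state": "MA",
    "zip": "01089-1234",
    "phone": "413-555-0134",
    "email": "jane@example.com",
    "ssn": "123-45-6789",
    "mrn": "MRN-00042",
    "admission_date": "2023-02-03",
    "diagnosis": "E11.9",
    "notes": "Patient called back from 413-555-0134 to confirm.",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("residual identifiers:", find_residual_identifiers(cleaned))
```

The structured fields come out clean, but the phone number copied into the notes field survives, which is why the residual scan is there: Safe Harbor is a property of the whole record, and free-text fields are where identifiers most often hide. A regex scan is a safety net, not a guarantee; names and other non-patterned identifiers in notes still need manual or NLP-based review.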