If your business handles patient information, keep reading. Patient information security is highly regulated and should be taken very seriously. Maintaining proper patient records and keeping the information they contain confidential is your legal requirement. Violations to HIPPA regulations can cost you your reputation as well as thousands in fines.
So what sensitive information is protected by HIPPA? According to the HIPAA Journal there are 18 identifiers that should concern you when you are handling patient information. This data set is referred to as Personal Health Information (PHI) and each item is subject to the HIPAA Privacy Rules. The identifiers include:
- Addresses (including subdivisions smaller than state such as street, city, county, and zip code)
- Dates (except years) directly related to an individual, such as birthdays, admission/discharge dates, death dates, and exact ages of individuals older than 89
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate and license numbers
- Vehicle identifiers
- Device identifiers and serial numbers
- Website URLs
- IP addresses
- Biometric identifiers, including fingerprints, voice prints, iris and retina scans
- Full-face photos and other photos that could allow a patient to be identified
- Any other unique identifying numbers, characteristics, or codes
Now that you know what constitutes PHI and is subsequently protected under HIPAA who exactly should be concerned? The list below as posted by the CDC summarizes the individuals and organizations that are subject to the Privacy Rule and thus considered responsible:
- Healthcare providers: Every healthcare provider, regardless of size of practice, who electronically transmits health information in connection with certain transactions. These transactions include claims, benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has established standards under the HIPAA Transactions Rule.
- Health plans: Entities that provide or pay the cost of medical care. Health plans include health, dental, vision, and prescription drug insurers; health maintenance organizations (HMOs); Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers; and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government- and church-sponsored health plans, and multi-employer health plans.
- Exception: A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.
- Healthcare clearinghouses: Entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most instances, healthcare clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a business associate.
- Business associates: A person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity. These functions, activities, or services include claims processing, data analysis, utilization review, and billing.
HIPAA regulations are ever changing and evolving. The Team of experts at DataShield is committed to keeping you up-to-date and ensuring the safety and security of medical records you handle. For more information about DataShield’s services including our HIPAA compliance call us at 402.898.5000.