Even if patients have heard of the Health Insurance Portability and Accountability Act of 1996, few will know of its great importance in the healthcare sector. After its introduction in 1996, HIPAA has had a long history of revisions and additions, all with the goal of increasing patient protections. Though HIPAA has many regulations regarding health insurance plans and employer-provided health insurance, it is usually discussed in reference to its regulations on data privacy.
HIPAA defines a class of sensitive data as “protected health information,” or PHI, in its Privacy Rule (compliance became mandatory in 2003). Each of the identifiers that make up PHI can be used to tie health data back to a specific person, and if they are shared unnecessarily they leave the patient exposed to identity fraud and medical fraud. There are other reasons to keep the data private, too: some health conditions are regrettably still the subject of stigma, particularly those related to sexual health. And patient privacy matters in its own right: patients should not have their health data freely available to anyone who wants it.
PHI is health information that is linked to any of the following identifiers:
- Names
- Geographic subdivisions smaller than a state (street address, city, county, ZIP code), except the first three digits of a ZIP code when the area sharing those three digits has more than 20,000 residents
- Dates (other than the year) directly related to an individual, such as birth, admission, discharge and death dates, and any age over 89
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers (e.g., bank account)
- Certificate or license numbers
- Vehicle identifiers, including license plates
- Device identifiers and serial numbers
- URLs associated with the patient
- IP addresses
- Biometric identifiers (e.g., finger, retinal and voice prints)
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic or code
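The identifier list above is, in practice, a specification for a de-identification scrubber: a record from which every listed identifier has been removed or generalized (the "Safe Harbor" approach) is no longer PHI. The following is an added example, not code from the original article or from any HIPAA tooling, of how such a scrubber can be written. The field names, the sample record, and the set of three-digit ZIP prefixes treated as low-population areas are all assumptions made for the example; in a real system the ZIP prefix list must come from the current HHS guidance and census data.

```python
import re
from datetime import date

# ASSUMPTION: three-digit ZIP prefixes covering 20,000 or fewer residents,
# which Safe Harbor requires to be reduced to "000". Illustrative only;
# the authoritative list is published by HHS from census data.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Structured fields that Safe Harbor requires to be dropped outright
# (assumed field names for this example).
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}

# Fields holding dates tied to the individual; only the year survives.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# Identifier patterns that commonly leak into free-text notes. Ordered so
# that a URL is consumed before its embedded host could match as an IP.
PATTERNS = {
    "SSN": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "PHONE": re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "URL": re.compile(r"https?://[^\s;,)]+", re.IGNORECASE),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def generalize_zip(zip_code):
    """Keep the first three digits; collapse low-population areas to 000."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return "000"
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def generalize_date(d):
    """Dates directly related to an individual keep only the year."""
    return str(d.year)


def generalize_age(age):
    """Ages over 89 are aggregated into a single '90+' bucket."""
    return "90+" if age > 89 else age


def redact_free_text(text):
    """Replace identifier patterns in notes with labelled placeholders."""
    for label, pattern in PATTERNS.items():
        text = pattern.sub(f"[{label}]", text)
    return text


def deidentify(record):
    """Return a copy of a patient record with Safe Harbor identifiers removed."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # removed entirely
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif isinstance(value, str):
            out[key] = redact_free_text(value)   # scrub free text
        else:
            out[key] = value
    return out


# Constructed sample record for the example (not real patient data).
SAMPLE = {
    "name": "Jane Q. Public",
    "mrn": "MRN-00012345",
    "dob": date(1948, 7, 14),
    "age": 92,
    "zip": "03640",                        # 036 is in the restricted set above
    "admission_date": date(2023, 11, 2),
    "diagnosis": "Type 2 diabetes",
    "notes": "Patient reachable at (555) 010-2000 or jane@example.com; "
             "portal https://portal.example.org/u/98; home IP 198.51.100.7.",
}

if __name__ == "__main__":
    for k, v in deidentify(SAMPLE).items():
        print(f"{k}: {v}")
```

The structured fields are the easy part; the regular expressions only catch identifiers with a recognizable shape, so names and other free-form identifiers in clinical notes still need a dedicated named-entity approach or a manual review step before the output can be treated as de-identified.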
HIPAA requires that everyone in a covered entity's workforce who comes into contact with PHI receives HIPAA compliance training. Among other things, that training teaches them to recognize what counts as PHI and how to protect it. Without a national requirement of this kind, the level of protection would vary from one organization to the next, and many patients would be left exposed.
As well as defining PHI, HIPAA also stipulates how healthcare organizations must protect it. Electronic PHI must be protected in line with the Security Rule, which sets out a number of safeguards that must be in place to be HIPAA-compliant. These safeguards fall into three categories: administrative, which includes things like the training mentioned above, risk analysis and workforce policies; physical, which can be as simple as locked desks and cabinets or controlled access to server rooms; and technical, which protect digital data through measures such as unique user accounts and access controls, audit logs and encryption. The Office for Civil Rights is strict about ensuring these safeguards are in place, and regularly issues corrective action plans or even financial penalties.
All of these measures exist for a simple reason: patients need to be protected from the unauthorized disclosure of their data. That disclosure can take many forms. Cyberattacks deliberately target healthcare systems because health records are valuable to criminals, while employees may simply make mistakes that put patients at risk. Either way, HIPAA seeks to minimize the risk to patients by ensuring that healthcare professionals understand patient privacy rights and act to protect them from harm.