HIPAA applies to health plans, clearinghouses, and health care providers. This legislation is often considered the “high water mark” for how entities “balance risks to privacy against valuable uses of information” (Ohm 2010). There are two key regulations that emerged from HIPAA: the Privacy Rule and the Security Rule.
a. Standards for Privacy of Individually Identifiable Health Information (Privacy Rule)
Under the Privacy Rule, HIPAA-covered entities cannot disclose individually identifiable health information—known as protected health information (PHI)—unless the individual has authorized the release in writing or the use or disclosure is permitted under one of the Privacy Rule’s exceptions. These exceptions allow the information to be shared within the covered entity for treatment, payment, or health care operations, or for public interest and benefit activities (for example, law enforcement purposes or public health activities). PHI includes information and demographic data related to an individual’s past, present, or future physical or mental health and to the provision or payment of health care services (HHS 2003).
De-identified PHI can be disclosed if the data no longer identify the individual or provide a reasonable basis to identify the individual. HIPAA-covered entities must de-identify data using one of two methods: either obtain a formal determination of de-identification from a qualified statistician, or remove 18 specific identifiers (the “Safe Harbor” method), such as names, addresses, and account numbers (HHS 2012).
Under the Safe Harbor method, the following 18 identifiers of the individual or of his or her relatives, employers, and/or household members must be removed:
- Names
- All geographic subdivisions smaller than a state. (The first three digits of a ZIP code may be retained if the geographic region formed by combining all areas with the same three-digit ZIP prefix has more than 20,000 residents; for regions with 20,000 or fewer residents, the prefix is changed to 000.)
- All dates (except year) directly related to an individual, such as birth date, admission or discharge date, and date of death; and all ages over 89 and any dates (including year) that would indicate such an age. Ages and age-related information over 89 may be aggregated into a single category of 90 years or older.
- Telephone numbers
- Fax numbers
- E-mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- IP addresses
- Biometric identifiers, including finger and voice prints
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
Following removal of the 18 identifiers, the HIPAA-covered entity cannot “have actual knowledge that the information could be used alone or in combination with other information to identify an individual” (Office for Civil Rights 2012).
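As an added example that is not part of the source text, the Safe Harbor rules above applied to one constructed patient record in Python: direct identifiers are dropped, dates are reduced to years, the ZIP code is truncated to its three-digit prefix (or 000), and an age over 89 is binned as 90 or older and its birth year suppressed. The set of low-population ZIP prefixes and every field value are invented placeholders, and the regular-expression scan is only a coarse check for identifiers left behind in free text.

```python
import re
from datetime import date

# Constructed placeholder: three-digit ZIP prefixes whose combined population is
# 20,000 or fewer. A real implementation must derive this set from current Census data.
SMALL_POPULATION_ZIP3 = {"036", "059", "102", "203"}

# Record fields that are direct Safe Harbor identifiers; they are removed outright.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id", "account",
    "license", "vehicle", "device_id", "url", "ip", "biometric", "photo",
}
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")

# Coarse patterns for identifiers that may survive inside free-text fields.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def age_on(birth, as_of):
    """Completed years of age on the as_of date."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))

def zip_to_safe_harbor(zip_code):
    """Keep the three-digit prefix; use 000 when its region has 20,000 or fewer residents."""
    prefix = zip_code[:3]
    return "000" if prefix in SMALL_POPULATION_ZIP3 else prefix

def deidentify(record, as_of):
    """Return a Safe Harbor view of record: identifiers dropped, dates cut to year, age binned."""
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k not in DATE_FIELDS and k != "zip"}
    age = age_on(record["birth_date"], as_of)
    over_89 = age > 89
    out["age"] = "90 or older" if over_89 else age
    if not over_89:  # a birth year would reveal an age over 89, so it is kept only below that
        out["birth_year"] = record["birth_date"].year
    for field in ("admission_date", "discharge_date", "death_date"):
        if record.get(field) is not None:
            out[field.replace("_date", "_year")] = record[field].year
    out["zip3"] = zip_to_safe_harbor(record["zip"])
    return out

def residual_identifiers(text):
    """Names of patterns found in free text; anything returned needs review before release."""
    return sorted(name for name, pat in RESIDUAL_PATTERNS.items() if pat.search(text))

AS_OF = date(2023, 3, 9)  # constructed reference date for age calculation
SAMPLE = {  # constructed record; every value is made up
    "name": "Jane Example", "ssn": "123-45-6789", "email": "jane@example.org",
    "mrn": "MRN-0001", "zip": "03601", "state": "NH", "diagnosis": "hypertension",
    "birth_date": date(1930, 6, 15), "admission_date": date(2023, 3, 2),
    "discharge_date": date(2023, 3, 9), "death_date": None,
    "notes": "Follow-up visit; call 603-555-0100 to reschedule.",
}
```

Running `deidentify(SAMPLE, AS_OF)` leaves the free-text `notes` field intact, which is exactly why `residual_identifiers` is applied to it afterwards.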
b. The Security Standards for the Protection of Electronic Protected Health Information (The Security Rule)
The Security Rule established a national security standard to safeguard health information and addressed the technical and non-technical safeguards that entities must put in place to uphold the Privacy Rule standards. Under the Security Rule, entities must “ensure the confidentiality, integrity, and availability” of all PHI that they create, receive, maintain, or transmit electronically; identify and protect against “reasonably anticipated threats” to the security or integrity of the data and against impermissible uses or disclosures; and ensure workforce compliance. The rule includes physical and technical safeguards as well as organizational and policy requirements that entities must implement (HHS n.d.).