Healthcare organizations must collect patient data to carry out their business functions, so understanding HIPAA compliance requirements is essential. Knowing what constitutes protected health information (PHI) and how to secure it is a large part of what it means to be HIPAA compliant. PHI is any individually identifiable health information; HIPAA groups the identifying elements into 18 patient identifiers.
The Department of Health and Human Services (HHS) lists the 18 HIPAA identifiers as follows:
Geographical elements (such as a street address, city, county, or zip code)
Dates related to the health or identity of individuals (including birthdates, date of admission, date of discharge, date of death, or exact age of a patient older than 89)
Social security numbers
Medical record numbers
Health insurance beneficiary numbers
Device attributes or serial numbers
Digital identifiers, such as website URLs
Biometric elements, including finger, retinal, and voiceprints
Full face photographic images
Other identifying numbers or codes
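Several of the identifiers above have a recognisable shape (social security numbers, record numbers, dates, zip codes, serial numbers, URLs), which is what a data-loss-prevention or de-identification check keys on. The following is an added example, not code from Compliancy Group or HHS, that scans a constructed free-text record for those syntactic identifiers, redacts them, and applies the age rule from the list: an exact age is flagged only when the patient is older than 89, and the example buckets such ages as "90+" (an assumption about the reporting convention). The field labels ("MRN", "SN-", "insurance ID") are assumptions about the sample's formatting, and the regexes are illustrative rather than exhaustive.

```python
import re

# Constructed sample free-text record (fictional values, not real patient data).
SAMPLE_RECORD = (
    "Patient seen 2023-04-12 at 123 Elm Street, Springfield, 62704.\n"
    "SSN 123-45-6789, MRN 00457812, insurance ID XYZ-98765.\n"
    "Device serial SN-A1B2C3D4. Portal: https://portal.example.org/p/4471.\n"
    "Age 92. Discharged 2023-04-15.\n"
)

# Syntactic patterns for the identifier categories that can be recognised by
# shape. The label conventions ("MRN", "SN-", "insurance ID") are assumptions
# about this sample's formatting, not a HIPAA requirement.
PATTERNS = {
    "url": re.compile(r"https?://\S+"),                        # digital identifiers
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),               # social security numbers
    "mrn": re.compile(r"\bMRN\s*\d+\b"),                       # medical record numbers
    "insurance": re.compile(r"\binsurance ID\s+[A-Z0-9-]+"),   # beneficiary numbers
    "serial": re.compile(r"\bSN-[A-Z0-9]+\b"),                 # device serial numbers
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),              # dates tied to the patient
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),                # geographic element
    # Exact age is an identifier only when the patient is older than 89.
    # The lookahead keeps an already-bucketed "Age 90+" from matching again.
    "age": re.compile(r"\bAge\s+(\d{1,3})\b(?!\+)"),
}

# Scan order matters: a value matched by a higher-priority pattern is replaced
# before lower-priority patterns run, so an insurance number is not later
# mis-read as a five-digit zip code.
ORDER = ["url", "ssn", "mrn", "insurance", "serial", "date", "zip", "age"]


def scan(text):
    """Return (redacted_text, found): `found` maps each category to the raw
    values detected; `redacted_text` has them replaced by placeholders."""
    found = {name: [] for name in ORDER}
    for name in ORDER:
        def _replace(m, name=name):
            if name == "age":
                # Assumption: ages over 89 are reported as the bucket "90+".
                if int(m.group(1)) > 89:
                    found[name].append(m.group(1))
                    return "Age 90+"
                return m.group(0)
            found[name].append(m.group(0))
            return f"[{name.upper()}]"
        text = PATTERNS[name].sub(_replace, text)
    return text, found


def is_clean(text):
    """True when a second pass finds no remaining syntactic identifiers."""
    _, found = scan(text)
    return not any(found.values())


if __name__ == "__main__":
    redacted, found = scan(SAMPLE_RECORD)
    for category, values in found.items():
        print(f"{category:10s} {values}")
    print(redacted)
    print("clean after redaction:", is_clean(redacted))
```

Patterns like these catch only the identifiers with a fixed shape; names, street addresses, and city names in free text need a dictionary or named-entity approach, and structured systems should classify by field rather than by regex. The second pass in `is_clean` is the useful check: a redaction routine that leaves something its own scanner still flags, or that re-flags its own placeholders, is not finished.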
18 HIPAA Identifiers and the HIPAA Privacy Rule
The HIPAA Privacy Rule established standards for the use and disclosure of PHI. It requires organizations to adopt the “minimum necessary rule,” which states that covered entities (CEs) must take reasonable steps to limit the use and disclosure of PHI. As such, CEs must access only the information necessary to accomplish their intended purpose. The HIPAA Privacy Rule also lays out patients’ rights with regard to their PHI.
Notice of Privacy Practices (NPP): must be given to patients upon intake. It must be written in a clear manner that patients can easily understand. An NPP describes patient rights in terms of the 18 HIPAA unique identifiers. An NPP also explains what a covered entity (CE) may or may not do with PHI.
Request Access to Medical Records: patients have the right to request their medical records. Patients must fill out an authorization form to do so.
Request an Amendment to Medical Records: the HIPAA Privacy Rule mandates that patients have the right to request an amendment of PHI when they believe there has been an error on their record. It is up to the discretion of the covered entity (CE) to determine if the record is accurate.
Request Special Privacy Protection for PHI: patients have the right to restrict the disclosure of PHI. However, CEs are not required to agree to the request.
Parents’ Access to a Minor’s Medical Records: in most cases, a parent or legal guardian can access a minor’s medical records. HHS provides examples of situations in which parents cannot access a minor’s medical records:
The minor consents to care where parental consent is not required
A court decides that a minor must receive care
A parent agrees that the minor and covered entity have a confidential relationship
18 HIPAA Identifiers and the HIPAA Security Rule
The HIPAA Security Rule mandates that protected health information (PHI) be secured through administrative, physical, and technical safeguards. As part of the HIPAA Security Rule, organizations must have standards for the confidentiality, integrity, and availability of PHI.
Confidentiality: PHI may not be disclosed without prior patient authorization
Integrity: PHI that is transmitted or maintained must only be accessed by those who need access to perform job functions
Availability: organizations and patients must be able to easily access PHI
Need Assistance with your HIPAA Compliance?
Compliancy Group can help! Our cloud-based HIPAA compliance software, the Guard™, gives you the flexibility to work on your HIPAA compliance from anywhere with an internet connection. Our expert Compliance Coaches™ will guide you through our six-stage implementation process, enabling you to Achieve, Illustrate, and Maintain™ HIPAA compliance. Contact Compliancy Group to learn more about HIPAA and PHI regulations.