What is HIPAA Support?
Complete compliance with the HIPAA regulations requires both technical and administrative knowledge. HIPAA support – comprehensive HIPAA support – consists of companies assisting covered entities and business associates in becoming compliant with the HIPAA Rules. The rules for which HIPAA support can be provided include the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. HIPAA support for the Privacy Rule is discussed below.
HIPAA Support: The HIPAA Privacy Rule
The HIPAA Privacy Rule regulates the use and disclosure of protected health information (PHI). PHI is a subset of individually identifiable health information. HIPAA support services are services that a covered entity can use to ensure that it meets its regulatory obligations.
What is Individually Identifiable Health Information?
Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:
- Is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual; and
- That identifies the individual; or, with respect to which, there is a reasonable basis to believe the information can be used to identify the individual.
What is Protected Health Information?
Protected health information means individually identifiable health information that is:
- Transmitted by electronic media;
- Maintained in electronic media; or
- Transmitted or maintained in any other form or medium.
Individually identifiable health information that is excluded from the definition of protected health information includes (among other things):
- Employment records held by a covered entity in its role as an employer; and
- Education records covered by the Family Education Rights and Privacy Act (FERPA).
Under HIPAA, protected health information (PHI) is any piece of information in an individual’s medical record that is created, used, or disclosed during the course of diagnosis or treatment, that can be used to uniquely identify the patient.
According to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), the 18 types of information that qualify as PHI include:
- Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers, serial numbers, or license plate numbers
- Device identifiers or serial numbers
- Web URLs
- IP address
- Biometric identifiers such as fingerprints or voice prints
- Full-face photos
- Any other unique identifying numbers, characteristics, or codes
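A practical way to use the identifier list above is as a check run over a record before it is treated as de-identified. The following is an added example and not code from the original page; it assumes constructed field names, covers only the identifier categories that can be recognised by their shape (dates other than a bare year, ages over 89, telephone/fax numbers, email addresses, Social Security numbers, IP addresses, web URLs), and leaves categories such as biometrics or photos to manual review.

```python
import re

# Patterns for identifier categories recognisable by shape. A full calendar
# date is an identifier; a bare year is not, so the date pattern needs month/day.
PATTERNS = {
    "date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})\b"),
    "telephone/fax number": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "social security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ip address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "web url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}
AGE_LIMIT = 89  # an exact age above this value is itself an identifier


def find_identifiers(record):
    """Return [(field, category), ...] for every field that carries an identifier."""
    hits = []
    for field, value in record.items():
        # Assumed field name: a numeric "age" field is checked against the limit.
        if field == "age" and isinstance(value, int):
            if value > AGE_LIMIT:
                hits.append((field, "age over 89"))
            continue
        text = str(value)
        for category, pattern in PATTERNS.items():
            if pattern.search(text):
                hits.append((field, category))
    return hits


def safe_harbor_clean(record):
    """True when none of the recognised identifier categories remain in the record."""
    return not find_identifiers(record)


def redact(record):
    """Return a copy with flagged values removed; ages over the limit become '90+'."""
    cleaned = dict(record)
    for field, category in find_identifiers(record):
        cleaned[field] = "90+" if category == "age over 89" else "[REDACTED: %s]" % category
    return cleaned


# Constructed sample record, not real patient data.
SAMPLE_RECORD = {
    "admission_date": "2023-04-12",
    "birth_year": "1931",            # year alone is allowed to remain
    "age": 92,
    "phone": "555-123-4567",
    "email": "patient@example.com",
    "ssn": "123-45-6789",
    "portal_ip": "192.0.2.44",
    "notes": "Follow-up at http://clinic.example/visit",
    "diagnosis": "Type 2 diabetes",  # health information, but not an identifier
}
```

Running `find_identifiers(SAMPLE_RECORD)` flags seven fields; `redact` clears them while keeping the bare birth year and the diagnosis.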
The HIPAA Privacy Rule protects protected health information (PHI) from unauthorized use or disclosure. HIPAA support services include services that assist covered entities with fulfilling their Privacy Rule obligations. As part of these obligations, covered entities must:
- Provide patients with full information on how their protected health information is used and disclosed: This is accomplished by giving patients a Notice of Privacy Practices that describes how an individual’s information may be used or shared, specifies an individual’s legal rights with respect to their protected health information held by the covered entity, and the covered entity’s legal duties.
- Provide patients with access to their health information: Patients have the right to inspect, review, and receive a copy of health information about themselves held by covered entities or business associates in a designated record set, which includes a healthcare provider’s medical and billing records. Generally, health plans and providers have to comply with requests for access within 30 days.
- Amend patient information: Patients have the right to request that covered entities amend their protected health information in a designated record set when that information is inaccurate or incomplete. If a covered entity accepts an amendment request, it must make reasonable efforts to provide the amendment to persons that the individual has identified as needing it, and to persons that the covered entity knows might rely on the information. If the request is denied, covered entities must provide the individual with a written denial and allow the individual to submit a statement of disagreement for inclusion in the record.
- Accounting of disclosures: Individuals have a right to receive an accounting of disclosures, which is a listing of when a HIPAA covered entity has shared the individual’s PHI with a person or organization outside of the entity. Accounting is only required for certain disclosure purposes. A covered entity must provide an accounting of disclosures made during the accounting period, which is six years immediately preceding the accounting request, but a covered entity is not obligated to account for any disclosure made before its Privacy Rule compliance date.
- Rights to restrict information: Individuals have the right to request that a covered entity restrict use or disclosure of protected health information for treatment, payment or healthcare operations, disclosure to persons involved in the individual’s healthcare or payment for healthcare, or disclosure to notify family members or others about the individual’s general condition, location, or death. A covered entity is under no obligation to agree to requests for restrictions; however, a covered entity must have a procedure to evaluate all requests. A covered entity that does agree must comply with the agreed restrictions, except for purposes of treating the individual in a medical emergency.