What is the HIPAA Law Privacy Rule?
Before 1996, the issue of privacy of individual health information was a blip on the federal government’s radar. For years, no federal law prevented individuals’ sensitive health information from being revealed by doctors. Employers and insurance companies, in particular, took advantage of this to ask intrusive medical questions about individual medical histories, current illnesses, and other information. Many individuals could be denied a job, or denied health insurance, depending upon what the answers to these questions revealed. By 1996, when individually identifiable health information could be shared online – with, in effect, the entire world, Congress decided to act by passing the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Law Privacy Rule, a central feature of HIPAA, regulates covered entities’ use and disclosure of protected health information. The HIPAA Law Privacy Rule is discussed in greater detail below.
Who Does the HIPAA Law Privacy Rule Regulate?
Congress delegated the task of creating the HIPAA Law Privacy Rule to the Department of Health and Human Services (HHS). HHS developed the HIPAA Privacy Rule to regulate those entities that came into contact with consumer health information on a regular basis. The Privacy Rule split these entities into two groups. The first of these groups is known as “covered entities.” These entities, which include providers and health plans, perform the primary roles of healthcare treatment and payment. Since these entities hire outside companies to assist with the financial and administrative aspects associated with their primary functions, the Privacy Rule regulates these outside companies, called “business associates,” as well.
Entities that do not fall under the “covered entity” or “business associate” category are not regulated by the Privacy Rule. If they were, practical concerns would become apparent. If the Privacy Rule regulated, say, anyone with knowledge of someone’s protected health information, then something as mundane as neighbors talking across the fence about someone’s medical condition would be illegal, and subject to fines. The government, instead of reasonably regulating who can use or disclose PHI, would be acting as a speech police.
What Does the HIPAA Law Privacy Rule Regulate?
The HIPAA Law Privacy Rule does not regulate every single detail associated with someone that might be health-related. Instead, the Privacy Rule only regulates use and disclosure of protected health information (PHI). Under HIPAA, protected health information is individually identifiable information. To constitute PHI, this individually identifiable health information must relate to the past, present, or future health status of an individual. The information must be created, collected, transmitted, stored, or maintained by a covered entity or business associate. The creation, collection, transmission, storage, or maintenance must be in connection with treatment, payment, or healthcare operations. Unique identifying information that constitutes PHI include:
◈ Names (full or last name and initial).
◈ All geographical identifiers smaller than a state, except for the initial three digits of a zip code, if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
◈ Dates (other than year) directly related to an individual.
◈ Phone numbers.
◈ Fax numbers.
◈ Email addresses.
◈ Social Security numbers.
◈ Medical record numbers.
◈ Health insurance beneficiary numbers.
◈ Account numbers.
◈ Certificate/license numbers.
◈ Vehicle identifiers (including serial numbers and license plate numbers).
◈ Device identifiers and serial numbers.
◈ Web Uniform Resource Locators (URLs).
◈ Internet Protocol (IP) address numbers.
◈ Biometric identifiers, including finger, retinal and voice prints.
◈ Full face photographic images and any comparable images.
◈ Any other unique identifying number, characteristic, or code.
If information is not individually identifiable, or it is not related to health status, then the information does not constitute protected health information. To constitute PHI, information has to relate both to healthcare, and to a particular individual; it is the individual’s privacy with respect to that healthcare that is the concern of the Privacy Rule.
If all of these above identifiers are removed (de-identified) from health data, it ceases to be protected health information and the HIPAA Privacy Rule’s restrictions on uses and disclosures no longer apply.