When it comes to HIPAA Privacy Rule compliance, covered entities want to ensure they put proper safeguards in place to protect patient rights. However, as with any business operation, it is important to a strike a balance of doing what is necessary. Going overboard with nonessential provisions may be just as injurious as not putting enough security and privacy measures in place. Part of reaching that equilibrium involves knowing what does and does not constitute sensitive information.
What types of electronic protected health information does the HIPAA Privacy Rule cover?
Answer: The HIPAA Privacy Rule safeguards PHI and ePHI. The latter holds the same definition as PHI, but covered entities store it on electronic media, such as a laptop or mobile device.
According to the U.S. Department of Health and Human Services, PHI is "individually identifiable health information" that covered entities or business associates hold or transmit, and the HIPAA Privacy Rule protects this information. Typically, documents must have both an identifier and health data to be considered PHI.
Common identifiers include:
- Patient name.
- Birth date.
- Postal address.
- Social Security number.
- Telephone number.
Common health data include:
- Mental health condition, whether past, present or future.
- Treatments an individual received.
- Health care payments.
Examples of PHI include medical records, laboratory reports and billing information.
What kind of information is not protected under HIPAA?
Answer: Health data that does not contain individual identifiers is typically not considered PHI. Likewise, identifiers alone do not constitute PHI when they represent something other than health information.
Examples of information not protected under HIPAA include employment records of a covered entity, Family Educational Rights and Privacy Act records and heart rate readings without personally identifiable user information.
Many covered entities choose to de-identify documents by stripping any information that could link the health data to an individual, so the health care information is no longer subject to the Privacy Rule. This strategy allows providers to use data for research purposes.
Penalties associated with noncompliance
There are several ways covered entities may violate HIPAA by not understanding what constitutes ePHI. No matter the reason, unauthorized disclosure of protected information is considered a violation, making the covered entity subject to penalties and fees. However, if a provider did so unknowingly or due to reasonable cause, he may not have to pay as high of a fine as someone who released PHI due to willful neglect. Additionally, it is not considered a violation to place safeguards on non-PHI documents, but exercising unnecessary precautions may hinder business operations.