HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is a complex piece of legislation on which all healthcare workers receive training so that they can understand and implement it. However, though the law directly affects patients, they are often not informed about what it means for them. HIPAA primarily relates to patient privacy and aims to protect the patient against harms such as fraud or identity theft.
There are two major components of HIPAA that relate to patient privacy: The Privacy Rule, introduced in 2003, and the Security Rule, introduced in 2005. The Privacy Rule offered a definition of “protected health information” as one of the following:
· Telephone numbers
· Addresses or geographical information smaller than the State level (except the first three digits of a ZIP code)
· Social Security numbers
· Fax numbers
· Email addresses
· Medical records
· Health insurance numbers/beneficiary numbers
· Account numbers (e.g. bank account)
· Certificate or license numbers
· Vehicle license plates or other identifiers
· Device serial numbers
· URLs associated with the patient
· IP addresses
· Biometric identifiers (e.g. finger, retinal and voice prints)
· Photographs or video footage
Any piece of information that falls within this definition is considered to be “sensitive data” and thus must be protected by a wide range of means. If it is found that any of these “identifiers” (so called because they can be used to identify the individual to whom they pertain) has been accessed by an unauthorized individual, it is considered to be a data breach. The importance of keeping PHI, which includes all medical records, safe cannot be overstated. Health data fetches a high price on the black market because a record usually contains several pieces of highly valuable information, such as Social Security numbers or credit card numbers (which are needed for billing). By combining pieces of information taken from different medical records, criminals can create false identities and then go on to commit fraud.
To help prevent such breaches, HIPAA requires that a number of safeguards be put in place. These safeguards are described in the Security Rule and can be divided into three broad categories: administrative, physical and technical. Administrative safeguards include measures such as regular training courses and risk assessments, the latter of which aim to spot risks and correct them before an incident occurs. Technical safeguards include measures such as password protection policies, minimum password requirements and two-factor authentication.
All of these act to prevent unauthorized access to PHI. However, another technical safeguard – encryption – must be in place to ensure that if any data is accessed, it cannot be read. There are also numerous physical safeguards that must be in place, such as clear-desk policies, restricted work areas or simply locking monitors when someone leaves their desk. These may seem like simple measures, but without them it would be easy for individuals to walk into a hospital or other healthcare facility and steal patient records.
The Office for Civil Rights, which oversees HIPAA enforcement, puts a huge emphasis on HIPAA compliance, and regularly prosecutes those that fail to enact all of the necessary safeguards to protect patient data.