When most people hear HIPAA, they immediately think of the privacy of their personal health information. In legal parlance, this is referred to as protected health information (PHI) or electronic protected health information (ePHI). There are some common misconceptions as to what exactly HIPAA does or does not protect, though.
HIPAA’s privacy protections are covered under the “HIPAA Privacy Rule”. Many people are unaware, though, that this particular law doesn’t necessarily cover all of their personal health information, and that these protections only apply to specific organizations as defined under the law.
It’s important to understand the term “covered entity”. It refers to specific organizations subject to the HIPAA Privacy Rule. That includes healthcare providers, insurers and HMOs, and healthcare clearinghouses. It also extends to any of the “business associates” with whom those covered entities share information. That might include third-party billing services, e-mail providers, software companies that host databases containing patient information, or cloud-based fax services.
Covered entities must take considerable care to be sure that any such third-party service provider has signed a business associate agreement (BAA) acknowledging its obligations to maintain the privacy and security of any PHI that it may receive, store, or transmit. Unfortunately, it might not always be obvious when such information is being handled by a third party. In 2016, for example, an orthopedic clinic contracted with an external vendor to convert its x-ray films to a digital format, and then to recycle the films. Because the clinic failed to get a signed BAA from the vendor, they were charged with violating the HIPAA Privacy Rule and were ordered to pay a $750,000 fine.
Not all organizations that collect PHI are covered under HIPAA. Educational institutions, for example, are instead subject to FERPA, which governs privacy of student information. A student who visits the school nurse, for example, would be protected by FERPA, not by HIPAA.
Employers may also maintain certain information containing medical information about their employees without necessarily being subject to HIPAA. Even if an organization is otherwise considered a covered entity, its handling of such employee records do not automatically fall under that HIPAA Privacy Rule. A hospital that maintains records about the vaccinations status of its employees would not be subject to HIPAA with respect to its handling of those employing records. If, however, an employee becomes a patient of the healthcare provider where they are employed, their records would then be subject to the HIPAA Privacy Rule.
In order for information to be protected under HIPAA, it must be “personally identifiable”, and it must be related to a person's past, present, or future physical or mental health or condition; to any medical treatment provided to a person; or to past, present, or future payment for healthcare.
Information may be deemed as “personally identifiable” if it includes an individual’s name, address, photograph, phone numbers or e-mail addresses, date of birth or Social Security number. Account numbers that could be traced to an individual, including credit card numbers or health plan beneficiary numbers would also render the information personally identifiable. Even information about a person’s vehicle (such as a license plate number) or the serial numbers of medical devices used by a patient could tie the information back to an identifiable individual, and should be treated with caution.
Some information may be shared without violating the HIPAA Privacy Rule. PHI may be shared for marketing or research purposes, provided that a written HIPAA Authorizationis obtained from the patient. For research purposes, PHI may be shared without such authorization if all personally identifiable information is removed prior to sharing the information.
The COVID-19 pandemic has also led to some special exceptions. These include disclosure to first responders and public health authorities in cases where such disclosure is required by law, or when it is necessary to protect the public, or to protect healthcare workers or first responders. There are also exceptions for reporting COVID-19 infections to Health Information Exchanges (HIEs), which are organizations that enable the sharing of electronic protected health information (ePHI) among authorized parties, including public health authorities (PHAs) and researchers.
If your organization is a covered entity under HIPAA, or if you are a business associate of such an organization, it’s important to work with vendors that understand the rules and have the right systems and practices in place to assure full compliance. At WestFax, we provide best-in-class HIPAA compliant fax serviceshosted in in SOC 2 compliant data centers with 24×7 guards, advanced video surveillance, biometric ID access, and server cages. We use the latest technical security controls to prevent unauthorized access to archived faxes, and to in-transit data when faxes are being sent and received.
If your organization is looking to update your technology, contact us today, or call 800-473-6208 to discuss your needs with us. We’ll work with you to make sure your compliance requirements are fully satisfied.