The Healthcare Insurance Portability and Accountability Act (HIPAA) of 1996 is widely known as one of our country’s most important privacy protection laws. It had profound implications for healthcare providers, insurers, and other organizations that come into contact with protected health information. Regulators take HIPAA very seriously, and fines be costly if government agencies determine that patient privacy has not been adequately protected. In addition to those financial penalties, organizations may suffer repetitional damage as a result of HIPAA violations.
HIPAA’s privacy protections are covered under the “HIPAA Privacy Rule”. So which information does HIPAA protect, exactly? Let’s begin with a few important definitions:
“Protected health information” (PHI) is individually identifiable health information that is maintained or transmitted by a covered entity; and which was created, used, or disclosed in the course of medical diagnosis or treatment. The law carves out a few exceptions, including educational records maintained under FERPA, as well as certain employment records maintained by healthcare providers and other covered entities.
“Covered entity” refers to specific organizations that are subject to the HIPAA Privacy Rule, including healthcare providers, insurers and HMOs, and healthcare clearinghouses.
“Electronic protected health information (ePHI)” simply refers to any PHI maintained or transmitted in electronic form.
What Makes Information “Personally Identifiable”?
Information may be considered “personally identifiable” under the HIPAA Privacy Rule if it contains any of the following data points pertaining to a patient:
- Name
- Address
or any subset of address data that could be used to identify a location within a US state or territory. For example, a zip code or county might be considered personally identifiable, but merely listing a patient’s state of residence would not. - Dates
such as date of birth, admission or discharge dates, death dates, and exact ages of individuals under than 89 - Telephone numbers
including fax numbers and cell phone numbers - Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Other account numbers
including credit card numbers, pharmacy card numbers, etc. - Certificate and license numbers
- Vehicle identifiers
including license plate registration numbers or similar information - Device identifiers and serial numbers
including that which is associated with medical equipment used by the patient - Website URLs
associated with the individual, including social media accounts or URLs that point to the patient’s medical records or accounts - IP addresses
- Biometric identifiers
including fingerprints, voice prints, and retina scans, for example - Photographs
including full-face photos or any other pictures from which a patient could and be personally identified - Any other unique identifying numbers, characteristics, or codes
When is it OK to Share PHI?
Obviously, it is sometimes necessary for certain organizations to share PHI with one another. Healthcare providers, for example, must communicate which services have been provided to a patient, including the diagnosis and treatment. While that scenario sounds obvious, there are a number of less obvious situations that also call special attention in order to ensure HIPAA compliance. For example, companies that host e-mail servers, third-party billing companies, or providers ofHIPAA-compliant fax services handle PHI on a routine basis, even though they may not necessarily be the ultimate recipients of it.
These organizations must all understand the critical importance of patient privacy and have measures in place to safeguard it. Legally, it’s your responsibility to make sure that these business associates understand the obligation to safeguard PHI, and agree to take the appropriate measures themselves to protect the PHI that has been entrusted to you.
Whenever a covered entity shares PHI with another party, they are ultimately responsible for making sure that it remains secure according to HIPAA guidelines. The best way of handling this is by getting a signed business associate agreement (BAA) from vendors or other business partners who may be sending, receiving, or acting as an intermediary for PHI or ePHI. As part of our HIPAA-compliant Healthcare Fax, WestFax provides an industry-standard Business Associate Agreement. Our BAA agreement satisfies the Health and Human Services (HHS) standards for Health Information Privacy (HIP). Alternatively, we can work with your legal advisors to tailor a custom BAA to meet your needs.
There are a few other scenarios in which PHI may be shared, including for marketing or research; but a written HIPAA Authorization must be obtained from the patient, or all personally identifiable information must be removed before the information is shared.
At WestFax, we provide best-in-class HIPAA-compliant fax services hosted in SOC 2 compliant data centers with 24×7 guards, advanced video surveillance, biometric ID access, and server cages. We use the latest technical security controls to prevent unauthorized access to archived faxes and to in-transit data when faxes are being sent and received.
If your organization is looking to update your technology and work with a fax provider who understands HIPAA, contact us today, or call us at 800-473-6208 to discuss your needs. We’ll work with you to make sure your compliance requirements are fully satisfied.
