Many patients will have heard of HIPAA (the Health Insurance Portability and Accountability Act of 1996) in some way, though they may not be able to explain what it is about. The Act legislates on patient data and protecting patient privacy in the healthcare sector. However, this is only a simple summary of what HIPAA does: in reality, it rules on a wide range of privacy-related issues in healthcare, from defining what sorts of data must be protected to laying out the penalties for failing to safeguard that data. This article aims to explain how HIPAA protects patients and their data.
How is patient data protected?
Before explaining how data should be protected, HIPAA must first outline what protected health information (PHI) is. PHI includes any identifiers or sensitive pieces of information that can be used to identify an individual or that leave them vulnerable to fraud. PHI includes all of the information below:
- Telephone numbers
- Addresses or geographical information smaller than the State level (except the first three digits of ZIP code)
- Social Security numbers
- Fax numbers
- Email addresses
- Medical records
- Health insurance numbers/beneficiary numbers
- Account numbers (e.g. bank account)
- Certificate or license numbers
- Vehicle license plates or other identifiers
- Device serial numbers
- URLs associated with the patient
- IP addresses
- Biometric identifiers (e.g. finger, retinal and voice prints)
- Photographs or video footage
Under HIPAA, all of these pieces of information must be protected by the safeguards outlined in the Security Rule. The Security Rule lists a number of measures that must be in place to protect data. The safeguards are defined as follows:
- Administrative safeguards: clear reporting mechanisms, assignment of security personnel, PHI access management, regular training courses, yearly (or more frequent) audits
- Physical safeguards: clear desk policies, security guards, locking desks, facility access restrictions
- Technical safeguards: encryption, transmission security, two-factor authentication
Each of these addresses a different aspect of the security threats to patient data, and all must be in place for an organization to be HIPAA-compliant. To ensure that they are in place, the Office for Civil Rights (OCR) conducts regular audits that assess an organization’s approach to protecting data and enforcing HIPAA. If the OCR discovers at any point during these audits that an organization has failed to implement a safeguard or otherwise adhere to HIPAA, it issues a corrective action plan (CAP). In many cases, a financial penalty will also be levied against the organization, particularly if the breach is severe or persistent. The last few years have seen multi-million dollar fines issued for breaches that were the result of willful ignorance or negligence by healthcare organizations.
HIPAA takes a multifaceted approach to protecting patient data. By requiring that all employees are trained in HIPAA compliance, it keeps patient privacy at the forefront of people’s minds and also reduces the incidence of human error. Additionally, the fines act as a deterrent for any organization tempted to “cut corners” by not putting every safeguard necessary to protect data in place.