What Is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law whose Privacy Rule gives patients control over their protected health information (PHI). PHI is individually identifiable health information, including demographic data, that relates to:

  • The individual's past, present or future physical or mental health or condition
  • The provision of healthcare to the individual
  • The past, present or future payment for the provision of healthcare to the individual

While patients are free to publicize their own medical condition or experience with a provider, the provider may not release that information without the patient's written authorization, and even then providers are strongly urged to educate patients about the associated risks.

There is, however, an exception to that rule: PHI can be used and disclosed without authorization for treatment, payment and healthcare operations. It can, for example, be shared from a hospital to a physician, from a physician to a hospital, and with insurers for payment-related matters. Beyond that circle (and the other disclosures the Privacy Rule specifically permits or requires), PHI cannot leave the organization without the patient's authorization.

To use or disclose PHI without authorization for any other purpose, the information must first be de-identified. Under HIPAA's "safe harbor" method, 18 categories of identifiers must be removed from a record or patient story before it is considered de-identified. They include:

  • Basic information: names, addresses, phone numbers and Social Security numbers
  • Dates: birth dates, admission dates, discharge dates and dates of death (all date elements more precise than the year)
  • Administrative details: medical record numbers, health plan beneficiary numbers, account numbers, certificate or license numbers, vehicle identifiers (license plates) and serial numbers, URLs and IP addresses
  • Other identifying information: biometric identifiers such as finger and voice prints, full-face photographs and any other unique identifying number, characteristic or code

The last category is often the hardest to satisfy, now that significant amounts of personal information are available online. De-identification is not simply a matter of checking identifiers off the list: even with all 18 categories removed, the record is still identifiable if the remaining details can be combined with other data to work out who the patient is, and the safe harbor method also requires that the organization have no actual knowledge that this is possible.
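To make the safe harbor rule concrete, the following Python script (an added example, not part of this page or of any HIPAA guidance) scans a constructed, fictional discharge note for the pattern-detectable categories listed above, redacts them, and then flags anything that still looks like an identifier so that a human reviewer can apply the "no actual knowledge" check. The note text, the `Patient:` header convention used to locate the name, and the regexes are all assumptions made for this example; names in free text would need a dictionary or NER model, and a production pipeline would also handle the categories with no fixed syntax (beneficiary numbers, account numbers, device serials).

```python
import re
from dataclasses import dataclass, field

# Constructed, fictional discharge note used as sample input (not real patient data).
SAMPLE_NOTE = """\
Patient: Jane Q. Sample, MRN 00483921, DOB 03/14/1961.
Admitted 2023-07-02, discharged 2023-07-09. Phone 555-123-4567,
jane.sample@example.org; SSN 123-45-6789. Portal login from 10.20.30.40,
see https://portal.example.org/visit/88127. Vehicle plate ABC-1234.
Assessment: type 2 diabetes, well controlled on metformin."""

# Regexes for the identifier categories on the page that have a recognisable
# syntax (assumed formats). URLs are stripped before bare IPs so an address
# embedded in a URL is not counted twice.
PATTERNS = [
    ("URL", re.compile(r"https?://\S*[^\s.,;]")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("DATE", re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})\b")),
    ("MRN", re.compile(r"\bMRN\s*\d+\b")),
    ("PLATE", re.compile(r"\b[A-Z]{3}-\d{4}\b")),
    # Names have no fixed shape; this only catches the structured header field.
    # Assumption: the note format always labels the patient "Patient: <name>,".
    ("NAME", re.compile(r"(?<=Patient: )[^,\n]+")),
]


@dataclass
class Result:
    redacted: str
    findings: list = field(default_factory=list)   # (category, matched text)
    residual: list = field(default_factory=list)   # leftover digit runs needing review


def deidentify(text: str) -> Result:
    """Redact the pattern-detectable safe harbor identifiers and report what was found."""
    result = Result(redacted=text)
    for category, pattern in PATTERNS:
        for m in pattern.finditer(result.redacted):
            result.findings.append((category, m.group(0)))
        result.redacted = pattern.sub(f"[{category}]", result.redacted)
    # Removing the listed categories is necessary, not sufficient: any remaining
    # token that still looks like an identifier (here, a run of five or more
    # digits) is handed to a human reviewer instead of being silently released.
    result.residual = re.findall(r"\b\d{5,}\b", result.redacted)
    return result


def is_safe_harbor_candidate(result: Result) -> bool:
    """True only when nothing suspicious survived redaction; a reviewer still signs off."""
    return not result.residual


if __name__ == "__main__":
    r = deidentify(SAMPLE_NOTE)
    for category, value in r.findings:
        print(f"{category:6} {value}")
    print(r.redacted)
    print("residual for review:", r.residual)
    print("candidate for release:", is_safe_harbor_candidate(r))
```

Running the script against the sample note redacts eleven identifiers and leaves no residual digit runs; feeding it a note that mentions a bare beneficiary number instead shows the other half of the rule, because the number is not matched by any pattern and is reported for manual review rather than treated as de-identified.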

Health plans, healthcare clearinghouses and any healthcare provider that transmits health information in electronic form (for claims, benefit eligibility inquiries, referral authorization requests and similar transactions) are covered entities and must comply with HIPAA's Privacy and Security Rules, as must the business associates that handle PHI on their behalf.

Healthcare organizations in Canada face comparable provincial legislation. Ontario's Personal Health Information Protection Act (PHIPA) provides a similar set of rules for the collection, use and disclosure of PHI. The rules apply to all health information custodians (HICs) operating within Ontario and to any individuals or organizations that receive PHI from those HICs, including information technology service providers.

Similar to HIPAA, PHIPA protects any information related to the individual’s physical or mental health, including family health history. It also protects information related to the type and length of care received, the donation of body parts or substances, the individual’s substitute decision-maker and any other information about an individual that’s included in a record containing PHI.

While similar in scope, the two regimes differ significantly in approach. HIPAA is prescriptive: its Security Rule enumerates specific administrative, physical and technical safeguards for PHI. PHIPA is objective-based and uses more general language, requiring custodians to take "reasonable steps" to protect the information and leaving the choice of controls to them.