HIPAA Privacy Laws

The Objectives of the HIPAA Privacy Laws

The HIPAA privacy laws were first enacted in 2002 with the objective of protecting the confidentiality of patients´ healthcare information without handicapping the flow of information that was required to provide treatment. The HIPAA privacy laws control who can have access to Protected Health Information (PHI), the conditions under which it can be used, and who it can be disclosed to.

The HIPAA privacy laws not only apply to healthcare providers and the organizations they work for. The laws apply to any entity that may have access to healthcare information about a patient that – if it were to fall into the wrong hands – could present a risk of harm to the patient´s finances or reputation. Therefore health insurers, healthcare clearing houses and employers that provide in-house health plans also have to comply with the HIPAA privacy laws.

The Information Protected by the HIPAA Privacy Laws

The information protected by the HIPAA privacy laws is known as “Individually Identifiable Health Information”. This is any information that can reveal a patient´s identity in respect of:

the patient´s past, present or future physical or mental condition,
the provision of healthcare treatment and healthcare services to the patient, or
the past, present, or future payment for the provision of healthcare to the patient.

Because the protected data includes payment information, individually identifiable health information not only includes data such as names, date of birth, Social Security numbers and telephone numbers, but also car registration numbers, credit card information, and even examples of a patient´s handwriting.

It is important for covered entities to note that the HIPAA privacy laws not only apply to data saved in a written format. Images and videos that contain any individually identifiable health information are also protected by the HIPAA privacy laws.

If, for example, a healthcare provider took a photo of a patient´s wound – and the identity of the patient could be established by any distinguishing feature – the confidentiality and disclosure of the photograph would be subject to the conditions within the HIPAA privacy laws.

PHI: Who, When and How?

The HIPAA privacy laws concerning PHI apply to every covered entity and every third party service provider (or “Business Associate”) with whom the covered entity does business. These are the only parties who should have access to PHI unless authorization is given by the patient for it to be disclosed for research, marketing or fundraising purposes.

Disclosure of PHI for the purposes of treatment, payment or healthcare operations must be contained within a covered entity or Business Associate – unless the disclosure is required by law, is in the public´s best interests or in the patient´s best interests (for example, if the patient is a victim of child abuse, neglect or domestic violence).

Even then, the HIPAA privacy laws stipulate that covered entities should adhere to the “Minimum Necessary Rule” – a rule that states the disclosure of PHI should only be the minimum necessary to achieve the stated purpose. Each request for disclosure should also be reviewed on a case-by-case basis, rather than give access to PHI to a Business Associate because they have been allowed access previously.

The Unauthorized Disclosure of PHI

Each covered entity is required to implement safeguards to prevent the unauthorized disclosure of PHI. These safeguards will vary depending on the size of the covered entity and the nature of healthcare it provides, but the penalties for failing to safeguard the integrity of PHI can be extremely high. Healthcare organizations that deliberately or negligently fail to adhere to HIPAA privacy laws can be fined up to $50,000 per offence per day.

According to the Department of Health and Human Resources´ Office for Civil Rights, the most common reason for the unauthorized disclosure of PHI is the loss or theft of personal mobile devices and portable media devices (laptops, Smartphones and USB flash drives). For this reason, many healthcare organizations have chosen to implement secure messaging solutions as appropriate replacements for unsecure channels of communication such as SMS and email.

Secure messaging solutions encrypt PHI so that it is indecipherable and unusable should it be intercepted in transit, and they also have security mechanisms to ensure that PHI cannot be accidently or maliciously sent outside of a covered entity´s private communications network or copied to a USB flash drive. In the event that a personal mobile device is lost or stolen, administrative controls exist to remotely delete any PHI received by the device and lock the app used for secure messaging. These controls also work on desktop computers.

The Benefits of Secure Messaging Solutions

Not only do secure messaging solutions comply with the HIPAA privacy laws, but also the administrative, physical and technical requirements of the HIPAA Security Rule. This means that mechanisms are in place to monitor secure messages and ensure 100% message accountability which, in turn reduces phone tag – the amount of time wasted by healthcare professionals waiting for confirmation that a message has been received or a reply.

A recent article in CNN Money reported that phone tag costs the US healthcare industry more than $7 billion each year and that the implementation of secure messaging solutions could accelerate healthcare processes such as hospital admissions and patient discharges. Separate studies have also shown that secure messaging accelerates communications, fosters collaboration and, when integrated with an EHR, reduces patient safety incidents and medication errors.

With secure messaging, the information protected by the HIPAA privacy laws remains protected, only authorized users gain access to PHI and healthcare providers can communicate with the same speed and convenience as SMS or email, but without risking the unauthorized disclosure of PHI. Secure messaging satisfies the conditions of the HIPAA privacy laws about who can have access to PHI, the conditions under which it can be used, and who it can be disclosed to.