Whether you’re a healthcare provider or simply work with them, you have an obligation to protect the information of your patients - and their privacy. Here’s what that involves.

Healthcare organizations routinely work with some of the most sensitive data you’ll ever see - information that includes names, addresses, Social Security numbers, and intricate details about personal health. The sort of stuff that could fetch a tidy profit on the black market.
Not surprisingly, there are some pretty strict regulations around the storage, usage, and protection of this data. In the United States, they fall under the Health Insurance Portability and Accountability Act (HIPAA). It’s a pretty comprehensive set of rules and regulations - far too much for us to cover everything today.
Instead, we’re going to focus on one specific subset of HIPAA - privacy.
In essence, the purpose of HIPAA’s patient privacy rule is to ensure that a patient’s information is freely accessible in all situations where it’s essential to their care, but is otherwise protected. It’s about striking a balance, one which promotes access to information while still protecting the privacy and dignity of the person to whom that information belongs. It’s designed to be both flexible and comprehensive - but with that in mind, you should still familiarize yourself with the basic beats of it.
Information it protects includes…
- Any data related to an individual’s physical or mental health, whether past, present, or future.
- Any data on care provided to an individual.
- Payment details on said care.
- Any demographic data, including name, address, age, and gender - in essence, any information which could reasonably be used to identify the individual. This includes date of birth and Social Security number.
Excluded information includes…
- Employment records maintained by a covered entity.
- De-identified health information. This is healthcare data which still includes details on treatment and health, but has had all identifying information removed, so it cannot be used to identify an individual.
Note that in the case of protected information, there is a very specific set of circumstances in which it can be used without requiring the authorization or consent of its owner. While you’re still permitted (and in some cases, encouraged) to notify the individual, you are not required to do so under HIPAA. In some of these situations, an individual may choose to restrict the use of their data, and you are required to comply. Those circumstances include…
- As part of treatment, care, or payment.
- As part of efforts to improve quality of care for future patients, and also for medical reviews, audits, legal services, and insurance.
- For the purposes of public interest or benefit activities.
- When the data has been de-identified and is to be used in research, or public healthcare operations.
- As part of a healthcare directory or for notification purposes.
- For law enforcement or judicial purposes.
HIPAA can be confusing and overwhelming at first - but it’s actually a lot simpler than you’d think. In essence, the main thing you need to remember is that you have a duty of care to protect your patients’ data and their privacy. Understand that, and everything else should fall into place.