Patient data must be protected by independent physicians, whether that information is contained in paper files or in electronic health records (EHRs). However, it can be confusing to both patient and provider as to exactly what constitutes protected patient data. HIPAA, the Health Insurance Portability and Accountability Act, is a federal law that governs health-related transactions and procedures to protect patient health information and patient privacy.
What information is protected and who is responsible for protecting it?
The HIPAA law refers to “covered entities” as those responsible for protecting patient data. Health and Human Services (HHS) states that “every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity.” Further, HHS defines “health care providers” as all “providers of services (e.g., institutional providers such as hospitals) and providers of medical or health services (e.g., non-institutional providers such as physicians, dentists and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for health care.”
Protected health information (PHI) is essentially identifiable patient information. Anything that can identify the specific patient on paper, in an EHR, or when discussed verbally, is illegal for the independent physician to disclose without the patient’s explicit permission. HIPAA’s Privacy Rule “protects all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.”
Specifically, the individually identifiable health information that is considered PHI includes information that identifies:
• the individual’s past, present or future physical or mental health or condition,
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual.
Individually identifiable health information also includes many common identifiers such as the patient’s name, address, birth date, and Social Security Number that are illegal for the independent physician to disclose.