Strike Graph cybersecurity compliance guides

What cannot be shared under HIPAA?

Written by Strike Graph Team | Nov 3, 2022 10:13:33 PM

If you’re pursuing Health Insurance Portability and Accountability Act (HIPAA) compliance, you probably want to know what information cannot be shared under HIPAA so you don’t make any missteps. Understanding HIPAA’s rules for sharing information puts you on your way to protecting your customers’ privacy, strengthening your reputation for trustworthiness, and avoiding fines.

Protected health information (PHI) cannot be shared under HIPAA without the patient’s written authorization, except for the uses and disclosures the Privacy Rule expressly permits, such as treatment, payment, and health care operations.

So what exactly counts as PHI under HIPAA? It is individually identifiable health information held or transmitted by a covered entity or business associate, in any form: health records, lab reports, bills, even verbal conversations. The following examples of PHI, whether on paper or in electronic form, cannot be shared under HIPAA.

  • Healthcare claims
  • Documentation of doctor's visits
  • Payment and remittance information
  • Coordination of healthcare benefits
  • Claim status
  • Health claims attachments
  • Enrollment information in a health plan
  • Eligibility information for health plans
  • First reports of injury
  • Personal information generated from premium payments
  • Details from electronic funds transfers (EFT)

The next step is to learn the factors that turn health data into PHI. Knowing how to spot identifiers makes it easier to decide when a document or report is PHI that cannot be shared under HIPAA.

Identifiers that make data unshareable under HIPAA

Before covering identifiers, it’s important to understand the roles of covered entity and business associate under HIPAA. A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with a HIPAA standard transaction (claims, eligibility checks, and the like). A business associate is a person or organization that creates, receives, maintains, or transmits PHI on a covered entity’s behalf, such as a billing company, a cloud hosting provider, or a compliance vendor. Both covered entities and their business associates must be vigilant about what patient information they share.

When a covered entity or business associate stores an identifier alongside health information in a patient’s record, the record becomes PHI and cannot be shared under HIPAA. What makes something an identifier? HIPAA’s de-identification standard (45 CFR 164.514) lists 18 categories of identifiers: names, numbers, codes, images, or any other information that can uniquely identify a specific individual. Covered entities and their business associates typically collect identifiers during registration, billing, assessment, or other health care processes.

Read on to learn common categories of identifiers that make data unshareable by covered entities or business associates under HIPAA. 

Device serial numbers and medical record numbers are identifiers.

Device identifiers and serial numbers, along with medical record numbers, are on HIPAA’s list of identifiers, so a record that carries them cannot be shared under HIPAA. Here is a quick review of what they are.

A device identifier or serial number is the alphanumeric string a manufacturer assigns to a specific unit, such as an implanted pacemaker, an insulin pump, or a continuous glucose monitor. Because the manufacturer or the provider can trace that unit back to the patient who wears it, the serial number identifies the patient as surely as a name does. A medical record number (MRN) is the unique code a provider assigns to each patient to tie together visits, lab results, and billing. Since both values point to a single individual, HIPAA classifies them as identifiers. This means that as a covered entity or business associate, you cannot share a record containing device serial numbers or medical record numbers under HIPAA.

Contact information is an identifier.

A covered entity or business associate cannot share patient contact information under HIPAA. Contact information here means any data that can be used to locate or communicate with a specific patient: telephone and fax numbers, email addresses, street addresses and any geographic detail smaller than a state (city, county, precinct, and ZIP code, with a narrow exception for the first three digits of a ZIP code), IP addresses, web URLs, and the like.

Personal information is an identifier.

It is a violation for a covered entity or business associate to share personal information that HIPAA treats as an identifier with a third party without authorization. This includes names, full-face photographs and comparable images, biometric identifiers such as fingerprints and voiceprints, health plan beneficiary numbers, Social Security numbers, account numbers, certificate or license numbers, dates of birth, and any other unique identifying number, characteristic, or code.

Vehicle data is an identifier.

HIPAA lists vehicle identifiers and serial numbers, including license plate numbers and vehicle identification numbers (VINs), as identifiers, because they can be traced to a single owner. Because vehicle data are identifiers, a covered entity or business associate cannot share them under HIPAA.

Dates other than the year are identifiers.

Lastly, HIPAA regards dates directly related to an individual as identifiers: birth date, admission date, discharge date, and date of death. Under the Safe Harbor de-identification method, every element of such a date except the year must be removed. A month and day therefore cannot be shared even after the name has been stripped, while the year alone can. Ages are treated the same way: any age over 89, and any date element (including a birth year) that would reveal such an age, must be collapsed into a single “90 or older” category. So a full date cannot be shared under HIPAA, and neither can a month and day; only the year can.

Just as identifiers turn data into PHI for covered entities and business associates, data without identifiers may fall outside PHI. When every identifier on HIPAA’s list has been removed from a record (names, phone numbers, medical record and serial numbers, street addresses, dates other than the year, and so on) and the organization has no actual knowledge that the remaining data could still identify the patient, the record is de-identified and is no longer PHI. HIPAA also allows a qualified statistician to certify that the risk of re-identification is very small (the Expert Determination method). Covered entities and business associates can share de-identified records under HIPAA.
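To make the Safe Harbor removals above concrete, here is an added Python example (not code from the original article or from Strike Graph) that de-identifies a constructed patient record. It drops the identifier fields, reduces dates to the year, collapses ages over 89 into a single category and drops the birth year in that case, truncates ZIP codes, and redacts common identifier formats in a free-text note. The field names, sample values, and helper names are assumptions chosen for illustration; the restricted ZIP prefix set is the one HHS published from 2000 census figures and should be checked against current guidance.

```python
"""Safe Harbor de-identification of a patient record (added example).

Applies the identifier removals in 45 CFR 164.514(b)(2) to a constructed
record. The field names, sample values, and helper names are assumptions
chosen for illustration; none of them come from the article.
"""
import re
from datetime import date

# Identifier fields removed outright: names, contact data, record, device and
# account numbers, vehicle identifiers, IP addresses, URLs, images.
REMOVE_FIELDS = {
    "name", "mrn", "device_serial", "phone", "fax", "email", "street", "city",
    "county", "ip", "url", "ssn", "license_plate", "vin", "account_number",
    "beneficiary_number", "license_number", "photo",
}
# Dates directly related to the individual: every element except the year goes.
DATE_FIELDS = {"dob", "admitted", "discharged", "died"}
FREE_TEXT_FIELDS = {"note"}
# 3-digit ZIP prefixes that HHS guidance (2000 census figures) says cover
# 20,000 or fewer people; they must become "000". Check the current HHS list.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}
# Common identifier formats in free text. Order matters: SSNs before phones.
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\d{3}-)?\d{3}-\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
]
DATE_IN_TEXT = re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b")


def truncate_zip(zip_code):
    """Keep the first three digits unless the prefix is in the restricted set."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob, today):
    born = date.fromisoformat(dob)
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


def scrub_text(text, name, keep_year):
    """Redact identifiers in free text. Regexes only catch common formats;
    clinical notes normally need review beyond this."""
    if name:
        text = re.sub(re.escape(name), "[NAME]", text, flags=re.IGNORECASE)
    for pattern, replacement in TEXT_PATTERNS:
        text = pattern.sub(replacement, text)
    return DATE_IN_TEXT.sub(r"\1" if keep_year else "[DATE]", text)


def safe_harbor(record, today=None):
    """Return a de-identified copy of record under the Safe Harbor method."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    age = age_on(record["dob"], today) if "dob" in record else None
    # Ages over 89 are identifiers in their own right: collapse them to "90+"
    # and drop any date element (including the year) that would reveal them.
    over_89 = age is not None and age >= 90
    out = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue
        if key in DATE_FIELDS:
            if not (key == "dob" and over_89):
                out[key + "_year"] = int(value[:4])
        elif key == "zip":
            out["zip3"] = truncate_zip(value)
        elif key in FREE_TEXT_FIELDS:
            out[key] = scrub_text(value, record.get("name", ""), keep_year=not over_89)
        else:
            out[key] = value
    if age is not None:
        out["age"] = "90+" if over_89 else str(age)
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "mrn": "MRN-0098213", "device_serial": "CGM-7F3A-2211",
    "phone": "555-0134", "email": "jane.sample@example.com",
    "street": "12 Elm St", "city": "Springfield", "state": "WA", "zip": "98101",
    "ip": "198.51.100.7", "url": "https://portal.example.com/u/8812",
    "ssn": "123-45-6789", "license_plate": "ABC1234",
    "dob": "1931-04-09", "admitted": "2022-10-30", "discharged": "2022-11-02",
    "diagnosis": "Type 2 diabetes mellitus",
    "note": "Pt Jane Q. Sample (DOB 04/09/1931, SSN 123-45-6789) reached at 555-0134.",
}


def demo():
    """De-identify the sample as of a fixed date so the result is reproducible."""
    return safe_harbor(SAMPLE_RECORD, today="2022-11-03")


if __name__ == "__main__":
    print(demo())
```

Run as written, the sample patient is 91, so the output keeps the state, the ZIP prefix 981, the admission and discharge years, and the diagnosis, reports the age as 90+, omits the birth year entirely, and returns the note as "Pt [NAME] (DOB [DATE], SSN [SSN]) reached at [PHONE]." Structured fields are the easy part; the regex pass over free text is a safety net, not a substitute for reviewing notes, and the "actual knowledge" condition still applies to whatever remains.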

You’ve learned how identifiers can turn patient information into PHI that cannot be shared, and next we will explore a few common real-world scenarios to help you understand how to identify PHI that cannot be shared under HIPAA.

Classifying when information is PHI and cannot be shared under HIPAA 

Not all health records are PHI. HIPAA applies only to covered entities and their business associates, so the same identifiable health information can be PHI in one organization’s hands and outside HIPAA in another’s. Understanding who holds the data, and in what role, will help you decide whether it is PHI and whether it can be shared under HIPAA. Read on to review specific scenarios of when data are PHI or not.

Data from wearables can be PHI

Health information from wearables such as blood pressure monitors, smartwatches, biosensors, and ECG monitors is generally not PHI while it is collected, stored, and used by the device manufacturer or app vendor. Why is that? Consumer device makers are usually not covered entities or business associates under HIPAA (other privacy laws may still apply to them). Once a health care provider imports the same data into a patient’s record, or the vendor processes it on a provider’s behalf as a business associate, the information becomes PHI and cannot be shared under HIPAA. Simply put, who holds the data and in what role, not the device that produced it, determines whether it is protected under HIPAA.

Employee records can be PHI

Let’s look at this from another angle: employee records. An employer is not a covered entity or business associate merely by being an employer, and HIPAA explicitly excludes employment records held by a covered entity in its role as employer from the definition of PHI. An employer’s personnel files, sick-leave notes, and fitness-for-duty letters are therefore not PHI and are not governed by HIPAA, although other laws may protect them. If the same information sits in the employee’s chart at an on-site clinic or an outside provider, however, it is PHI there and cannot be shared under HIPAA.

Student records can be PHI

Student records work the same way. Health information kept in education records covered by the Family Educational Rights and Privacy Act (FERPA) is excluded from PHI, so a school’s immunization or school-nurse records are governed by FERPA rather than HIPAA. The deciding factor is again who holds the information and in what role: the same student’s chart at an outside health care provider is PHI, and a school cannot obtain it from a provider or business associate without the student’s (or parent’s) authorization.

Appointment registers can be PHI

An appointment register kept by a covered entity is PHI as soon as it identifies the patient. The fact that a named person has an appointment with a provider is itself health information, so a list of names with telephone numbers or addresses cannot be shared under HIPAA, whether or not a date of birth is attached. Only a register stripped of every identifier, for instance a count of appointments per day, can be shared freely.

Now that you’ve walked through which types of information cannot be shared under HIPAA,  it’s time to learn how to protect that data. 

Protecting PHI under HIPAA

Covered entities must observe the three HIPAA rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule. Covered entities and their business associates must safeguard PHI in specific ways for HIPAA compliance. To ensure data protection, HIPAA requires administrative, physical, and technical safeguards: locked storage for paper records, written data protection policies, workforce training on proper data handling, and access to health records limited to those who need it. We’ve outlined these procedures for you below.

Conducting timely data security training 

As a covered entity or business associate, your first step in protecting PHI under HIPAA is to implement a security awareness and training program. The Privacy and Security Rules require you to train all workforce members on your PHI policies and procedures before they handle PHI. Keep in mind that when a policy changes or new risks are introduced, employees need further training. If you are still unsure when to retrain staff, the following practices help you decide:

    • Routinely reviewing Department of Health and Human Services (HHS) and state publications for changes in rules and guidance
    • Performing consistent risk assessments to detect gaps that could lead to a violation
    • Conducting refresher HIPAA training at least once a year
    • Asking IT staff to flag software upgrades or system changes that could affect HIPAA compliance

Producing in-house policies to ensure HIPAA compliance

When handling PHI, you need policies in place to ensure the confidentiality, integrity, and availability of the sensitive patient information you collect, store, or transmit. Your policies should cover how you protect against reasonably anticipated threats, how you prevent unauthorized use or disclosure of PHI, and what additional safeguards you apply. These policies look different in different organizations; you have the flexibility to write in-house data security policies that fit your operations. Watching for gaps will help ensure compliance. The following best practices help you prevent gaps in your security policies:

    • Designate a privacy officer and a security officer to develop and enforce PHI protection and privacy policies.
    • Grant access to PHI only when it is necessary for a job function (the minimum necessary standard).
    • Closely supervise staff handling PHI.
    • Apply sanctions to staff members who violate set policies and procedures.
    • Carry out periodic assessments to identify and close new gaps.

Performing routine risk assessments to protect PHI

When you’re pursuing HIPAA compliance, you must perform a risk analysis and keep it current. This lets you detect, prevent, or correct vulnerabilities that could result in HIPAA violations. The Security Rule does not prescribe a single method, but HHS guidance says a risk analysis should cover the information systems that hold electronic PHI, the effectiveness of existing safeguards, and the likelihood and impact of potential threats. At a minimum, a reasonable risk analysis should include:

    • An analysis of central information systems used to create, store, and transfer PHI.
    • An evaluation of potential vulnerabilities and threats. 
    • An analysis of the impact of potential risks. 
    • Implementation of security measures to curb identified risks.
    • Documentation of the security measures put in place.
    • The rationale for the security measures chosen.

Think of HIPAA risk assessments as an ongoing process for identifying and resolving vulnerabilities. The Security Rule does not fix an interval, so the frequency can be adapted to your organization’s exposure: an organization at low risk might reassess every three years, while one at higher risk should do so at least annually. Regardless of schedule, you must redo the assessment after upgrading any information system that handles PHI, after a security incident or breach, and after a change in the staff responsible for handling PHI.

Implementing physical safeguards to preserve PHI

When you’re working toward HIPAA compliance, consider how PHI could be physically accessed, modified, or removed without authorization. Physical safeguards protect PHI from unauthorized access and from physical hazards such as fire or flood. They don’t have to be complicated: facility access controls, alarms, surveillance cameras, locked cabinets and server rooms, rules for workstation placement, and procedures for disposing of media that held PHI all count. Written authorization policies stating who may physically access PHI, and where, are another way to ensure compliance.

Creating technical safeguards to protect PHI

You’ve learned how to physically protect your PHI, which is an important aspect of ensuring HIPAA compliance. It’s also important to protect your PHI from digital risks. One way to protect digital PHI is to establish access controls that give each authorized user only the minimum PHI required for their duties, and to assign every user a unique ID so that activity can be traced to a person. HIPAA also specifies the following technical safeguards:

Audit controls: Hardware, software, and procedural mechanisms that record and examine activity in information systems containing PHI. Visibility into who is accessing PHI and what they do with it deters misuse and gives administrators the evidence they need to investigate an alleged violation. Audit records are only useful if they are retained and protected from the people they monitor.

Integrity controls: Policies and technical mechanisms that protect PHI from improper alteration or destruction, whether by an unauthorized party or by an authorized user acting outside their role, together with a way to corroborate that stored PHI has not been changed (for example checksums or message authentication codes). With such checks in place, administrators can confirm whether a record was changed or destroyed rather than take it on faith. Using this technical safeguard helps deter HIPAA data breaches and keeps you on track to achieve compliance.
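The audit and integrity controls above are easier to picture with a small implementation. The following Python is an added example, not code from the original article or from Strike Graph: each audit entry records who touched which PHI record and is bound to the previous entry by an HMAC, so editing or deleting an entry breaks the chain, and each stored record carries a tag that is recomputed on read. The key, actors, record identifiers, timestamps, and events are constructed for illustration.

```python
"""Hash-chained audit log and record integrity tags (added example).

Shows one way to implement audit and integrity controls: each audit entry is
bound to its predecessor by an HMAC, so editing or deleting an entry breaks
the chain, and each stored PHI record carries a tag recomputed on read.
The key, actors, record identifiers and events are constructed for
illustration and are not from the article.
"""
import hashlib
import hmac
import json

# Assumption: in production this key lives in a KMS/HSM or on a separate log
# server, not beside the data it protects. A key the writer also holds only
# detects tampering by parties who lack it.
AUDIT_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64


def canonical(obj):
    """Stable serialization so the same content always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def tag(obj, key=AUDIT_KEY):
    return hmac.new(key, canonical(obj), hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, key=AUDIT_KEY):
        self.key = key
        self.entries = []

    def append(self, actor, action, record_id, at, outcome="success"):
        """Record who did what to which PHI record, chained to the prior entry."""
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        event = {"seq": len(self.entries), "at": at, "actor": actor,
                 "action": action, "record_id": record_id, "outcome": outcome,
                 "prev": prev}
        event["mac"] = tag(event, self.key)
        self.entries.append(event)
        return event

    def verify(self):
        """Return (True, None) if intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if (entry["seq"] != i or entry["prev"] != prev
                    or not hmac.compare_digest(tag(body, self.key), entry["mac"])):
                return False, i
            prev = entry["mac"]
        return True, None


def seal(record, key=AUDIT_KEY):
    """Integrity tag stored alongside a PHI record when it is written."""
    return tag(record, key)


def unchanged(record, stored_tag, key=AUDIT_KEY):
    """Corroborate on read that the record still matches the tag written with it."""
    return hmac.compare_digest(seal(record, key), stored_tag)


def build_log():
    log = AuditLog()
    log.append("nurse.kim", "read", "MRN-0098213", "2022-11-03T10:13:33Z")
    log.append("dr.lee", "update", "MRN-0098213", "2022-11-03T10:20:01Z")
    log.append("billing.bot", "read", "MRN-0044120", "2022-11-03T10:21:47Z", "denied")
    return log


def demo():
    """Intact chain, then two tampering attempts the chain must catch, then a
    stored record altered after it was sealed."""
    intact = build_log().verify()
    edited = build_log()
    edited.entries[1]["actor"] = "nurse.kim"   # rewrite who made the update
    trimmed = build_log()
    del trimmed.entries[1]                     # try to erase the update entirely
    record = {"mrn": "MRN-0098213", "diagnosis": "Type 2 diabetes mellitus"}
    stored = seal(record)
    record["diagnosis"] = "No diagnosis on file"
    return intact, edited.verify(), trimmed.verify(), unchanged(record, stored)


if __name__ == "__main__":
    print(demo())
```

The intact log verifies; the rewritten entry and the deleted entry are both reported at index 1 (the deletion shows up because the next entry’s sequence number and previous-MAC no longer line up), and the altered record fails its tag check. The design choice worth noting is independence: a chain only proves that nobody without the key rewrote history, so the key and a copy of the log should sit with a party the monitored administrators do not control, such as a separate log server or append-only storage.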

Transmission security: Data breaches can happen while digital PHI is in transit. Guard against unauthorized access, modification, or deletion in transit by encrypting PHI on the wire (for example with TLS for web, API, and system-to-system mail traffic) and by checking its integrity on receipt. Secure messaging platforms that prevent recipients from copying, forwarding, or downloading patient information are one application of this safeguard.

You can also use web filtering, a technology that blocks users from reaching sites that distribute malware or spyware or that host phishing pages designed to harvest credentials. Either can lead to PHI leaving your organization in ways HIPAA does not permit.

Streamline your HIPAA compliance with Strike Graph

Strike Graph assesses your organization’s unique risks, and our multi-framework compliance platform makes it easy to put HIPAA controls in place to ensure you never break trust with your clients. After all, when your business involves personal health information, trust is your greatest asset. Ensuring HIPAA compliance is the best way to safeguard your reputation and avoid costly fines due to HIPAA violations.