Under some circumstances, HIPAA allows some of your protected health information (PHI) to be shared without your permission. Your PHI may be shared without your authorization in an emergency -- including emergency medical treatment, but also in the event of bioterrorism or any other public health threat. Other exceptions include public health surveillance (such as collecting information for local flu reports), investigations (such as an emergency medical center reporting a gunshot wound) and research -- including some health care situations such as interventions [source: CDC]. For these purposes, information is collected into what is called a "limited data set" (LDS). A limited data set still includes some personal information about you: your age (in years, months, days or hours), relevant dates (including your date of birth and date of death, and also admission and discharge dates, if applicable) and your basic geographic data (zip code, or city and state of residence).
The list of information that isn't allowed in a limited data set is much longer. Under the HIPAA Privacy Rule, the following 16 identifying pieces of information can't be included in an LDS: names; Social Security numbers; physical (street) addresses; phone numbers; fax numbers; e-mail addresses; URLs; IP addresses; vehicle identifiers (including serial numbers and license plates); full-face photos (or any comparable images); and biometric identifiers (such as your fingerprints). Additionally, no account numbers, medical record numbers, health plan beneficiary numbers, certificate or license numbers, or device identifiers (including serial numbers) can be included in a limited data set [source: Johns Hopkins Medicine].
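As an added illustration (not code from the article or any of its sources), the following Python check treats the list above as a release gate: it rejects any record that still carries one of the 16 direct-identifier fields and scans free-text fields for identifier patterns that commonly leak through notes. The field names are assumed column names in a hypothetical export; the sample record is constructed.

```python
import re

# Added example: a release-gate check for a HIPAA "limited data set" (LDS).
# Field names are assumed column names in a hypothetical export; the identifier
# categories are the 16 the article lists as prohibited in an LDS.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "ssn", "street_address", "phone", "fax", "email", "url",
    "ip_address", "vehicle_id", "license_plate", "face_photo", "biometric",
    "account_number", "medical_record_number", "health_plan_beneficiary_number",
    "certificate_license_number", "device_serial",
}

# Fields an LDS may retain: ages, dates, and coarse geography.
ALLOWED_FIELDS = {"age", "birth_date", "death_date", "admission_date",
                  "discharge_date", "zip", "city", "state"}

# Patterns for identifiers that can leak through free-text fields (e.g. notes).
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b"),
}


def check_limited_data_set(record):
    """Return a list of violations; an empty list means the record may be released."""
    violations = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            violations.append(f"direct identifier field present: {field}")
        elif field not in ALLOWED_FIELDS and isinstance(value, str):
            # Unknown fields (free text, comments) are scanned for identifier patterns.
            for kind, pattern in LEAK_PATTERNS.items():
                if pattern.search(value):
                    violations.append(f"{kind} pattern found in field: {field}")
    return violations


def to_limited_data_set(record):
    """Drop direct identifier fields and any field flagged for an identifier leak."""
    flagged = {v.split(": ", 1)[1] for v in check_limited_data_set(record)}
    return {k: v for k, v in record.items() if k not in flagged}


# Constructed sample record, not real patient data.
SAMPLE = {
    "name": "Jane Example", "ssn": "123-45-6789", "age": 47,
    "admission_date": "2013-10-01", "discharge_date": "2013-10-04",
    "zip": "21205", "city": "Baltimore", "state": "MD",
    "notes": "Follow-up by phone at 410-555-0199",
}
```

Running `check_limited_data_set(SAMPLE)` flags the name and SSN fields and the phone number hidden in the notes; `to_limited_data_set(SAMPLE)` keeps only the age, dates and geographic fields.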
Despite these HIPAA rules in place regarding our medical records, 83 percent of Americans still have privacy and security-related concerns when it comes to their medical records, and nearly 70 percent don't want to have their health information digitized, period [source: Xerox]. So what happens when those fears are validated -- what happens when there's a breach?
When a PHI breach does happen -- often the result of computer theft -- the Breach Notification Rule requires that the affected patient (or patients) be notified and the incident reported to the Secretary of the U.S. Department of Health & Human Services (HHS). Similarly, an individual who wants to report a privacy violation can report it to the covered entity (or business associate) responsible, to HHS, or to both. Depending on the circumstances, HIPAA violations may result in civil penalties such as fines (called civil money penalties) or in criminal penalties that include not only fines but imprisonment.
Author's Note: How does HIPAA compliance affect data sharing?
Keeping your health information safe is like keeping your Social Security number safe: In the wrong hands it can lead to identity theft -- or when it comes down to curing what ails you, improper treatment because someone else has hijacked your file. So the next time you're visiting your doctor (or hospital or pharmacy), don't just set aside the HIPAA brochure given to you during your visit; that paper contains important information about how your medical records are kept safe.
More Great Links
- American Medical Association (AMA). "HIPAA: Health Insurance Portability and Accountability Act." Sept. 23, 2013. (Oct. 13, 2013) http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act.page?
- American Medical Association (AMA). "HIPAA privacy and security toolkit: Helping your practice meet new compliance requirements." 2013. (Oct. 13, 2013) http://www.ama-assn.org//resources/doc/washington/hipaa-toolkit.pdf
- Association of State and Territorial Health Officials (ASTHO) -- Legal Preparedness Series: Public Health & Schools Toolkit. "Health Insurance Portability and Accountability Act Privacy Rule--Fact Sheet." 2012. (Oct. 13, 2013) http://www.astho.org/uploadedFiles/Programs/Preparedness/Public_Health_Emergency_Law/Public_Health_and_Schools_Toolkit/06-PHS%20HIPAA%20FS%20Final%203-12.pdf
- Johns Hopkins Medicine. "Definition of Limited Data Set." Jan. 2005. (Oct. 13, 2013) http://www.hopkinsmedicine.org/institutional_review_board/hipaa_research/limited_data_set.html
- Levin, Adam. "Making Your Medical Records Safer." ABC/Good Morning America. Oct. 13, 2013. (Oct. 13, 2013) http://gma.yahoo.com/making-medical-records-safer-113101752--abc-news-topstories.html
- Partners in Human Research Committee. "Limited Data Sets in Research." (Oct. 13, 2013) http://healthcare.partners.org/phsirb/limdata.htm
- Substance Abuse and Mental Health Services Administration (SAMHSA). "Federal Initiatives Related to Data Sharing." (Oct. 13, 2013) http://www.samhsa.gov/co-occurring/topics/data/data-sharing.aspx
- U.S. Department of Health and Human Services. "Health Information Privacy: Guidance Materials for Consumers." (Oct. 13, 2013) http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html
- U.S. Department of Health and Human Services: Centers for Medicare & Medicaid Services. "Educational Materials: HIPAA Information Series for Providers." April 12, 2012. (Oct. 13, 2013) http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/EducationMaterials/Educational-Materials.html
- U.S. Department of Health and Human Services: Centers for Medicare & Medicaid Services. "Transaction & Code Sets Standards." April 17, 2013. (Oct. 13, 2013) http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/TransactionCodeSetsStands/index.html
- U.S. Department of Health and Human Services: Health Resources and Services Administration -- Health Information technology and Quality Improvement. "What is a 'covered entity' under HIPAA?." (Oct. 13, 2013) http://www.hrsa.gov
- U.S. Department of Health and Human Services: Office for Civil Rights. "Your Health Information Privacy Rights." (Oct. 13, 2013) http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/consumer_rights.pdf
- Wengrovitz, Anne Guthrie. "Overcoming Barriers to Data-Sharing Related to the HIPAA Privacy Rule." Centers for Disease Control and Prevention. June 2004. (Oct. 13, 2013) http://www.cdc.gov/nceh/lead/policy/hipaa_clppp_june17_final.htm
- Xerox. "Fourth Annual Xerox Survey Shows Slow Progress in Patient Knowledge of Electronic Health Records." Sept. 30, 2013. (Oct. 13, 2013) http://news.xerox.com/news/Xerox-releases-4th-Annual-EHR-Survey