Under some circumstances, HIPAA allows some of your protected health information (PHI) to be shared without your permission. Your PHI may be shared without your authorization in an emergency situation -- including emergency medical treatment, but also in the event of bioterrorism or any other public health threat. Other exceptions to HIPAA include public health surveillance (such as collecting information for local flu reports), investigations (such as an emergency medical center reporting a gunshot wound) and research -- even in some health care situations such as interventions [source: CDC]. For these purposes, information is collected into what is called a "limited data set" (LDS). A limited data set still contains personal, though limited, information about you: your age (in years, months, days or hours), relevant dates (including your date of birth and date of death, as well as admission and discharge dates, if applicable) and basic geographic data (zip code, or city and state of residence).
The list of information that isn't allowed in a limited data set is much longer. Under the HIPAA Privacy Rule, the following 16 identifying pieces of information can't be included in an LDS: names, Social Security numbers, physical (street) addresses, phone numbers (including fax numbers), e-mail addresses, URLs, IP addresses, vehicle identifiers (including serial numbers and license plates), full-face photos (or any comparable images) and biometric identifiers (such as your fingerprints). Additionally, no account numbers, medical record numbers, health plan beneficiary numbers, certificate or license numbers, or device identifiers (including serial numbers) can be included in a limited data set [source: Johns Hopkins Medicine].
Despite the HIPAA rules governing our medical records, 83 percent of Americans still have privacy- and security-related concerns about their medical records, and nearly 70 percent don't want their health information digitized at all [source: Xerox]. So what happens when those fears are validated -- what happens when there's a breach?
When a PHI breach does happen -- often the result of computer theft -- the Breach Notification Rule requires that the affected patient (or patients) be notified and that the incident be reported to the Secretary of the U.S. Department of Health & Human Services (HHS). Similarly, if an individual wants to report a privacy violation, they can report it to the covered entity (or business associate) responsible, to HHS, or to both. Depending on the circumstances, HIPAA violations may result in civil penalties such as fines (called civil money penalties) or in criminal penalties that include not only fines but imprisonment.