HIPAA Patient Identifiers Demand Strict Compliance
Are you managing (and protecting) the 18 HIPAA patient identifiers outlined in the Health Insurance Portability and Accountability Act? HIPAA regulations put a premium on protecting patients’ medical information. The privacy rules in the act protect anything that is considered “individually identifiable health information.” This information is called PHI (Protected Health Information).
It encompasses anything that relates to someone’s past, present, or future physical or mental health condition, the healthcare provided (or considered) for the individual, and any payments for healthcare.
HIPAA Patient Identifiers
The act details specific HIPAA patient identifiers that need to be safeguarded. It limits disclosure of this protected health information to maintain confidentiality and integrity. The 18 specific HIPAA patient identifiers that need to be protected are:
- Names (Full names, Last names, or Initials)
- All geographical subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Phone numbers
- Fax numbers
- Electronic mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
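The geographic, date, and age rules in the list above are the generalisation steps of the Safe Harbor de-identification method. The following is an added example (not code from the article or from 8x8) that applies those three rules to a constructed patient record; the set of low-population three-digit ZIP prefixes and the record field names are assumptions for illustration, not the official Census values.

```python
import re
from datetime import date

# CONSTRUCTED placeholder set: three-digit ZIP prefixes whose combined
# population is 20,000 or fewer. The real list must come from current
# Census Bureau data; these values are illustrative only.
LOW_POPULATION_ZIP3 = {"036", "059", "102"}


def deidentify_zip(zip_code: str) -> str:
    """Keep only the first three digits; use '000' if that prefix covers 20,000 or fewer people."""
    digits = re.sub(r"\D", "", zip_code)  # tolerate ZIP+4 and stray punctuation
    if len(digits) < 3:
        raise ValueError("not a valid ZIP code")
    prefix = digits[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix


def deidentify_date(d: date) -> str:
    """Drop month and day, retaining only the year."""
    return str(d.year)


def deidentify_age(age: int) -> str:
    """Ages over 89 collapse into the single category '90 or older'."""
    return "90+" if age > 89 else str(age)


def deidentify_record(record: dict, as_of: date) -> dict:
    """Apply the Safe Harbor generalisation rules to a constructed record (assumed field names)."""
    birth = record["birth_date"]
    # Age as of a reference date, subtracting one if the birthday has not yet occurred this year
    age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
    out = {
        "zip3": deidentify_zip(record["zip"]),
        "birth_year": deidentify_date(birth),
        "admission_year": deidentify_date(record["admission_date"]),
        "age": deidentify_age(age),
    }
    # For ages over 89, even the birth year is "indicative of such age", so it must go too
    if age > 89:
        out["birth_year"] = "redacted"
    return out
```

Names, phone numbers and the other enumerated identifiers in the list are removed outright rather than generalised, so they are not modelled here.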
HIPAA Record Retention
The privacy rules within HIPAA mandate that organizations take appropriate administrative, technical, and physical steps to safeguard the information. As long as the information is maintained, the data — and the privacy of the individuals — must be kept protected.
The federal act does not mandate a HIPAA record retention period specifically for medical records. This is left up to state laws, which can vary greatly. In North Carolina, for example, hospitals need to maintain patient records for 11 years after discharge. Hospitals need to keep the records for seven years after discharge in Florida, but only five years in Nevada. There may be different state rules for physicians, research facilities, and for the treatments of minors.
HIPAA Risk Analysis
The security rules of HIPAA require healthcare providers to “evaluate risks and vulnerabilities in their environments and implement reasonable and appropriate security measures.” This means performing HIPAA risk analysis on a consistent basis and taking proactive steps to anticipate threats or vulnerabilities and mitigate potential breaches.
The Office of the National Coordinator for Health Information Technology (ONC) has created a HIPAA Security Risk Assessment (SRA) Tool to help with compliance.
The Federal Information Security Modernization Act of 2014
The Federal Information Security Modernization Act of 2014 adds another layer of security for federal information systems. In addition to imposing further requirements for maintaining security on any entities doing business with federal entities, it calls for periodic risk assessments, testing of security procedures, and reporting of results.
As part of the Federal Information Security Modernization Act of 2014, providers are also required to notify agencies of any major security breaches within seven days.
Compliance In A Connected World
When it comes to compliance, your information and communications systems have to be designed, managed, and monitored. In today’s hyper-connected world, this can be challenging. With the increasing use of mobile devices in healthcare, a single user or device can put you at risk of disclosing protected information.
When it comes to security, 8x8 provides reliable and compliant cloud solutions at a demanding level rarely seen by other cloud providers. Don't take your chances with a subpar cloud-based telecom system. Call 1-866-879-8647 or fill out our form online to request a no-obligation quote from an 8x8 Product Specialist.