One critical aspect of the Health Insurance Portability and Accountability Act (HIPAA) involves the protection of personally identifiable health information, as a way of safeguarding an individual’s rights in relation to his or her health situation. Although HIPAA was passed in the 1990’s, it was not until 2002 that a final version of the Privacy Rule was put in place. According to the Health Information Privacy web page at the US Department of Health and Human Services (HHS),
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
“The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.”
The protection of privacy extends to information that is deemed to be “individually identifiable health information” which according to 45 C.F.R. § 160.103 is:
“information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.”
The Privacy Rule is intended to set limits on who is allowed to view an individual’s health record. For example, health care providers can see an individual’s health record for the purposes of providing medical treatment. Alternatively, when an individual is involved in a violent crime, some aspects of the health record can be provided to the police to assist in criminal investigation. However, an individual’s health record cannot be provided to a prospective employer and used to determine whether to make an offer or not, nor can it be shared with a marketing company and used for advertising or sales purposes, unless the individual had given written permission.
Safeguarding protected information is a serious matter. And since it involves compliance with policies regarding information and data, it clearly is subject to data governance policies and procedures.