
What Health Information is Protected?

In the last post, we started the discussion of data governance and its relation to the protection of personally-identifiable data attributes. But what are the data attributes that are covered under the HIPAA Privacy Rule? A review of the Privacy Rule itself, which is incorporated into the Code of Federal Regulations (CFR) §164.514(b)(2)(i), shows eighteen data elements that are to be treated with special care:

http://www.hipaasurvivalguide.com/hipaa-regulations/164-514.php

  1. Names;
  2. All geographic subdivisions smaller than a State;
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  4. Telephone numbers;
  5. Fax numbers;
  6. Electronic mail addresses;
  7. Social security numbers;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. Web Universal Resource Locators (URLs);
  15. Internet Protocol (IP) address numbers;
  16. Biometric identifiers, including finger and voice prints;
  17. Full face photographic images and any comparable images; and
  18. Any other unique identifying number, characteristic, or code.
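Item 3 in the list above is the one entry that is a transformation rule rather than a field name, and its two cases (keep only the year; for anyone over 89, drop even the birth year and report "90 or older") are easy to get wrong. The following is an added example, not code from the original post: it assumes a record keyed by the constructed field names `birth_date`, `admission_date`, `discharge_date` and `death_date` holding ISO date strings, and measures age on a caller-supplied as-of date, since the rule itself does not say how age is computed.

```python
from datetime import date
from typing import Optional

AGE_CAP = 90  # Safe Harbor item 3: ages over 89 collapse into one "90 or older" bucket
# Assumed (constructed) field names for the date attributes item 3 names
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")


def age_on(birth_iso: str, as_of_iso: str) -> int:
    """Completed years of age on the as-of date (both given as ISO 'YYYY-MM-DD' strings)."""
    birth, as_of = date.fromisoformat(birth_iso), date.fromisoformat(as_of_iso)
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1  # birthday not yet reached this year
    return years


def year_only(iso: Optional[str]) -> Optional[str]:
    """Item 3 for an ordinary date: drop month and day, keep the year."""
    return None if iso is None else str(date.fromisoformat(iso).year)


def safe_harbor_dates(record: dict, as_of_iso: str) -> dict:
    """Return the date and age attributes of a record with item 3 applied.

    record: dict with optional ISO date strings under DATE_FIELDS (constructed schema).
    as_of_iso: the date age is measured on, e.g. the data-set cut-off (an assumption).
    """
    birth = record.get("birth_date")
    age = age_on(birth, as_of_iso) if birth else None
    over_89 = age is not None and age >= AGE_CAP

    out = {field: year_only(record.get(field)) for field in DATE_FIELDS}
    if over_89:
        # Even the birth year would indicate an age of 90 or older, so it is removed too.
        # The other dates keep their year: without the birth year they no longer reveal age.
        out["birth_date"] = None
        out["age"] = f"{AGE_CAP} or older"
    else:
        out["age"] = age
    return out
```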

Looking at this list, I have two particular thoughts about the management and control of policies regarding protection of these data elements. The first is a general one about limitations on the use of these data element values versus their protection. For example, a health insurance company wants to send an explanation of benefits (EOB) to a covered individual, so they print out a copy of the EOB, place it in an envelope, address the envelope, and mail it. However, the address on the envelope itself contains identifiable values selected from among the protected 18, namely name and a geographic subdivision smaller than a state. From one perspective, this is exposure of PHI, but from the other, it is a necessity of conducting business.

The second thought is that the law formalizes the list of eighteen, but what happens when there are personally identifiable data elements and values that are not among the protected 18? An example is a Twitter handle, which is not covered as either a URL or an IP address. Fortunately, it is likely to be covered under the final item (any other unique identifying number, characteristic, or code), but if that last one covers almost everything, what do you need the enumeration of the previous 17 for?

Nonetheless, the fact that these data elements are likely to be widely distributed among a provider’s or a payer’s application environment signals some potential challenges in ensuring that these values are actually protected.
