
What is covered by the HIPAA Privacy Rule and the exclusions?


Posted On April 9, 2021

What Is Not Covered by the HIPAA Privacy Rule?

(Diagram: classifying PHI under the HIPAA Privacy Rule)

Part of the Health Insurance Portability and Accountability Act (HIPAA), the HIPAA Privacy Rule was first enacted into law in 2002. The Rule applies to all HIPAA covered entities. As outlined by the Department of Health and Human Services (HHS), this includes health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form in connection with transactions for which HHS has adopted standards under HIPAA.

In addition, the HIPAA Privacy Rule applies to third-party service providers who perform certain functions or activities on behalf of a covered entity that involve the use or disclosure of individually identifiable health information. These third parties are generally referred to as business associates.

The overarching goal of the HIPAA Privacy Rule is to protect the confidentiality of patients and their medical records – while still allowing covered entities to exchange health care data securely as required. 

Most, but not all, information is directly covered by the HIPAA Privacy Rule. So, let’s break down precisely what you need to know and do to ensure your patients’ health information is protected and that you comply with the HIPAA Privacy Rule.


What Information Is Covered Under the HIPAA Privacy Rule?

Individually identifiable health information is any information that a covered entity stores that can be used to personally identify an individual. This information is covered under the HIPAA Privacy Rule and is known as protected health information (PHI). 

Methods to de-identify health information under the HIPAA Privacy Rule

(Image source: totalhipaa.com)

Importantly, because individually identifiable information is often accessed by insurance providers and clearinghouses for billing purposes, PHI includes not only names and addresses, but also things like credit card information and vehicle registration plate numbers that these bodies often receive from another entity.

In addition, videos and images that contain individually identifiable information (e.g., a photograph of a patient’s wound from which the identity of the patient can be determined by a distinguishing feature) are also considered PHI. 

In all, there are 18 specific individual identifiers the HIPAA Privacy Rule covers. When health information contains one or more of the following identifiers, that information becomes PHI:

  1. Names
  2. Addresses
  3. Dates relating to an individual (date of birth, date of death, etc.) 
  4. Telephone numbers
  5. Vehicle identifiers
  6. Fax numbers
  7. Device identifiers and serial numbers
  8. Email addresses
  9. Web URLs
  10. Social security numbers
  11. IP addresses
  12. Medical record numbers
  13. Biometric identifiers
  14. Health plan beneficiary numbers
  15. Full-face photographs and any comparable image
  16. Account numbers
  17. Any other unique identifying number, characteristic, or code
  18. Certificate/license numbers

In short, as outlined by the HHS, individually identifiable information is any information or demographic data that relates to:

  • The individual’s past, present or future physical or mental health condition
  • The provision of health care to the individual
  • The past, present or future payment for the provision of health care to the individual

What Information Is Not Covered Under the HIPAA Privacy Rule?

Certain information and disclosures of PHI are excluded from the HIPAA Privacy Rule. These are as follows:

Health Information in Employment Records

The HIPAA Privacy Rule does not apply to employment records – even when those records contain health and other medical information. However, should an employee become a patient, then the HIPAA Privacy Rule applies. 

Health Information in Education Records

Health information contained in education records is excluded from the HIPAA Privacy Rule when it is subject to, or defined in, the Family Educational Rights and Privacy Act (FERPA).

Health Information Pertaining to a Person Who Has Been Deceased for Over 50 Years

Information on a person who passed away more than 50 years ago is not considered PHI under HIPAA. 

De-Identified Health Information

De-identified health information is health information that neither identifies nor provides a reasonable basis for identifying an individual. There are two ways to de-identify information – either via a formal determination by a qualified statistician, or the removal of all 18 specified identifiers of the individual and the individual’s relatives, as outlined by the HHS and listed above.

(Image: de-identification methods under the HIPAA Privacy Rule. Image source: hhs.gov)
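The second de-identification method described above (removing the listed identifiers) can be implemented and, just as importantly, checked. The following is an added example, not code from the original article or from Central Data Storage. It applies a Safe Harbor-style redaction to a constructed patient record and then scans the result for identifiers that survived, including ones embedded in free-text notes. The field names, the regular expressions, and the sample record are all assumptions made for the example; the year-only date rule and the three-digit ZIP truncation follow the HHS Safe Harbor text (45 CFR 164.514(b)), but the example does not implement the full regulation (for instance the ZIP areas with small populations and the age-over-89 rule are left out).

```python
import re

# Constructed sample record: every value is made up for this example.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "address": "12 Example Lane, Springfield",
    "zip": "62704",
    "date_of_birth": "1961-03-14",
    "admission_date": "2021-04-01",
    "phone": "555-0100",
    "email": "jane.sample@example.invalid",
    "ssn": "000-00-0000",
    "mrn": "MRN-0001234",
    "ip_address": "203.0.113.7",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": "Patient reachable at jane.sample@example.invalid or 555-0100.",
}

# Fields that map directly onto identifier categories in the article's list
# (names, addresses, phone numbers, email, SSN, medical record number, IP).
# These are dropped outright. Field names are an assumption for this example.
DIRECT_IDENTIFIER_FIELDS = {"name", "address", "phone", "email", "ssn", "mrn", "ip_address"}

# Dates are generalized to the year instead of dropped (Safe Harbor keeps year only).
DATE_FIELDS = {"date_of_birth", "admission_date"}

# Patterns for identifiers that tend to leak inside free text. Assumed for the
# example; a production scanner would need a much broader set.
RESIDUAL_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{4}\b|\b\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def _scrub_text(value: str) -> str:
    """Replace any residual identifier pattern inside free text with a marker."""
    for pattern in RESIDUAL_PATTERNS.values():
        value = pattern.sub("[REDACTED]", value)
    return value


def safe_harbor_deidentify(record: dict) -> dict:
    """Return a new record with direct identifiers removed, dates reduced to
    the year, ZIP reduced to its first three digits, and free text scrubbed."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                      # drop the field entirely
        if field in DATE_FIELDS:
            out[field] = value[:4]        # "1961-03-14" -> "1961"
            continue
        if field == "zip":
            out[field] = value[:3]        # "62704" -> "627"
            continue
        out[field] = _scrub_text(value) if isinstance(value, str) else value
    return out


def find_residual_identifiers(record: dict) -> list:
    """List (field, kind) pairs for every value still matching an identifier
    pattern. An empty list is the check a release process should insist on."""
    hits = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, pattern in RESIDUAL_PATTERNS.items():
            if pattern.search(value):
                hits.append((field, kind))
    return hits


if __name__ == "__main__":
    print("before:", find_residual_identifiers(SAMPLE_RECORD))
    cleaned = safe_harbor_deidentify(SAMPLE_RECORD)
    print("after: ", find_residual_identifiers(cleaned))
    print(cleaned)
```

The two functions are deliberately separate: the scrubber encodes what you intend to remove, while the scanner tests what actually remains, which is how the "notes" field, where an email address and phone number were copied into prose, gets caught even though no structured field points at it.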

Storing and Protecting PHI 

In order to protect patients’ PHI in accordance with the HIPAA Privacy Rule, covered entities must put in place adequate safeguards to ensure this information is not used or disclosed improperly. A major part of this is the “Minimum Necessary” rule, which stipulates that disclosures of PHI must be limited to the minimum necessary to accomplish the intended purpose.

In addition, covered entities must put policies and procedures in place to limit who can view and access PHI. They must also provide training programs for employees about how to protect medical records and other health and individually identifiable information. 

Furthermore, all business associates must put in place adequate safeguards to protect PHI and ensure they do not use or disclose health information improperly. 

This has implications for where and how you store your PHI. For example, if you store PHI with a cloud storage provider, that provider must sign a Business Associate Agreement (BAA) with you and maintain full compliance with HIPAA.

As such, it is crucial that covered entities use the services of a specialist cloud storage provider like Central Data Storage. Certain popular cloud storage service providers, such as WeTransfer and Apple iCloud, will not sign a BAA with HIPAA covered entities. Others, like Dropbox and Google, do not provide HIPAA-compliant cloud storage solutions by design – meaning it is down to you to configure the system to ensure you meet the requirements of the HIPAA Privacy Rule.

At Central Data Storage, we provide cloud-based data storage, backup and recovery solutions that comply with HIPAA for professionals in the health care industry. We make it our business to make sure our clients are in full compliance with the HIPAA Privacy Rule, the HIPAA Security Rule and all other data protection regulations. Contact our friendly team today. Call 1-888-907-1227 or email info@centraldatastorage.com.
