On April 14, 2003, the Health Insurance Portability and Accountability Act (HIPAA) standards for the privacy of individually identifiable health information (IIHI) took effect. Healthcare organizations—including providers, insurers, and healthcare clearinghouses—must be fully aware of the effect of this pending regulation.
To find out exactly what IIHI is, you can read the official definitions of health information and individually identifiable health information in Part 160 (General Administrative Requirements), Subpart A, Section 103 of the Standards for Privacy of Individually Identifiable Health Information Regulation Text, which is a downloadable PDF file. For those who aren't familiar with reading cryptic legislative text from the Federal Register, this can be quite a chore.
In general, it's safe to consider information to be IIHI if it adheres to the following two rules:
- The information explicitly identifies an individual, or you can reasonably infer the identity from the data.
- The information concerns the physical or mental health of the individual, or the information concerns the provision or payment of healthcare to the individual.
Subparts A through E of Part 164 of the legislation outline the procedures for protecting IIHI. These include the following key points:
- Permitted use and disclosure of IIHI: Part 164 of the legislation details when and if a covered entity may disclose IIHI.
- Minimum Necessary Rule: A covered entity must limit IIHI disclosure to the minimum necessary to accomplish the intended purpose for the disclosure.
- Incidental disclosure.
- Disclosure based on agreed-upon restrictions.
- Disclosure of de-identified health information.
- Rules regarding disclosure to business associates.
- Rules covering the disclosure of deceased individuals' IIHI.
- Disclosure to compliant representatives (parents, court-appointed guardians, etc.).
- Rules covering secure confidential communications.
- Rules regarding disclosure notice.
- "Whistleblower" protection.
Compliance includes controlling nonelectronic access
If you're responsible for the compliance of information systems containing IIHI, you must perform a comprehensive review of all data systems within your organization. This includes a review of access to all databases, file systems, applications, and electronic communications.
This legislation affects e-mail, automated voice or text messaging, human resource Word documents, insurance claims, employee benefits, marketing campaign databases, all health-related applications, accounting or billing systems, any other system that could house IIHI, and any third-party or business affiliate application or service (outsourced systems, ASPs, etc.).
You must limit both physical and electronic access to such information to those who can show a compliant business need for it. Your organization must establish and adhere to a specified, comprehensive policy for securing IIHI, and that policy must be readily available on request. Organizations will also be required to identify the individuals who are responsible and accountable for ensuring that the organization adheres to that policy.
IT administrators often focus on the electronic disclosure of IIHI to the exclusion of the unattended disclosure of physical documents. But you must also consider paper medical records, claims, referral authorizations, face sheets, and other such documents.
As with all HIPAA regulations, the privacy standards are subject to modification on an annual basis. In fact, this already occurred in 2002, and the modifications include disclosure of IIHI for pharmacy and other identified entities.
In addition, although the legislation is very specific on certain rules, other areas of acceptable compliance will be tested after the legislation takes effect. One good example will be the clarification of what "reasonable basis" signifies in identifying an individual. For instance, is a document containing health information and an individual’s street address enough to consider it identifiable? Rest assured, as with all healthcare issues, the pressure will be on the health industry to justify the disclosure.
This article originally appeared in TechRepublic’s Healthcare IT TechMail.