|  | Healthcare Industry | General Healthcare Industry

HIPAA Individually Identifiable Information

HIPAA, or the Health Insurance Portability and Accountability Act, became law in 1996. HIPAA covers many aspects of health care, including the ability to maintain insurance coverage when changing jobs, health care fraud and abuse, medical billing standards for electronic data interchange and the privacy and security of patient information. Individually identifiable health information falls under the privacy portion of HIPAA.

  1. HIPAA Title II

    • Divided into several different parts, or "Titles," HIPAA covers different topics. The "Administrative Simplification" portion of HIPAA's Title II covers the privacy and security of protected health information, or PHI. The "Privacy Rule" portion covers how to share and release PHI in any format, while the "Security Rule" portion covers issues for electronic protected health information, or e-PHI. PHI is made up of individually identifiable health information.

    Definition of IIHI

    • Individually identifiable health information, or IIHI, means medical patient information that allows others to trace the information back to an individual. IIHI includes part or all of the following demographic information: name or partial name, address, Social Security number, Zip code, birth date, phone number, diagnosis or mental health status, employer, relatives, billing information or any other combination of information used to identify a patient.

    De-Identified Information

    • HIPAA deems removal of IIHI as "de-identified" information. This means that any patient demographics or other information that may identify the patient in any way no longer appears in a copy of the record. This occurs for various reasons such as to use the information in case studies or for research purposes. If the patient health information becomes "de-identified," then the PHI becomes eligible for use to teach students and perform research without a patient's authorization or consent.

    Authorization versus Consent

    • Consent allows health care providers to share patient information in daily health care operations. For example, a patient making an appointment with her family practitioner implies consent for treatment. Authorization means permission given, by the patient, to disclose her protected health information for reasons other than normal health care operations. Authorizations must include written permission as to the exact information released. For example, a patient participating in a hospital marketing program where the PHI is used on her illness will first complete an authorization.

    Release of IIHI

    • In some cases, IIHI release occurs without a patient's authorization or consent. HIPAA provides five specific occasions when release of IIHI may occur without authorization: 1) When a patient wants to review her own information, 2) During normal health care business, known as "treatment, payment, operations," or TPO, 3) For inclusion in a hospital or health care directory so family members can locate patients, 4) When incidental, or accidental, disclosures occur and 5) When disclosure of the information will benefit the public, such as legal situations and to help prevent disease outbreaks. HIPAA also allows for another permitted use and disclosure of PHI without authorization. According to HIPAA, a patient's de-identified information may be used--without authorization--as needed by public health and research.

General Healthcare Industry - Related Articles