What is a HIPAA Identifier and How is it Used?
Anwita
Sep 13, 2024“Identify theft is not a joke, Jim. Millions of families suffer every year.” – Dwight Schrute. Remember this iconic line from The Office? While the TV show meant to ridicule his social awkwardness, this statement is very true in real life.
Patient health information is valuable in the black market and can be used to extract information on the individual it belongs to. This has significantly increased data theft cases in the medical industry – making it the top target for breaches.
To curb this, the Health Insurance Portability and Accountability Act (HIPAA) laid down guidelines around specific attributes of patient data that can be used to identify an individual, known as HIPAA identifiers.
Keep reading to learn what a HIPAA identifier is, the 18 HIPAA identifiers, and the rules around it.
What are the HIPAA identifiers?
HIPAA identifiers or personally identifiable information (PII) refers to any data in a medical record that can be used to identify an individual. Healthcare organizations or service providers use, create, or disclose these identifiers during the course of treatment.
HIPAA identifiers may contain direct or quasi-identifiers. It can be in electronic format, on paper, or another medium.
Passports or social security numbers are direct identifiers – these can be used to identify a person directly, and more than one individual does not possess the same direct identifier.
Race, gender, or name are examples of quasi-identifiers. You can combine two or more of these data to identify an individual.
When PII is used in conjunction with identifiers that include mental health, physical health condition, or transaction for health care, it becomes protected health information (PHI). If you are a HIPAA-covered entity (CE) or Business Associate (BA), you must ensure the security and privacy of PHI.
Here’s a tool to determine whether you’re a covered entity:
Download Your Covered Entity Decision Making Tool
HIPAA certification has additional standards to protect PII from re-identification. If a code replaces an identifier, it cannot be obtained from information related to the individual. It is also not permissible to disclose the method used to obtain the codes. For example, you cannot use the initials of a person’s name to code their data since the initials are obtained from the name.
List of HIPAA identifiers
There are a total of 18 identifiers in HIPAA. These are:
- Name
- Geographical location: This includes all geographic subdivisions smaller than a State. Includes street address, city, county, precinct, zip code, and their equivalent geocodes. The initial three digits of a zip code are an exception as per the data from the Bureau of the Census:
- The geographic unit contains more than 20,000 residents when you combine the same three initial digits.
- When the initial three digits of a zip code for such geographic units that contain 20,000 or fewer residents change to 000.
- Date: Includes all elements of date except the year related to an individual. Includes
- Birth date
- Admission date
- Discharge date
- Date of death and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers. Includes license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full-face photographic images and any comparable images and
- Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c)
HIPAA identifier under the privacy rule
HIPAA identifiers include sensitive information that can be used to identify a person. However, protecting these identifiers further branches out into privacy and security rules. Primarily, the Privacy Rule focuses on the protection of all forms of Protected Health Information (PHI)—electronic, paper-based, or verbal—while also setting standards for the use and disclosure of the PHI.
HIPAA identifiers under the privacy rule protect individuals’ medical records and other personal health information without disrupting the flow of critical information needed to provide high standards of care.
Here are HIPAA Privacy Rules outlining patient rights concerning their PHI:
- Notice of Privacy Practices (NPP): Patients must receive an NPP upon admission, in a way that’s easy to understand and clearly outlines patient rights and the 18 HIPAA identifiers. It should also explain the permitted and prohibited uses of PHI covered by the entity.
- Ability to request medical records: it states that all patients must be entitled to request medical records that belong to them by completing an authorization form.
- Requesting Amendments to medical records: The HIPAA Privacy Rule also grants patients the right to request corrections of any inaccuracies.
- Parental access to a minor’s medical records: Generally, parents or legal guardians can access the medical records of minors. However, there are specific circumstances where this access is restricted, such as when a minor consents to treatment that doesn’t require parental approval, or a court mandates care.
HIPAA identifiers under the security rule
When it comes to security rules, there is a bigger focus on the protection and administration of information in terms of digital and physical security measures. It primarily applies to electronic Protected Health Information (ePHI), setting standards for securing ePHI created, received, used, or maintained by an entity.
The aim is to protect the confidentiality, integrity, and availability of ePHI through technical, physical, and administrative safeguards.
Here’s what each of these safeguards entails:
- Confidentiality: PHI must only be disclosed when prior authorization from the patient is obtained.
- Integrity: PHI must be accessed only by individuals who require it to perform their job responsibilities.
- Availability: Both organizations and patients should have straightforward access to PHI when needed.
What is not a HIPAA identifier?
De-identified data or health information that cannot be used to identify an individual or provide a reasonable base to identify them is not a HIPAA identifier.
Health information that does not fall within the 18 identifiers and has a very low chance (as determined by an expert using a statistical or scientific method) of being used individually or in combination with others to identify a person is considered de-identified data.
HIPAA laws do not apply to de-identified data.
Uses of HIPAA identifier
HIPAA identifiers play a crucial role in the healthcare business. Workers need easy access to these to offer quality care services.
In a bid to balance out patient rights and to enable efficiency for covered entities, HIPAA compliance details some circumstances when it is permissible to use and disclose PHI without patient authorization. These include case when you:
- Conduct quality assessment and improvement activities
- Develop clinical guidelines
- Conduct patient safety activities as per applicable regulations
- Conduct population-based activities to improve health or reduce healthcare cost
- Develop protocols
- Conduct case management and care coordination
- Contact healthcare providers and patients to enquire about treatment alternatives
- Review qualifications of health care professionals
- Evaluate the performance of healthcare providers or health plans
- Conduct training programs or credentialing activities
- Support fraud and abuse detection and compliance programs
Conclusion
Remember the line from The Office? If you own a healthcare business or provide service to one, identity theft doesn’t just make families suffer. It makes them sue.
Thankfully, there is a way to prevent this mess in the first place. The Sprinto solution puts rules and controls in your system to secure PII to allow access only to authorized people. It alerts you when someone takes an action that can land you in legal trouble. Sprinto also monitors the system for risky behavior that protects your PII as well as employee data.
Talk to us to know more about how you can secure your data and avoid non-compliance.
FAQs
What is considered a patient identifier?
Data such as name, address, birth date, social security number, and more that can be used to identify a patient is called a patient identifier.
What are the two most important patient identifiers?
Two main patient identifiers recommended to be used for every interaction include the full name and date of birth or medical identification number.