“Identity theft is not a joke, Jim! Millions of families suffer every year!” – Dwight Schrute. Remember this iconic line from The Office? The show played it for laughs at Dwight’s expense, but the statement holds up in real life.
Patient health information fetches a high price on black markets because a single record bundles identity, insurance, and financial details that can be used to impersonate or defraud the person it belongs to. That value has driven a steady rise in data theft in the medical industry, making it one of the most targeted sectors for breaches.
To limit this exposure, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule defines a specific set of patient data attributes that can be used to identify an individual, known as the HIPAA identifiers.
Keep reading to learn what a HIPAA identifier is, what the 18 HIPAA identifiers are, and the rules around them.
What are the HIPAA identifiers?
HIPAA identifiers are the data elements in a medical record that can be used to identify an individual, the healthcare equivalent of personally identifiable information (PII). The list comes from the Privacy Rule’s Safe Harbor de-identification standard (45 CFR §164.514(b)(2)). Healthcare organizations and their service providers create, use, and disclose these identifiers in the course of treatment, payment, and operations.
HIPAA identifiers can be direct identifiers or quasi-identifiers, and the medium does not matter: the rules apply whether the data is electronic, on paper, or in any other form.
Passport numbers or social security numbers are direct identifiers: each value points to exactly one person, and no two individuals share the same one.
Race, gender, age, or ZIP code are examples of quasi-identifiers. None of them identifies a person on its own, but two or more of them combined often do.
Individually identifiable health information becomes protected health information (PHI) when a covered entity or business associate holds it and it relates to an individual’s past, present, or future physical or mental health condition, the provision of health care, or payment for that care. If you are a HIPAA covered entity (CE) or Business Associate (BA), you must ensure the security and privacy of PHI.
HIPAA also sets conditions on re-identification codes, the tokens a covered entity may attach to de-identified data so it can link records back to the individual later (45 CFR §164.514(c)). The code must not be derived from or related to information about the individual, must not otherwise be translatable into the individual’s identity, and the mechanism used to re-identify the data must not be disclosed. For example, you cannot use a person’s initials as the code, since the initials are derived from the name; by the same logic, a hash of the social security number is derived from the SSN and does not qualify either.
List of HIPAA identifiers
There are 18 identifiers in total, listed at 45 CFR §164.514(b)(2)(i). These are:
- Geographic location: All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes. The only exception is the initial three digits of a ZIP code, and only when, according to current publicly available Bureau of the Census data:
- The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people, and
- The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people are changed to 000.
- Dates: All elements of dates (except year) for dates directly related to an individual, including:
- Birth date
- Admission date
- Discharge date
- Date of death
- All ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full-face photographic images and any comparable images, and
- Any other unique identifying number, characteristic, or code, except a re-identification code that meets the conditions of §164.514(c) (the “paragraph (c)” the regulation refers to)
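The list above and the re-identification rule described earlier are easiest to understand as a data transformation. The following is an added example written for this article, not code from HIPAA, HHS, or Sprinto. It applies the Safe Harbor rules to a flat patient record: every field not explicitly allowed or generalized is dropped (which is how it handles identifier 18), ZIP codes are cut to three digits or to 000 for restricted prefixes, dates keep only the year, ages over 89 are aggregated into a single bucket (and their birth year is dropped, since the year alone would reveal the age), and the medical record number is replaced by a random re-identification code kept in a separate table rather than anything derived from the patient. The field names and sample records are this example’s assumptions, and the restricted ZIP prefix set is the 17-prefix list HHS published from 2000 Census data, which must be regenerated from current Census data before real use.

```python
"""Safe Harbor de-identification of a patient record.

Added example for this article, not code from HIPAA or Sprinto. It applies
the 45 CFR 164.514(b)(2) Safe Harbor rules to a flat dict record: identifier
fields are dropped by default, ZIP codes are truncated to three digits (or
000 for restricted prefixes), dates keep only the year, ages over 89 are
aggregated into "90+", and the medical record number is replaced by a random
re-identification code kept in a separate table, as 164.514(c) requires.
The field names and sample records are this example's own assumptions.
"""
import re
import secrets
from datetime import date

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer.
# Assumption: this is the 17-prefix list HHS published from 2000 Census data;
# regenerate it from current Census data before using it in production.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Allowlist of non-identifying fields that pass through unchanged. Any field
# not listed here and not explicitly generalized below is dropped, which is
# how this example covers identifier 18 ("any other unique identifying
# number, characteristic, or code") without enumerating every possible field.
PASSTHROUGH_FIELDS = {"sex", "race", "diagnosis_code"}


def generalize_zip(zip_code: str) -> str:
    """Return the three-digit ZIP prefix, or '000' when it is restricted."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 5:
        raise ValueError(f"not a ZIP code: {zip_code!r}")
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(birth: date, on: date) -> int:
    """Whole years between the birth date and the reference date."""
    years = on.year - birth.year
    if (on.month, on.day) < (birth.month, birth.day):
        years -= 1
    return years


def generalize_age(age: int) -> str:
    """Ages over 89 collapse into the single '90+' category."""
    return "90+" if age > 89 else str(age)


def deidentify(record: dict, reid_table: dict) -> dict:
    """Return a Safe Harbor de-identified copy and record the re-id mapping."""
    admitted = record["admission_date"]
    age = age_on(record["birth_date"], admitted)
    out = {k: v for k, v in record.items() if k in PASSTHROUGH_FIELDS}
    out["zip3"] = generalize_zip(record["zip"])
    out["admission_year"] = admitted.year   # the year alone is permitted
    out["age"] = generalize_age(age)
    # Over 89, even the birth year is "indicative of such age", so drop it.
    if age <= 89:
        out["birth_year"] = record["birth_date"].year
    # 164.514(c): the code must not be derived from anything about the
    # patient (so no initials, no hash of the SSN). A random token satisfies
    # that; the mapping back to the MRN lives only in reid_table, which the
    # covered entity keeps and never releases with the data.
    code = secrets.token_hex(16)
    reid_table[code] = record["mrn"]
    out["reid_code"] = code
    return out


# Constructed sample records (fictional data), one under and one over 89.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "mrn": "MRN-0004417", "ssn": "123-45-6789",
    "street": "1 Example Street", "city": "Scranton", "zip": "18503-1234",
    "phone": "570-555-0147", "email": "jane.sample@example.com",
    "birth_date": date(1970, 1, 20), "admission_date": date(2024, 3, 5),
    "sex": "F", "race": "White", "diagnosis_code": "J18.9",
}
SAMPLE_RECORD_ELDERLY = dict(SAMPLE_RECORD, mrn="MRN-0004418",
                             zip="03601", birth_date=date(1930, 6, 1))

if __name__ == "__main__":
    table = {}
    for rec in (SAMPLE_RECORD, SAMPLE_RECORD_ELDERLY):
        print(deidentify(rec, table))
    print("re-identification table (keep separately):", table)
```

The allowlist is the important design choice: a denylist of the 18 named fields would let an unexpected column (an implant serial number, an internal patient code) slip through, whereas dropping everything not explicitly approved fails closed. Safe Harbor also requires that the covered entity have no actual knowledge that the remaining fields could identify the patient, which no script can check for you; a single patient with a rare diagnosis code in a small ZIP3 area may still need Expert Determination.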
What is not a HIPAA identifier?
De-identified health information, meaning data that neither identifies an individual nor provides a reasonable basis to identify one, contains no HIPAA identifiers.
HIPAA recognizes two ways to reach that state. Under the Safe Harbor method, all 18 identifiers are removed and the covered entity has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual. Under the Expert Determination method, a qualified expert applying generally accepted statistical or scientific principles documents that the risk of re-identification is very small; this method can retain elements from the list (such as full dates) that Safe Harbor would strip.
HIPAA rules do not apply to data de-identified by either method. Once it is re-identified, it is PHI again.
Uses of HIPAA identifiers
HIPAA identifiers are a normal part of running a healthcare business: clinicians and staff need ready access to them to deliver quality care.
To balance patient rights against the operational needs of covered entities, the Privacy Rule lists circumstances in which PHI may be used and disclosed without the patient’s authorization. Treatment, payment, and health care operations are the main ones, and health care operations include cases where you:
- Conduct quality assessment and improvement activities
- Develop clinical guidelines
- Conduct patient safety activities as per applicable regulations
- Conduct population-based activities to improve health or reduce healthcare cost
- Develop protocols
- Conduct case management and care coordination
- Contact healthcare providers and patients with information about treatment alternatives
- Review qualifications of health care professionals
- Evaluate the performance of healthcare providers or health plans
- Conduct training programs or credentialing activities
- Support fraud and abuse detection and compliance programs
Remember the line from The Office? If you own a healthcare business or provide services to one, identity theft doesn’t just make families suffer. It makes them sue.
Thankfully, there is a way to prevent this mess in the first place. The Sprinto solution puts rules and controls in your system to secure PII so that only authorized people can access it. It alerts you when someone takes an action that could land you in legal trouble, and it monitors the system for risky behavior, protecting your PII as well as employee data.
Talk to us to learn how you can secure your data and avoid non-compliance.
What is considered a patient identifier?
Data such as name, address, birth date, social security number, and similar attributes that can be used to identify a patient are called patient identifiers.
What are the two most important patient identifiers?
The two patient identifiers recommended for every patient interaction are the full name plus either the date of birth or the medical record number.