HIPAA policy

SurgicalPerformance is required by Health Insurance Portability and Accountability Act (HIPAA, 1996) to ensure the privacy and security of all “Protected Health Information” (PHI) entered by its users. This Policy is intended to guide the rigorously implementation of all relevant HIPAA-mandated requirements.

What is PHI?

Protected Health Information (PHI) is any individually identifiable health information that can be linked to a particular person. It includes all information that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. This information can relate to:

  • The individual’s past, present or future physical or mental health or condition,
  • The provision of health care to the individual, or,
  • The past, present, or future payment for the provision of health care to the individual.
  • Data elements commonly used to link health information to a specific individual are called the HIPAA identifiers (details provided below).

What is not PHI?

Health information that does not identify an individual or that cannot be used to identify an individual is not PHI, but great rigor is required to confirm that no identifier is present in the dataset. For example, a dataset of vital signs by themselves do not constitute Protected Health Information. However, if the vital signs dataset includes medical record numbers, then the entire dataset must be protected since it contains an identifier.

The 18 Protected Health Information identifiers

The following data elements have been specifically identified in the regulation as being “identifiers.” When a medical record or result contains or is associated with any of these elements, it may be traceable back to the person associated with that record.

Any document or communication containing health information created, received, maintained, or transmitted by or for any of the HIPAA Covered Components is covered by HIPAA if it includes any of these elements:

  1. 1.Names (including initials only);
  2. 2.All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  3. 3.All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  4. 4.Phone numbers;
  5. 5.Fax numbers;
  6. 6.Electronic mail addresses;
  7. 7.Social Security numbers;
  8. 8.Medical record numbers;
  9. 9.Health plan beneficiary numbers;
  10. 10.Account numbers;
  11. 11.Certificate/license numbers;
  12. 12.Vehicle identifiers and serial numbers, including license plate numbers;
  13. 13.Device identifiers and serial numbers;
  14. 14.Web Universal Resource Locators (URLs);
  15. 15.Internet Protocol (IP) address numbers;
  16. 16.Biometric identifiers, including finger and voice prints;
  17. 17.Full face photographic images and any comparable images; and
  18. 18.Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by an investigator to code the data)

PHI and SurgicalPerformance

By design, the PHI data in SurgicalPerformance is limited. The only fields that relate to PHI are:

  • Patient Identifier – We recommend that the Identifier be a unique value for SurgicalPerformance and not relate to an identifier found on other patient data; however some users may use an identifier that could be PHI
  • Date fields – Including birth date
  • Procedure date – This data is not shown in reporting or dashboard views. It is limited to the adding, editing and viewing of record screens and the CSV Export function.

The Difference Between Privacy and Security

HIPAA contains both a Privacy Rule and a Security Rule. Both domains are distinct but go hand-in-hand.

Privacy relates to the right of an individual to control the use of his or her personal information. PHI should not be divulged or used by others without the patient’s consent. The HIPAA Privacy Rule covers the confidentiality of PHI in all forms and formats including electronic, paper and oral. Confidentiality is an assurance that the information will be safeguarded from unauthorized use and disclosure.

Security is a mechanism used to protect the privacy of information. The HIPAA Security Rule focuses on administrative, technical and physical safeguards specifically as they relate to electronic PHI (ePHI). Protection of ePHI data from unauthorized access, alteration, loss or destruction, whether external or internal, stored or in transit, is all part of the HIPAA Security Rule.