HIPAA (Health Insurance Portability and Accountability Act) for us at Catholic Charities goes beyond health information. For us it is basic, overall confidentiality. Information about clients/participants/guests (patients in a healthcare setting) should not be shared except on a ‘need to know’ basis. If you and I are working with the same client and I have information that is important for you in providing services for that client, let’s chat privately. If not, keep that information to yourself.
Any of the information in the list below is to be considered ‘confidential information’ (Protected Health Information in a healthcare setting). It should not be visible on your computer screen, on your desk, or heard in conversation. Any documentation containing this information needs to be shredded rather than thrown in the garbage to avoid a potential breach of information. Private information needs to remain private.
The 18 HIPAA Identifiers
The HIPAA privacy rule sets forth policies to protect all individually identifiable health information that is held or transmitted. These are the 18 HIPAA Identifiers that are considered personally identifiable information. This information can be used to identify, contact, or locate a single person or can be used with other sources to identify a single individual. When personally identifiable information is used in conjunction with one’s physical or mental health or condition, health care, or one’s payment for that health care, it becomes Protected Health Information (PHI).
- Address (all geographic subdivisions smaller than state, including street address, city, county, and zip code)
- All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
- Telephone numbers
- Fax number
- Email address
- Social Security Number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate or license number
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URL
- Internet Protocol (IP) Address
- Finger or voice print
- Photographic image - Photographic images are not limited to images of the face.
- Any other characteristic that could uniquely identify the individual
If a communication contains any of these identifiers, or parts of the identifier, such as initials, the data is to be considered “identified”. To be considered “de-identified”, ALL of the 18 HIPAA Identifiers must be removed from the data set. This includes all dates, such as surgery dates, all voice recordings, and all photographic images.