Protected health information is patient information that is protected, by law, from unauthorized disclosure. This includes personal information such as age, Social Security number, date of birth and marital status, as well as clinical information such as symptoms, diagnoses, treatment and prognoses. It also includes financial information such as insurance information and payment history. Protection of this private information was established by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Section one of HIPAA's Title II is known as the Privacy Rule. This section of the law states that protected health information may be shared only in certain circumstances. It further stipulates that, when the information is shared, only the minimum required information be shared.
Private health information may be shared in the effort to provide a patient the best possible treatment. For example, a patient who has checked into the hospital for surgery will give the hospital information about her drug allergies. The hospital may share this information with the surgeon and anesthesiologist, even though those professionals are probably independent contractors rather than hospital employees, because they will need it to give the patient the best possible care.
In some cases, sharing of private health information is required by law. In cases of suspected child abuse, the attending physician is required to notify the proper authorities. In some places, hospitals must report certain incidents, such as rape examinations or gunshot wounds, to the police. Occurrences of serious, contagious illness may need to be reported as well.
Health care providers routinely ask patients to sign a "payor" release. This form allows the provider to share necessary information with the patient's insurance provider so that claims can be paid. Many such releases also include language allowing providers to share specific information with collection agencies in the event that the patient fails to pay her portion of the bill.
A patient may also elect to allow a provider to share her protected health information with friends, relatives or other providers. Such election must occur in writing and must specify the name of the person or entity. Patients may also specify the type of information that may be shared and may assign an expiration date to the release.
HIPAA also addresses protected health information in section three of Title II, known as the Security Rule. This rule applies specifically to protected health information stored in electronic format. It requires healthcare providers to establish adequate measures to ensure that patient information remains confidential. This includes physical measures, such as locked doors to data storage rooms; administrative measures, such as the development and enforcement of privacy policies; and technological measures, such as password protection of electronic patient files.