From 4eeb2e22938400b5ba0c0465a9297c7b6a759060 Mon Sep 17 00:00:00 2001 From: Natasa Manousopoulou Date: Wed, 18 Mar 2020 18:26:07 +0200 Subject: [PATCH] HIPAA basics documentation --- docs/.markdownlint.json | 4 +++ docs/requirements/industry/hipaa/overview.md | 13 +++++++ docs/requirements/industry/hipaa/phi.md | 35 +++++++++++++++++++ .../industry/hipaa/source-material.md | 29 +++++++++++++++ 4 files changed, 81 insertions(+) create mode 100644 docs/.markdownlint.json create mode 100644 docs/requirements/industry/hipaa/overview.md create mode 100644 docs/requirements/industry/hipaa/phi.md create mode 100644 docs/requirements/industry/hipaa/source-material.md diff --git a/docs/.markdownlint.json b/docs/.markdownlint.json new file mode 100644 index 0000000..151ee39 --- /dev/null +++ b/docs/.markdownlint.json @@ -0,0 +1,4 @@ +{ + "MD013": false, + "MD033": false +} \ No newline at end of file diff --git a/docs/requirements/industry/hipaa/overview.md b/docs/requirements/industry/hipaa/overview.md new file mode 100644 index 0000000..7e8e25b --- /dev/null +++ b/docs/requirements/industry/hipaa/overview.md 
@@ -0,0 +1,13 @@ +# Overview + +## What is HIPAA? + +HIPAA is a U.S. regulation that gives patients greater access to their own medical records and more control over how their personally identifiable health information is used. The regulation also addresses the obligations of healthcare providers and health plans to protect health information. + +## What is PHI? + +PHI stands for Protected Health Information and it includes data elements that can be used within a data set to identify an individual and disclose their medical records and/or health related financial history. + +## What is HIPAA compliance? + +In order to be HIPAA compliant, entities such as health care providers or employers that manage PHI, and providers of services to these entities, must ensure that technical, physical and administrative safeguards are in place and adhered to, in order to protect the integrity of PHI. They are also required to follow specific procedures if the integrity of PHI is breached. diff --git a/docs/requirements/industry/hipaa/phi.md b/docs/requirements/industry/hipaa/phi.md new file mode 100644 index 0000000..90fbf5e --- /dev/null +++ b/docs/requirements/industry/hipaa/phi.md 
@@ -0,0 +1,35 @@ +# Protected Health Information + +## PHI data types + +The 18 different types of data elements that are considered PHI identifiers are: + +1. Names or part of names +1. Geographical identifiers +1. Phone numbers +1. Email addresses +1. Medical record numbers +1. Account numbers +1. Vehicle license plate numbers +1. Web URLs +1. Fingerprints, retinal and voice prints +1. Any other unique identifying characteristic +1. Dates directly related to an individual +1. Fax numbers +1. Social Security numbers +1. Health insurance beneficiary numbers +1. Certificate or license numbers +1. Device identifiers and serial numbers +1. IP addresses +1. Full face or any comparable photographic images + +Source: [https://www.hipaajournal.com/considered-phi-hipaa](https://www.hipaajournal.com/considered-phi-hipaa/) + +## Deidentifying PHI + +The PHI deidentification guidance specifies two different approaches: + +1. *Expert determination* applies supervised statistical methods to review the data and confirm whether individuals would be identifiable from the data. +1. *Safe harbor* removes all data of the 18 PHI types, thus making re-identification impossible as per HIPAA definition. + +Source: [https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html](https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html) \ No newline at end of file diff --git a/docs/requirements/industry/hipaa/source-material.md b/docs/requirements/industry/hipaa/source-material.md new file mode 100644 index 0000000..2ae910e --- /dev/null +++ b/docs/requirements/industry/hipaa/source-material.md 
@@ -0,0 +1,29 @@ +# Source material + +## PHI identifiers + +1. Names +2. Geographical subdivisions smaller than a State (see [Identifiers list](#identifiers-list) for details) +3. Dates directly related to an individual (see [Identifiers list](#identifiers-list) for details) +4. Phone numbers +5. Fax numbers +6. E-mail addresses +7. Social Security numbers +8. Medical record numbers +9. Health plan beneficiary numbers +10. Account numbers +11. Certificate/license numbers +12. Vehicle identifiers and serial numbers, including license plate numbers +13. Device identifiers and serial numbers +14. URLs +15. IP address numbers +16. Biometric identifiers, including finger and voice prints +17. Full face photographic images and any comparable images +18. Any other unique identifying number, characteristic, or code + +## Links + +* [HIPAA official site](https://hipaa.com/) +* [List of identifiers](https://cphs.berkeley.edu/hipaa/hipaa18.html) +* [HIPAA compliance checklist](https://www.hipaajournal.com/hipaa-compliance-checklist/) +* [Deidentification guidance](https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html)
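Review bot: the docs/.markdownlint.json hunk disables MD033 (inline HTML) for every Markdown file under docs/, which is unrelated to the "HIPAA basics documentation" commit subject and, if the docs are rendered by a site generator that passes HTML through, lets a documentation contribution inject arbitrary markup into the rendered site; none of the three new files uses inline HTML, so suggest keeping MD033 enabled (or stating in the commit message why it must be off) and leaving only `"MD013": false`. The file also lacks a trailing newline (`\ No newline at end of file`).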
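Review bot: in overview.md, the "What is HIPAA compliance?" paragraph lists "employers that manage PHI" as obligated entities and limits the safeguards to "the integrity of PHI"; HIPAA's own terms are covered entities (health care providers, health plans and health care clearinghouses) and their business associates (an employer is only in scope through its group health plan), and the Security Rule requires administrative, physical and technical safeguards for the confidentiality, integrity and availability of PHI, not integrity alone. Suggest: "covered entities (health care providers, health plans and clearinghouses) and their business associates must ensure that administrative, physical and technical safeguards are in place to protect the confidentiality, integrity and availability of PHI." Also expand the acronym on first use (Health Insurance Portability and Accountability Act), since the heading asks "What is HIPAA?".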
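Review bot: in phi.md, the Safe harbor bullet overstates the method: Safe Harbor requires both removing the 18 identifier types and that the covered entity has no actual knowledge that the remaining information could identify the individual, and the linked HHS guidance describes the output as de-identified, not as making re-identification "impossible"; suggest "removes the 18 identifier types listed above and requires that the entity has no actual knowledge that the remaining information could identify the individual". Likewise "supervised statistical methods" under Expert determination should describe a qualified expert applying generally accepted statistical and scientific principles to determine that the re-identification risk is very small. Minor: the link text drops the trailing slash that the URL has, and the file lacks a trailing newline.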
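Review bot: in source-material.md, items 2 and 3 link to `#identifiers-list`, but no heading named "Identifiers list" exists in this file (its headings are "PHI identifiers" and "Links"), so both anchors are broken; either add that section or point them at the "List of identifiers" link under Links. The "HIPAA official site" entry links to hipaa.com, which is a private site rather than the regulator; the official source is https://www.hhs.gov/hipaa/, so retitle the link or swap the URL. This file also repeats the 18 identifiers from phi.md with different wording and ordering (e.g. "Vehicle license plate numbers" versus "Vehicle identifiers and serial numbers, including license plate numbers") and numbers them sequentially where phi.md uses `1.` throughout (markdownlint MD029); keep one canonical list and one list style and have the other page link to it.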