HIPAA protects your personal medical history so that you cannot be identified and your private data
remains private at all times. It puts in place a set of rules that must be adhered to so that nothing will
be accessed by unauthorized individuals that may impact your life in any way.
HIPAA applies to any person or group who creates, receives, uses or stores individually identifiable
health information. In total there are 18 “HIPAA Identifiers” that can be used to identity, get in touch
with or find an individual, or be used with other sources to identify a person. The identifiers in
question are referred to as “Protected Health Information” (PHI)
They include among their number:
● Names (Full or surname and initial)
● Geographical identifiers smaller than a state, aside from for the first three digits
of a zip code if, according to the current publicly available data from the U.S.
Bureau of the Census: the geographic unit formed by joining up all zip codes with
the same three digits includes more than 20,000 people; and the first three digits
of a zip code for all such geographic units including 20,000 or fewer people is
amended to 000
● Dates (other than year) directly linked to an individual
● Phone Numbers and contact numbers
● Fax numbers and fax contact details
● Email addresses and email contact details
● Social Security data
● Medical record material
● Health insurance beneficiary numbers
● Account holder numbers
● Vehicle identifiers (such as serial numbers and license plate numbers)
● Device details and serial numbers;
● Web Uniform Resource Locators (URLs)
● Internet Protocol (IP) address numbers
● Finger, retinal and voice prints
● Full face photos and any such images
● Any other unique identifying number, characteristic, or code not including the
unique code given by the investigator to code the data
If an organization or person is governed by HIPAA compliance, they are either a “Covered Entity” or
a “Business Associate”. A Covered Entity is a group or person that maintain patient healthcare or
payment data, or would reasonably be expected to manage PHI in the course of their daily activities
– in most cases healthcare providers, health plans and healthcare clearinghouses.
A Business Associate is a group or person who does not manage PHI as their chief activity, but
manages PHI when they carry out a service for a Covered Entity. Examples of Business Associates
are software providers, storage and collection agencies, message answering services, non-
employed consultants and cleaning services. Subcontractors may also be classified as Business
HIPAA states that – legally – physical, technical, and administrative safeguards must be in place.
Technologies including encryption software and firewalls are included under technical safeguards.
Physical safeguards for PHI data include maintaining physical records and electronic devices that
hold PHI under lock and key. Administrative security measures include access controls to restrict
who can view PHI data and security awareness guidance.