Introduction

Health Insurance Portability and Accountability Act of 1996:

A Federal law imposed on all health care organizations including hospitals, physician offices, home health agencies, nursing homes, and other providers, as well as health plans and clearinghouses, protects patient health information.

Its main purpose is to make sure that Protected Health Information (PHI) is properly handled.
HIPAA tells us how we must process and protect our patient information.
It also says that if we transmit PHI electronically, we must do it in a standard way.
Under HIPAA patients have new rights that we must inform them about.

HIPAA rules require us to:

Treat all things we learn about patients as confidential - We can’t tell anyone else
Provide more control to patients over their personal health information
Punish those who misuse patient information by imposing criminal & civil penalties

OpenSpecimen PHI Fields

Any information that uniquely identifies a patient is Protected Health Information (PHI).

OpenSpecimen includes the following PHI fields:

Object	Field Name
Participant	Name (first, last, middle)
Participant	Date of Birth
Participant	Social Security Number
Participant	Registration Date
Participant	Death Date
Participant	Medical Record Number
Participant	Email ID
Participant	Consent File
Participant	Master Patient Index
Visit	Surgical Pathology Number

Below are some of the other fields which are considered PHI but not present in the OpenSpecimen default model. If you add these as custom fields, we recommend marking them as PHI so that only restricted users get access to it:

Address (all geographic subdivisions smaller than the state, including street address, city county, and zip code)
Telephone numbers
Fax number
Health plan beneficiary number
Account number
Certificate or license number
Vehicle identifiers and serial numbers, including license plate numbers
Finger or voice print
Photographic image - Photographic images are not limited to images of the face.
Any other characteristic that could uniquely identify the individual

HIPAA DO's

Share PHI data securely with files encrypted with passwords.
If screenshots are taken from production, mask the PHI information using graphic editors like 'Paint'.
The right to access PHI data should only be given to selective users of a system. (Eg: Super-administrators, Site Administrators in OpenSpecimen)
if PHI is sent insecurely by mistake, destroy it immediately. Don't forward/reply to such emails, remove the PHI content before you have to do.

HIPAA DON'TS

Don't send passwords of client-side OpenSpecimen application which has real data over emails.
Don't send screenshots over email or update Jira/Wiki/Forums with screenshots having real data.
Don't store real data on local machines. Even if done, remove after work done.
Never share your credentials with anyone.
Do not share PHI over email or public servers or 3rd party tools like google drive/dropbox. If required, use secure servers to share the data.

Civil monetary penalties

Failure to comply with HIPAA can result in civil and criminal penalties:

Tier	Penalty
1. Covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation.	$100-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year
2. The HIPAA violation had a reasonable cause and was not due to willful neglect.	$1,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year
3. The HIPAA violation was due to willful neglect but the violation was corrected within the required time period.	$10,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year
4. The HIPAA violation was due to willful neglect and was not corrected.	$50,000 or more for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year

Criminal penalties

Tier	Potential jail sentence
Unknowingly or with reasonable cause	Up to one year
Under false pretences	Up to five years
For personal gain or malicious reasons	Up to ten years

Browser not supported