HIPAA DO'S and DON'TS

• Its main purpose is to make sure that Protected Health Information (PHI) is properly handled.
• HIPAA tells us how we must process and protect our patient information.
• It also says that if we transmit PHI electronically, we must do it in a standard way.
• Under HIPAA patients have new rights that we must inform them about.

• Treat all things we learn about patients as confidential - We can’t tell anyone else
• Provide more control to patients over their personal health information
• Punish those who misuse patient information by imposing criminal & civil penalties

OpenSpecimen PHI Fields

Any information that uniquely identifies a patient is Protected Health Information (PHI).

OpenSpecimen includes the following PHI fields:

Below are some of the other fields which are considered PHI but not present in the OpenSpecimen default model. If you add these as custom fields, we recommend marking them as PHI so that only restricted users get access to it:

• Address (all geographic subdivisions smaller than the state, including street address, city county, and zip code)
• Telephone numbers
• Fax number
• Health plan beneficiary number
• Account number
• Certificate or license number
• Vehicle identifiers and serial numbers, including license plate numbers
• Finger or voice print
• Photographic image - Photographic images are not limited to images of the face.
• Any other characteristic that could uniquely identify the individual

HIPAA DO's

1. Share PHI data securely with files encrypted with passwords. 
2. If screenshots are taken from production, mask the PHI information using graphic editors like 'Paint'.
3. The right to access PHI data should only be given to selective users of a system. (Eg: Super-administrators, Site Administrators in OpenSpecimen)
4. if PHI is sent insecurely by mistake, destroy it immediately. Don't forward/reply to such emails, remove the PHI content before you have to do.

HIPAA DON'TS

1. Don't send passwords of client-side OpenSpecimen application which has real data over emails.
2. Don't send screenshots over email or update Jira/Wiki/Forums with screenshots having real data.
3. Don't store real data on local machines. Even if done, remove after work done.
4. Never share your credentials with anyone.
5. Do not share PHI over email or public servers or 3rd party tools like google drive/dropbox. If required, use secure servers to share the data.

Failure to comply with HIPAA can result in civil and criminal penalties:

Criminal penalties