What is Protected Health Information (PHI)?
Unless you have been living under a rock, you’ll know that HIPAA Compliance is all about ensuring the sanctity, integrity, and security of Protected Health Information or as it is more commonly known, PHI. But what is PHI? Why is it so important that it is kept under lock and key, and only disclosed when it is considered necessary?
HIPAA Protected Health Information, or PHI, is any personal health information that can potentially identify an individual, that was created, used, or disclosed in the course of providing healthcare services, whether it was a diagnosis or treatment. PHI can include:
- The past, present, or future physical health or condition of an individual
- Healthcare services rendered to an individual
- Past, present, or future payment for the healthcare services rendered to an individual, along with any of the identifiers shown below.
To put it simply, PHI is personally identifiable information that appears in medical records as well as conversations between healthcare staff such as Doctors and Nurses regarding patient treatment. PHI also includes billing information and any information that could be used to identify an individual in a health insurance company's records.
Generally, PHI can be found in a wide variety of documents, forms, and communications such as prescriptions, doctor or clinic appointments, MRI or X-Ray results, blood tests, billing information, or records of communication with your doctors or healthcare treatment personnel.
ePHI: PHI in Electronic Format
When PHI is found in an electronic form, like a computer or a digital file, it is called electronically Protected Health Information or ePHI. This is PHI that is transferred, received, or simply saved in an electronic form. ePHI was first described in the HIPAA Security Rule and organizations were instructed to implement administrative, technical, and physical safeguards to ensure its sanctity and integrity. ePHI can be found in a couple of different forms whether it is shared via email or stored on a hard drive, computer, flash drive, disk, cloud hosting platform, or other. It is important to point out that the HIPAA Privacy Rule applies to each and every form of PHI that currently exists or will ever exist in the future. On the other hand, the Security Rule only applies to ePHI and does not apply to paper or oral versions of this same information. Since technological innovation has led to many covered entities, and business associates handling ePHI as a part of their operations, there was a need for a rule that dedicated guidance to this topic. This shift in medical information storage led to the need for the HHS to pass The Security Rule and it's physical, technical, and administrative safeguards in order to ensure the protection of ePHI.
What Information is considered PHI?
PHI is any information that can be used to identify an individual, even if the link appears to be tenuous. HIPAA has laid out 18 identifiers for PHI. If a record contains any one of those 18 identifiers, it is considered to be PHI. If the record has these identifiers removed, it is no longer considered to be Protected Health Information and it is no longer under the restrictions defined by the HIPAA Privacy Rule. These are the 18 Identifiers for PHI:
- Full names or last name and initial
- All geographical identifiers smaller than a state,
- Dates (other than year) directly related to an individual such as birthday or treatment dates
- Phone Numbers including area code
- Fax number/s
- Email address/es
- Social Security number
- Medical record numbers
- Health insurance beneficiary numbers
- Bank Account numbers
- certificates/drivers license numbers
- Vehicle identifiers (including VIN and license plate information)
- Device identifiers and serial numbers;
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers including fingerprints, retinal, genetic information, and voice prints
- Full face photographs and any comparable images that can identify an individual
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
The rule of thumb is that if any of the information is personally recognizable to the patient or if it was utilized or discovered during the course of a healthcare service, it is considered to be PHI.
What is not considered PHI?
Generally speaking, PHI does not include information created or maintained for employment records, such as employee health records. Health data that is not shared with a HIPAA covered entity or can not be used to identify an individual doesn’t qualify as PHI, such as a blood sugar reading, a temperature scan, or readings from a heart rate monitor.
To make laying out a narrow definition of PHI even more complicated, HIPAA was conceived in a time when the internet was in its infancy and devices like smartphones were something that you saw on Star Trek. The law was written for a world in which X-rays were physical copies and safeguarding patient data meant keeping files in locked filing cabinets behind closed doors. In today’s world of genetic information, wearable technology, health apps and perhaps even implantables, it can be challenging to determine whether you are using consumer health information or PHI.
So if you are a startup developing an app, and you are trying to decide whether your software needs to be HIPAA Compliant, the general rule of thumb is this: If the product that you are developing transmits health information that can be used to personally identify an individual and that information will be used by a covered entity (medical staff, hospital, or insurance company), then that information is considered PHI and your organization is subject to HIPAA. If you have no plans on sharing this data with a covered entity, then you do not need to worry about HIPAA compliance - yet.
Why is PHI valuable to criminals?
It is common knowledge that healthcare data is very attractive to hackers and data thieves. Hacking and other IT related events make up the majority of PHI breaches, but why is healthcare data such an attractive target to cyber criminals?
According to a study by Trustwave, banking and financial data is worth $5.40 per record, whereas PHI records are worth over $250 each due to their longer shelf life. Stolen financial information must be used quickly for a thief to take advantage of. For example, If your credit card is stolen, you can cancel your card as soon as you are aware of the theft or even loss, leaving the thief a brief period to make fraudulent purchases.
However, If your personal healthcare information stored in these smart medical devices is stolen, you can’t change it and the breach can take a very long time to detect. Information such as your name, date of birth, address, Social Security Number, and older medical claims information can be used to commit fraud, the thief can receive medical care using the victim’s name, purchase prescription drugs, and even commit blackmail.
The results of an unauthorized disclosure of PHI can be far worse than financial fraud, as they can take months or even years before they are detected. Identity theft can take years to recover from. Additionally, the penalties of a HIPAA violation can be quite severe and even crippling to an organization.
Protect Against PHI Breaches. Become HIPAA Compliant
The HIPAA Security Rule requires organizations to take proactive measures against threats to the sanctity of PHI. Organizations must implement administrative, technical, and physical safeguards to ensure the confidentiality and integrity of the PHI under their care. However, aside from saying that safeguards must be implemented, the “how” is left to the discretion of the individual organization, which can be frustrating for the organization in question because when the cost of non-compliance can be so high, they don’t know what they need to do to be compliant.
Related: HIPAA Compliance Checklist
Broadly speaking, these are the actions that an organization needs to take in order to become HIPAA-compliant to safeguard the PHI under your organizations care:
- Select someone from your organization to serve as your HIPAA Privacy officer.
- Conduct regular employee HIPAA training as well as awareness programs to ensure that your staff are aware of the tactics deployed by cybercriminals, as well as more mundane and traditional methods of protecting data.
- Investing in data loss prevention controls like encryption and endpoint security solutions.
- Policies are in place to prevent employees from accessing PHI via non-secure methods as well as controlling access to PHI.
- Storing and transmitting PHI via a method that meets HIPAA compliance – if this is managed by a third-party provider, a business associate agreement must be signed ensuring the third party is also complying with HIPAA.
Accountable was founded with the goal of making HIPAA compliance achievable by creating a framework that will make training employees, adopting applicable policies and procedures, and identifying risk in your organization simple so that you can spend your time focusing on your business, not fretting about threats. We’re so confident that we can meet your needs that you can try it for free.
Don’t wait. Get started on your journey to compliance, today.