If your organization needs to comply with HIPAA, you’ll need to safeguard protected health information (PHI). This article covers the three most common kinds of PHI you are likely to encounter and how to handle them:
- Identifiable records related to patients’ health conditions
- Identifiable records related to the provision of healthcare services
- Identifiable records related to payments for healthcare provided
- Methods for de-identifying PHI to narrow the scope of compliance
- Approaches to comprehensive HIPAA compliance implementation
Example #1: Records of Patients’ Health Conditions
The Health Insurance Portability and Accountability Act (HIPAA) exists to ensure that protected health information (PHI) is safeguarded. The Privacy Rule defines PHI as individually identifiable health information that a covered entity or its business associate creates, receives, maintains, or transmits. The first category is any record that contains or pertains to an individual’s past, present, or future health conditions, including physical and mental health.
The first example is the most straightforward and involves the least abstraction. Records that contain identifiable information about a patient (e.g., their name; the full list of identifiers is covered in the de-identification section below) alongside any information about their health conditions qualify as PHI. One common pitfall in this respect is the mishandling of demographic data pertaining to individuals’ disabilities. Even if collected and used in good faith, this information needs to be safeguarded to protect these individuals’ rights.
Example #2: Records of Healthcare Services Provided
Closely related to the example above, yet distinct from it, PHI includes all records of healthcare services provided to an individual. The distinction is that the first example specifically hinges on whether or not a person is being identified alongside a condition (permanent or otherwise). But, in this case, a document is PHI if it associates an individual with a procedure they’ve received.
Common examples of service-provision PHI documents include:
- Records of medical procedures performed (e.g., operations)
- Records or notes pertaining to ongoing treatment (e.g., therapy)
- Records of medications or supplements prescribed or recommended
Any organization that is subject to HIPAA needs to de-identify and/or protect these kinds of documents, and any traces of this kind of information. See below for guidance on how.
Example #3: Records of Payment for Healthcare Services
In addition, according to the HIPAA Privacy Rule, protected health information includes records of past, present, or future payment made in exchange for the provision of healthcare. If #2 is an abstraction of #1, this type of PHI further abstracts the individual from their health concerns, qualifying a document as PHI if it associates an individual with a payment made for healthcare.
One common instance of payment information qualifying as PHI under HIPAA is credit card and other transaction records maintained digitally. Often, records of this nature are kept for standard bookkeeping or for compliance with other regulatory frameworks such as PCI DSS. However, if they include patients’ names or other identifiers and tie them to healthcare received, they qualify as electronic protected health information (ePHI). If so, they need to be de-identified and/or safeguarded.
How to De-Identify PHI for HIPAA Compliance
De-identification takes information out of the scope of the Privacy Rule: health information that has been de-identified by one of the approved methods is no longer PHI, because if it were leaked or otherwise fell into the wrong hands, the individual it concerns could not reasonably be identified from it.
The Department of Health and Human Services (HHS) recognizes two de-identification methods under the Privacy Rule:
- Expert Determination – A person with appropriate knowledge of and experience with generally accepted statistical and scientific methods for rendering information not individually identifiable determines, and documents, that the risk of re-identification is very small.
- Safe Harbor – All 18 enumerated categories of identifiers (names; geographic subdivisions smaller than a state, including street address, city, county and full ZIP code; all elements of dates other than year, plus any age over 89; telephone and fax numbers; email addresses; Social Security, medical record, health plan, account, and certificate or license numbers; vehicle and device identifiers; URLs and IP addresses; biometric identifiers; full-face photographs; and any other unique identifying number, characteristic, or code) are removed for the individual and for their relatives, employers, and household members, and the covered entity has no actual knowledge that the remaining information could identify the individual.
Covered entities and their business associates should de-identify data wherever the use case permits, using whichever method fits, to minimize the volume of identifiable PHI held in their systems. Only identifiable PHI is subject to breach notification; properly de-identified data is outside HIPAA’s scope.
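As an added example that is not part of the original article, the following Python applies the Safe Harbor method to a single patient record, including the edge cases that trip people up: dates are reduced to the year, ages over 89 collapse to "90+" with the birth year dropped, ZIP codes are truncated to three digits (or "000" for sparsely populated areas), and identifiers hiding in free-text notes are redacted. The field names and the sample record are constructed for this example; the identifier categories follow 45 CFR 164.514(b)(2), and the list of three-digit ZIP prefixes that must become "000" is taken from HHS’s Safe Harbor guidance (based on the 2000 Census) and should be refreshed against current data before use.

```python
"""Safe Harbor de-identification of a single record (illustrative example)."""
import re
from datetime import date

# Direct identifiers Safe Harbor removes outright. The field names are an
# assumption of this example (there is no HIPAA-defined schema); the
# categories follow the 18 identifiers in 45 CFR 164.514(b)(2).
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Event dates tied to the individual: only the year may survive. Assumed names.
EVENT_DATES = {"admission_date", "discharge_date", "date_of_death"}

# Three-digit ZIP prefixes whose area held 20,000 or fewer people in the
# 2000 Census, per HHS Safe Harbor guidance; these must be replaced by "000".
SMALL_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
              "823", "830", "831", "878", "879", "884", "890", "893"}

# Identifier patterns that commonly leak into free-text clinical notes.
_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
_EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
_PHONE = re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")
_DATE = re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b")  # keeps only the year


def age_on(dob: date, today: date) -> int:
    """Whole years elapsed between dob and today."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def zip3(zip_code: str) -> str:
    """First three ZIP digits, or 000 for the restricted low-population areas."""
    prefix = zip_code[:3]
    return "000" if prefix in SMALL_ZIP3 else prefix


def scrub_text(text: str) -> str:
    """Redact SSNs, emails and phone numbers; reduce full dates to their year."""
    text = _SSN.sub("[SSN]", text)
    text = _EMAIL.sub("[EMAIL]", text)
    text = _PHONE.sub("[PHONE]", text)
    return _DATE.sub(r"\1", text)


def safe_harbor(record: dict, today: date) -> dict:
    """Return a new dict with the Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # dropped entirely
        if key == "dob":
            age = age_on(value, today)
            # Ages over 89, and any date element that would reveal them
            # (including the birth year), collapse into a single "90+" bucket.
            if age > 89:
                out["age"] = "90+"
            else:
                out["age"] = age
                out["birth_year"] = value.year
        elif key in EVENT_DATES:
            out[key + "_year"] = value.year
        elif key == "zip":
            out["zip3"] = zip3(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)  # catch identifiers inside free text
        else:
            out[key] = value
    return out


# Constructed sample input, not real patient data.
TODAY = date(2024, 1, 1)
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-0042",
    "dob": date(1931, 5, 2),
    "admission_date": date(2023, 11, 14),
    "zip": "03601",
    "state": "NH",
    "condition": "type 2 diabetes",
    "notes": "Pt called 555-123-4567 on 11/14/2023; follow-up re: insulin. "
             "SSN 123-45-6789 on file.",
}
YOUNG_RECORD = {"dob": date(1990, 6, 15), "zip": "94103"}


def deidentify_sample() -> dict:
    return safe_harbor(SAMPLE_RECORD, TODAY)


if __name__ == "__main__":
    print(deidentify_sample())
```

Note what survives: the state, the condition, the admission year and the scrubbed note. That is enough for many analytics use cases while no longer being PHI, which is the point of de-identifying early in a pipeline rather than protecting full records everywhere they flow. The free-text pass is deliberately conservative; in production, free text is where Safe Harbor most often fails, and an Expert Determination review is the safer route for narrative notes.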
How to Safeguard Identifiable PHI for HIPAA Compliance
Identifiable PHI that remains in your systems must be safeguarded according to HIPAA’s three rules. The Privacy Rule, noted above, limits uses and disclosures to those permitted or required (treatment, payment, healthcare operations, and a defined set of other purposes), requires that most uses involve only the minimum necessary information, and guarantees individuals the right to access and obtain a copy of PHI about them, generally within 30 days of a request.
The Security Rule augments the Privacy Rule for ePHI specifically, adding administrative, physical, and technical safeguards that organizations must implement: access controls, audit logging, integrity protection, transmission security, and workforce training, among others, all driven by a documented, periodically repeated risk analysis. Vulnerability assessments and penetration tests are a common way to gather the evidence that risk analysis requires, though the rule prescribes the analysis itself rather than any particular testing method.
Finally, the Breach Notification Rule requires monitoring sufficient to detect breaches of unsecured PHI and notification of affected individuals (and of HHS, and of the media when more than 500 residents of a state are affected) without unreasonable delay and no later than 60 days after discovery. ePHI encrypted in line with HHS guidance is considered “secured,” so its loss is not a notifiable breach, which is a strong reason to encrypt ePHI both at rest and in transit.
Streamline Your HIPAA Compliance Process
Critically, PHI is a relatively wide category of information that includes both health-specific documentation and more generalized records, such as payment data. Organizations in and adjacent to healthcare need to be aware of these common PHI types that they may come across so that they can de-identify and safeguard them to maintain HIPAA compliance.
RSI Security has helped healthcare organizations and their strategic partners steer clear of HIPAA enforcement for over a decade. We believe that discipline up-front unlocks greater freedom to grow down the road, and we’ll help you rethink and optimize your compliance.
To learn more about protected health information and HIPAA, contact RSI Security today!