The Health Insurance Portability and Accountability Act of 1996 (HIPAA) designates forms of patient-related records that need to be protected. These records are “protected health information” (PHI). Guarding these documents is critical to the safety of patients and providers alike. Read on for several examples of protected health information, the US Department of Health and Human Services’ (HHS) strict regulations surrounding them, and how to safeguard your company.
What Does Protected Health Information Include?
Given how critical safeguarding PHI is, all businesses in and adjacent to the healthcare industry need to understand its importance, why it’s so essential, and how to protect it per HIPAA standards. This blog will break down:
- Everything protected health information includes and its basic definition
- How to protect physical and digital PHI per the HIPAA Privacy Rule
- How the HIPAA Security Rule applies to electronic PHI (ePHI) specifically
- How the Breach Notification Rule applies to all forms of PHI and ePHI
Personal Health Information Examples and Definition
The best way to understand what protected health information involves understanding what protected health information includes. The primary examples of PHI are all patients’ medical and payment documents that contain personally identifiable information, such as records of doctor visits, prescriptions, bills, and privileged communications with providers. This includes nearly all patient-related documents stored or processed by covered entities.
HIPAA applies unilaterally to all businesses in the healthcare field and many other businesses adjacent to it. Covered entities comprise healthcare providers, health plans, and health clearinghouses. Furthermore, the business associates of these parties are also required to be compliant.
[su_button url=”https://www.rsisecurity.com/request-demo/” target=”blank” style=”flat” size=”11″]Request a Free Consultation[/su_button]
Identifiable Characteristics for Protected Health Information
PHI is health information with personally identifiable information about a patient. If all 18 kinds of personally identifiable data are removed or redacted from a PHI document, it may no longer qualify as PHI under the “safe harbor” provision. The identifying categories include:
- The names associated with a patient, including first, last, initials, and aliases
- The location of a patient, including geographical identifiers smaller than a state
- All essential dates associated with a patient (birth, etc.) other than the year of birth
- All phone numbers associated with the patient, including home, cell, and work
- All fax numbers associated with the patient, including home, cell, and work
- All personal and professional email addresses related to the patient
- The patient’s social security number and equivalent tax-relevant identifiers
- The numbers and codes related to all of a patient’s medical records
- The health insurance beneficiary details related to a patient’s plan
- The account numbers tied to a patient’s medical and financial accounts
- All certificate and license numbers related to the patient’s vehicles
- All vehicle identifiers, such as license plate and vehicle serial numbers
- All serial or identification numbers associated with a patient’s devices
- Uniform Resource Locators (URLs) related to a patient’s web presence
- Internet Protocol (IP) addresses or numbers related to a patient’s devices
- All biometric identifiers of a patient, such as a finger, retinal, or voiceprints
- The likeness of a patient, as captured in full-face photographic images
- All other unique identifying numbers, characteristics, or codes of the patient
The process of removing all these identifiers is called the de-identification of PHI. Companies can also achieve de-identification via expert determination that the document is not identifiable.
The HIPAA Privacy Rule: Uses and Disclosures of PHI
The Privacy Rule within the HIPAA framework applies to all PHI, both physical and digital, and delineates the specific use cases under which parties other than PHI subjects can access PHI. It also guarantees that PHI is accessible by its subjects or representatives, along with select other parties, such as law enforcement.
Protections under the Privacy Rule may be considered a “whitelist” approach, wherein use cases are disallowed unless otherwise specified. To that effect, the rule’s “basic principles” include that a covered entity may not disclose or use PHI in any way except those defined as permitted or required or as formally requested in writing by the PHI’s subject or representative.
Rules and Requirements for Privacy Rule Protection of PHI
The HHS’s Privacy Rule Summary breaks down the following permitted use cases for PHI:
- Use by, of, or for or disclosure to the individual subject or a designated representative.
- Uses and disclosures are undertaken for treatment, payment, and healthcare operations.
- Uses or disclosures for which the subject has been granted an opportunity to consent.
- Incidental uses or disclosures related to other permitted or required uses or disclosures.
- Uses or disclosures undertaken in the general public interest or for a public benefit project.
- Use of a limited data set needed for approved research or public health care operations.
All permitted uses and disclosures except select required cases, such as to the subject of law enforcement, must also be limited to the minimum necessary extent to avoid breach conditions.
The HIPAA Privacy Rule: Safeguards for Electronic PHI
The second prescriptive rule applicable to PHI in the HIPAA framework is the Security Rule. The Security Rule applies to electronic PHI (ePHI) only, unlike the Privacy Rule, which applies to PHI in all formats. The Security Rule resulted from the HITECH Act of 2009, which increased HIPAA’s oversight on electronically generated and processed PHI, along with increases to enforcement penalties.
In particular, the Security Rule exists to ensure the confidentiality, integrity, and availability of ePHI. It also specifies risk analysis or assessment methods to identify and address credible threats to the Security and Privacy of ePHI and prevent them before they turn into total breaches. It does this by detailing specific safeguards all covered entities must implement.
Rules and Requirements for the Security of Electronic PHI
The HHS’s Security Rule Summary breaks down three kinds of safeguards for ePHI security:
- Administrative safeguards – Controls to guide company-wide procedures:
-
-
- Establishment of security management processes and resources
- Allocation of security personnel and resources to enforce policy
- Management of information access for all uses and disclosures
- Training and assessment of behaviors across all security staff
- Evaluation of IT and security measures consistent with HIPAA
-
- Physical safeguards – Controls for the level of individual spaces and hardware:
-
-
- Restriction of physical access to defined security perimeters
- Restriction of physical access to individual workstations
-
- Technical safeguards – Controls for devices, software, and network infrastructure:
-
- Monitoring and restricting access to ePHI in transit or storage
- Regular auditing and audit logging for privacy and security
- Visibility and assurance of ePHI integrity (no undue changes)
- Monitoring and restriction of communications involving ePHI
These protections ultimately build on the Privacy Rule’s guidance to define parameters for PHI’s safekeeping. If any statute is broken, the PHI will be considered breached.
Breach Notification for Compromises to PHI or ePHI
Finally, the last HIPAA rule pertaining to PHI is not a prescription for its protection but a failsafe if compromised. The Breach Notification Rule applies to all PHI and ePHI; it requires covered entities to notify three distinct parties if any element of the Security or Privacy Rule is breached:
- Individuals impacted by a breach of PHI or ePHI must be notified by the covered entities in writing as soon as possible and within 60 days of the breach’s discovery in all cases.
- The secretary of the HHS must be notified as soon as possible (within 60 days) in cases impacting 500 or more individuals or within 30 days of year’s end if more are affected.
- Local media outlets must be notified as soon as possible in cases impacting 500 or more individuals within a defined geographical location serviced by the specific media outlet.
Failure to meet these requirements does more than compromise PHI. It can also result in civil money penalties or criminal charges, per the Enforcement Rule.
Safeguard Protected Health Information Professionally
To avoid non-compliance penalties and other potentially dangerous cybercrime threats, working with a qualified HIPAA compliance advisor can offer an optimal return on investment. There are countless examples of protected health information-related crimes and HIPAA violations that involve well-meaning companies with inadequate staffing or resources. If compliance is a concern for you, contact RSI Security today to see how easy it can be.
Download Our HIPPA Checklist
