When ensuring HIPAA compliance, it is vital to understand what counts as PHI, or Protected Health Information, under HIPAA. Where HIPAA is concerned, it is essential that your patients' private information, or PPI, is kept safe and secure. Read on to find out what counts as PHI under HIPAA so you can remain compliant and protect your patients.
Quick Recap: What is HIPAA?
Before we break down what protected health information (PHI) is protected under HIPAA, let's quickly recap what HIPAA, or the Health Insurance Portability and Accountability Act, actually is.
Passed by the U.S. Congress in 1996, HIPAA was designed to increase patient access to health insurance while ensuring that healthcare providers handle the privacy of health information properly. HIPAA also standardized certain administrative processes, which has helped streamline the healthcare industry over the two decades since its implementation.
For more information on HIPAA and your rights under it, check out this other blog by our experts at RSI Security.
Why Be HIPAA Compliant?
- Increased patient data protection
- Increased customer trust
- Effective incident response planning
- Improved organizational reputation
- Patient data security risk management
- Audit ready patient data environment
- HIPAA security and compliance
What is Protected Health Information (PHI)?
PHI held by HIPAA covered entities falls under the federal protections of the HIPAA Privacy Rule, which grants patients several rights with respect to their health care information while still allowing covered entities access to enough personal health information to provide adequate and informed care.
Under HIPAA, protected health information (PHI) is any information that can personally identify an individual patient through any of a set of identifiers. It covers information on an individual's past, present, or future health status that is collected, maintained, transmitted, or created by covered entities for use in healthcare operations and billing.
The following information falls under PHI:
- Treatment information
- Patient diagnoses
- Prescription information
- Medical test results
- Demographic information – birth dates, ethnicity, gender, and contact information
The following information does NOT fall under PHI:
- Educational record data
- Employee data
- Information that cannot identify an individual
PHI refers to any physical record containing these types of information, while ePHI is any electronic record of patients' private healthcare information.
HIPAA Privacy Rule
Protected health information is governed by the HIPAA Privacy Rule, which maintains strict guidelines for disclosing PHI during patient care and while it is being stored and processed. The Privacy Rule details comprehensive administrative, physical, and technical measures to ensure the integrity and confidentiality of patient PHI. This strikes a balance between effective communication around patient care and the privacy of PHI/PPI.
- Limited Access – Access to PII, including patient medical files, is to be limited: physical files are to be locked in file cabinets and kept out of public view when used for secretarial purposes. Employee access is “designated on a need-to-know basis.”
- Data Transfers – Patients must provide written consent before any information is disclosed to another entity. The information disclosed will be limited to that which is specifically required for the purposes of the requesting entity, or the minimum amount required for a certain task, as determined by the physician.
- Patient Rights – HIPAA grants numerous rights to patients including the right to request their medical information, amend their PHI, and know who can access their PHI and what exactly is disclosed to other entities.
- Privacy Officer – HIPAA requires that compliant enterprises assign a Privacy Officer to design a privacy compliance plan and oversee its implementation. The Privacy Officer is also responsible for addressing privacy breaches and any instances of noncompliance.
- Partner Compliance – With written consent, entities may legally transfer data to other healthcare parties, if and only if those parties are also HIPAA compliant. This responsibility lies with the party sending the information.
More on ePHI
Any PHI that is transmitted, stored, received, or created electronically is considered Electronic Protected Health Information (ePHI). Unlike PHI, which is covered under the HIPAA Privacy Rule, ePHI guidelines are found in the HIPAA Security Rule.
Media used to store ePHI includes:
- Magnetic tape
- External hard drives
- Internal hard drives found in personal computers
- Portable storage devices – CDs, DVDs, SD cards, and USB drives
- Personal Digital Assistants (PDAs)
Transmission methods of ePHI include:
- File transfers
Electronic PHI can be protected using certain administrative, technical, and physical safeguards that include implementing firewalls and other cybersecurity methods to secure digital data storage locations, keeping physical storage devices locked away, and only allowing limited access to data to specific employees on a need-to-know basis.
HIPAA Security Rule
The HIPAA Security Rule applies specifically to ePHI but shares many overlaps with the HIPAA Privacy Rule. Similar to the Privacy Rule, it requires extensive tracking, documentation, and reporting when managing, processing, or transmitting ePHI.
Data and Cloud Storage for ePHI
HIPAA regulations consider data storage companies to be Business Associates (BAs). This covers both physical and digital data storage, including cloud service providers, even if those providers never access the ePHI they store.
To manage these relationships, covered entities must write up Business Associate Agreements (BAAs) with their BAs to “clearly delineate liability in the event of a data breach,” as well as define any administrative, physical, or technical safeguards needed to maintain PHI integrity.
The 18 Identifiers that Define PHI
With the main components and implications of HIPAA laid out, we can now explore exactly what information is considered Protected Health Information under HIPAA. Understanding what falls under PHI is vital because any violation of the HIPAA Privacy and Security Rules can lead to financial or even legal penalties, and claiming ignorance of HIPAA law is not considered a valid defense.
As previously mentioned, PHI is any health information that can identify an individual patient. According to HIPAA regulations, PHI is any information that has one or more of the following 18 identifiers:
- Names (Full or last name and initial)
- All geographic identifiers smaller than a state, except for the initial three digits of a ZIP code if, according to the current publicly available data from the U.S. Bureau of the Census: (1) the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000
- Dates (other than year) directly related to an individual
- Phone Numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers (including serial numbers and license plate numbers)
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including fingerprints, retinal scans, and voiceprints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
Please note that if information is stripped of these identifiers, it is then considered de-identified and is therefore no longer subject to HIPAA Privacy Rule restrictions.
De-identification of Protected Health Information (PHI)
Should a covered entity wish to conduct studies using large data sets of medical data, the process of de-identification of data is necessary to ensure HIPAA Compliance while supporting the use of data for policy assessment, scientific research, and comparative effectiveness studies.
The HIPAA Privacy Rule, though strict, recognizes the immense benefit of using widespread health information for scientific inquiry and thus permits a covered entity or BA to use de-identified data for said purposes.
The HIPAA Privacy Rule dictates two de-identification methods to turn PHI into usable data that is no longer restricted or protected under HIPAA:
The “Expert Determination” Method
Under this method, a covered entity may determine that health information is not individually identifiable only if:
- A person with appropriate experience in accepted scientific and statistical principles for rendering information not individually identifiable, applying such principles, finds that the risk that the information could be used to identify an individual is very small.
- Said person justifies said determination by documenting the results of the analysis and methods used.
The “Safe Harbor” Method
This method states that the covered entity may consider the information de-identified if the 18 identifiers associated with PHI are fully removed from the desired information. This includes the information of relatives, household members, or employers of the individual.
In order to prevent data loss in the process of de-identification, the covered entity can implement re-identification methods to re-identify PHI for future use. The re-identification process entails assigning a code or other means of identification to information being de-identified, provided that:
- Derivation – The means of record identification or code used is not related to or derived from information on the individual and is therefore not able to be translated to identify the individual.
- Security – The covered entity does not disclose the methods or mechanisms used for re-identification for any purpose. Such re-identification methods are protected under the Privacy Rule; disclosing them counts as a disclosure of PHI and is therefore a violation of HIPAA regulations.
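Putting the Safe Harbor identifier rules and the two re-identification conditions together, here is an added Python example (not from the original post or from RSI Security) that strips direct identifiers, reduces dates to the year, applies the 20,000-person ZIP prefix rule, and assigns a random re-identification code that is kept in a separate mapping. The field names, the sample record and the ZIP prefix population table are constructed for illustration; a real determination uses current Census data.

```python
import secrets

# Constructed population table keyed by 3-digit ZIP prefix (NOT real Census data).
# Safe Harbor keeps a prefix only when the area sharing it has more than 20,000 people.
ZIP3_POPULATION = {"021": 650_000, "036": 12_000, "902": 300_000}
SAFE_HARBOR_THRESHOLD = 20_000

# Constructed field names standing in for some of the 18 identifiers listed above.
DIRECT_IDENTIFIERS = {"name", "phone", "email", "ssn", "mrn", "ip_address"}
DATE_FIELDS = {"birth_date", "admission_date"}

# Constructed sample record; no real patient data.
SAMPLE_RECORD = {"name": "Jane Q. Sample", "mrn": "MRN-0001", "zip": "02139",
                 "birth_date": "1980-05-17", "diagnosis": "J18.9"}

def safe_harbor_zip(zip_code):
    """Keep the 3-digit prefix only if its area exceeds 20,000 people, else '000'.
    An unknown prefix is treated conservatively and also becomes '000'."""
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > SAFE_HARBOR_THRESHOLD else "000"

def safe_harbor_date(iso_date):
    """Dates other than the year are identifiers: 'YYYY-MM-DD' -> 'YYYY'."""
    return iso_date[:4]

def deidentify(record, reid_map):
    """Return a Safe Harbor de-identified copy of record and register a re-identification code.
    The code is random, so it is not derived from any patient attribute ('Derivation'), and the
    code -> MRN mapping lives only in reid_map, which is kept apart from the de-identified data
    set and never disclosed ('Security')."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                  # dropped outright
        if field in DATE_FIELDS:
            out[field] = safe_harbor_date(value)
        elif field == "zip":
            out[field] = safe_harbor_zip(value)
        else:
            out[field] = value                        # clinical data is retained
    code = secrets.token_hex(8)                       # 16 hex chars, independent of the patient
    reid_map[code] = record["mrn"]
    out["record_code"] = code
    return out

def deidentify_sample():
    """Run the pipeline on SAMPLE_RECORD; returns (de-identified record, re-identification map)."""
    reid_map = {}
    return deidentify(SAMPLE_RECORD, reid_map), reid_map
```

The returned `reid_map` is itself PHI and must be stored and access-controlled separately from the de-identified data set.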
How to Treat Patient Protected Health Information
Under the HIPAA Security Rule, covered entities are expected to protect PHI against reasonably anticipated security threats and are therefore required to implement safeguards ensuring the integrity, confidentiality, and availability of PHI. HIPAA does not specify the technological, physical, and administrative methods for these safeguards; they are designed at the discretion of the covered entity.
- Physical Safeguards – Any electronic devices or physical records where PHI is stored are to be kept under lock and key.
- Technical Safeguards – Firewalls, VPNs, encryption software, or other digital protective measures are to be utilized to ensure reasonable protection of sensitive information.
- Administrative Safeguards – Establishing access controls that limit, monitor, and control who can view PHI, and which PHI, is necessary for administrative protection of PHI. Security awareness training is another good way to protect PHI.
How RSI Security Can Help
Achieving compliance with cybersecurity industry standards may seem difficult, but it doesn’t have to be. RSI Security offers a wide variety of compliance validation guidance services that can help your organization meet the highest standards of cybersecurity compliance so you can focus on achieving your business goals and doing what you do best.
If you are reading this blog, your business is probably in the healthcare industry, so you know that protecting personal health information is a top priority for keeping clients satisfied and staying far away from serious financial and legal repercussions.
RSI Security offers a few services that will help carry your company to the next level of company reputation and customer satisfaction through HIPAA compliance:
- Vulnerability Scanning
- Risk Analysis of Patient Data Environment
- Network Penetration Testing
- HIPAA Security Awareness and Training
- HIPAA Security Rule Compliance Advisement, Assessment, and Auditing
  - Covers administrative, physical, and technical safeguards
Although HIPAA compliance measures may seem intimidating, with the help of RSI Security compliance is not only possible but painless. The first step of HIPAA compliance is having a clear understanding of what protected health information is and how to manage it securely and privately, so that you are not in violation of the HIPAA Privacy and Security Rules.
Continue reading our expert blogs at RSI Security and be sure to check out our compliance advisory services. This will provide in-depth guidance on HIPAA compliance for patient protection and satisfaction.