What Is Considered PHI (Protected Health Information)?
When you walk into any hospital or private doctor’s office, you’re immediately bombarded by a list of questions. These range from personal questions about your lifestyle and medical history to private questions about your address, insurance, and other information you don’t want to be disclosed. You’d hope, being that there’s a notion of doctor-patient confidentiality, that all this information is handed over in confidence.
And it is. According to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), all this information constitutes protected health information (PHI). The release of vital patient details breaks HIPAA’s Privacy and Security Rules — thus inciting fees and penalties for the healthcare entity.
Some questions to consider when reading ahead: How was this system set up? What is protected health information? And how can healthcare organizations and their business associates offer their patients security and avoid penalties under HIPAA?
HIPAA Comes Into Being
HIPAA was signed into law in 1996 for two primary purposes.
- Americans were losing their healthcare coverage between jobs: In the 90s, the uninsured rate hovered around 15% for healthcare coverage. This means, oppositely, 85% enjoyed and relied upon their healthcare coverage (typically granted through work) for their daily medication and medical emergencies. Switching jobs meant putting your family’s health and bank account at risk.
- Patient private information was not secured: The second major goal was to enact a system of protecting the sensitive information that was stored within hospitals and patient records. These records had to be protected, and authorization methods had to be standardized to ensure fraudulent behavior wasn’t occurring. This is especially true as health records became digitized (more on electronic health records below).
With its goals properly in place, HIPAA designated everything from implementation to auditing bodies to penalties and enforcement. Each of which surrounded PHI. So, what is protected health information?
What is Considered Protected Health Information PHI
Painting broad strokes: protected health information consists of anything to do with your current health status, medical records, payment information, payment history, and any general information that you submit to your healthcare provider. All of this is considered sensitive information and holds value under both HIPAA’s Privacy and Security Rules (detailed below).
In minute detail, HIPAA identified 18 markers that should be treated as protected health information.
18 Identifiers of Protected Health Information (PHI)
If any of the following identifiers show up on a record, the information is considered protected under HIPAA. In order for healthcare organizations and their business associates to exchange health information — which is inevitable and necessary — they must remove these identifiers prior to transfer.
(The information contained below regards the patient AND the family members, relatives, household members, and employers of the patient.)
- Addresses that are considered “geographic subdivisions smaller than a state.” This covers street, city or county, precinct, ZIP, or any equivalent geographical marker or code. It does not cover the first 3 digits of the ZIP when:
- The combined population of all ZIP codes with the same initial 3 digits includes over 20,000 people. If the combined population of all ZIP codes includes less than 20,000 people, the first three digits must be changed to 000.
- Dates including birth date, death date, and admission and discharge date. The only part of the date that is not covered is the year.
- Dates as they refer to age: Ages over 89 and all dates (including the year) that would designate someone to be 90 or older are considered PHI. The exception is that elements of this information may be categorized as “age 90 or older,” to avoid giving away specifics.
- Phone number
- Vehicle information, including physical descriptors, serial numbers, license plates, etc.
- Fax number
- Device identifiers and serial numbers
- Email address
- Web URLs identifying patient and related members
- Social security number
- IP address
- Medical record number
- Biometric identification including fingerprints, voice identifiers (cadence or tone), signature, DNA
- Health plan beneficiary number
- Full-face photographs, videos, and any similar content
- Account number
- Other identifying numbers, characteristics, and codes.
- Exception: Codes that are not related to or derived from the patient or information about the patient and do not compromise the patient’s identity upon exchange of PHI. This extends to the process by which the code is related to the patient — this must not be disclosed.
- License number and certification number
These 18 identifiers are written into the Safe Harbor Method of de-identification, a process undertaken prior to the exchange of information between organizations.
De-Identification of PHI
The Health and Human Services (HHS) offers two processes of de-identification. Satisfying either of these two processes’ requirements allows for the transfer of health records.
- Expert Determination Method
- Safe Harbor Method
The Expert Determination Method
This method uses statistical analysis and generally accepted scientific principles to ensure the information provided will not identify the patient. There must be a “statistically insignificant” chance of recognizing the patient with one identifier or a combination of health identifiers. This requires experience with these principles and knowledge of the various markers above.
The HHS also requires healthcare organizations to document the procedures by which the analysis determined such a justification for information exchange.
Safe Harbor Method
As listed above, the Safe Harbor Method removes all 18 identifiers for both the patient and related members to the patient from any and all exchanged documents. The HHS also requires that the healthcare organization or business associates do not have the knowledge of how the information could be used to identify the patient.
Note: Following either of these methods properly actually makes the information exchanged not protected by the Privacy Rule of HIPAA. If there’s no personally identifying material, then it is no longer considered “PHI.”
Healthcare Organizations and Business Associates of a HIPAA-Covered Entity
You may have noticed this article keeps bringing up both the healthcare entity and its business associates. The reason is that HIPAA extends beyond the healthcare organization and protects the health information through the course of its exchange. This means, once the information is out of the hands of the healthcare organization, they are still liable for its protection.
For this reason, many healthcare organizations require their business associates to use the same security framework and organizational techniques to ensure proper security practices.
HITECH: HIPAA’s Partner in (Fighting) Crime
Before 2009, there wasn’t this same guarantee on PHI for the business associates of HIPAA-covered entities. HIPAA never extended mandates to non-HIPAA-covered entities; the policymakers were lenient and expected good faith in this practice. In fact, HIPAA was lenient on many facets of healthcare insurance and protected health information.
To restructure the policies and reinforce the necessity for protecting patient’s records, the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) was put into law.
HITECH, like HIPAA, had a few primary purposes:
- Adoption of electronic health records: Part of HIPAA related itself to the adoption of new computer technology and electronic health records. Remember that HIPAA was created in 1996, in the early years of the dot-com era and the meteoric rise of computer usage. By 2009, this digitization of health records needed to happen, or else US healthcare would fall behind other countries.
- Close the loopholes within HIPAA: The fact that business associates of HIPAA-covered entities weren’t held to the same standards was only one loophole of HIPAA. HITECH reinforced the language of HIPAA, making data breaches public and security protocols stringent.
- Toughen the penalties for noncompliance: As a final point to the bill, HITECH needed to enact stricter penalties for organizations that did not comply with HIPAA policies and appoint an entity (the Office of Civil Rights) to enforce those penalties. Before, the penalties for certain errors were light, and there was little incentive for healthcare organizations to change internal policies.
Rise of Electronic Health Records and ePHI
Perhaps the most impactful implication of HITECH was the surge of electronic health records after 2009. Prior to HITECH’s enactment, there was an estimated 10% of hospitals and healthcare organizations that had adopted EHRs.
To put this into perspective, the first iPhone was released in 2007. People had access to the internet in their pockets while 90% of hospitals were recording and filing all patient information and medical records by hand.
HITECH’s harsher penalties ensured healthcare organizations adopted EHRs, and within eight years (2017), between 86%-96% of all hospitals were now using them.
Tougher Penalties for HIPAA Violations
The reason HITECH had the impact that it did was because of how it reshaped the penalty and fine infrastructure of HIPAA. Before, healthcare organizations could claim that they were unaware of the sanction and be fined $100 per violation, up to $25,000 maximum. As anybody who has ever seen a medical bill knows, this price tag is less than a slap on the wrist; it’s a disappointed tsk tsk.
What’s worse is that business associates could claim this same negligence and avoid penalties altogether. On top of all this, the funding from the HHS to sue these organizations to recover the fines was limited, allowing many organizations to get away scot-free.
With HITECH came a budget of $25 billion to achieve its goals — more than enough to reshape the healthcare landscape and put in place real restrictions.
New Penalty System
The new HITECH penalty system works on a four-tiered system. Its penalties differ based on the organization’s willingness to change internal policies and whether or not the organization could have been aware of the sanctions — this was defined under “willful neglect.”
- Tier 1 – If the healthcare organization or business associate of a HIPAA-covered entity was unaware of the violated rule and wouldn’t have known about the violated rule with due diligence and exercises change within 30 days, the penalties include:
- $100 – $50,000 per violation
- $1.5M maximum accrued fees per year
- Tier 2 – If there is reasonable cause that the healthcare entity or associate could have known about the violated rule with due diligence, the penalties include:
- $1,000 – $50,000 per violation
- $1.5M maximum accrued fees per year
- Tier 3 – If the healthcare organization was aware of the violated rule and ignored it — constituting willful neglect — but corrects the mistake within 30 days, the penalties include:
- $10,000 – $50,000 per violation
- $1.5M maximum accrued fees per year
- Tier 4 – When there is willful neglect of the violated rule, and no effort is made to change internal policies, the penalties include:
- $50,000 per violation
- $1.5M maximum accrued fees per year
HIPAA Privacy Rule and Security Rule
Protected health information is the substance with which the HIPAA Privacy Rule and HIPAA Security Rule operate around. These rules, in a general view, provide organizations with guidelines for implementation and operations to follow.
- Security Rule – This rule sets in place administrative, physical, and technical safeguards that establish national standards for all healthcare organizations. This also comes with requirements for risk assessment and risk management of compromised health information.
- Privacy Rule – This rule outlines the proper use and disclosure of PHI and ePHI. It establishes the regulations around the protection of medical records and all 18 protected health information identifiers.
Breach Notification Rule
When a data breach occurs and patient health records are exposed to unknown entities, HITECH also imposes strict guidelines for healthcare organizations to follow. These are outlined in the HIPAA Breach Notification Rule and involve notifying the individuals affected and certain media outlets when the breach reaches a certain volume.
What Health Information is Not “Protected”
As a final note: Not all health information is PHI. For example, many applications and devices are now being marketed to measure certain biometrics — think wristbands that record heart rate or blood pressure. If the company is not a HIPAA-covered entity or a business associate of a HIPAA-covered entity, this information is not protected.
Instead, these companies place under the “Terms of Service” what they can and cannot use your personal data for.
Is Your Organization Protected?
To ensure that your security system is fully operational and protecting patient’s ePHI, you need to be HIPAA and HITECH compliant. If you want to avoid the hefty fees and penalties associated with the Privacy Rule, Security Rule, Enforcement Rule, and Breach Notification Rule, consider the experts at RSI Security.
United States Census Bureau. Health Insurance Coverage: 1995. https://www.census.gov/library/publications/1996/demo/p60-195.html
HHS. Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html#coveredentities
HIPAA Journal. What is the HITECH Act? https://www.hipaajournal.com/what-is-the-hitech-act/
HIPAA Journal. What are the Penalties for HIPAA Violations? https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/
HHS. The Security Rule. https://www.hhs.gov/hipaa/for-professionals/security/index.html
HHS. The HIPAA Privacy Rule. https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
HHS. HITECH Breach Notification Interim Final Rule. https://www.hhs.gov/hipaa/for-professionals/breach-notification/laws-regulations/final-rule-update/hitech/index.html