A new technological era is upon us. Over the last 25 years, the meteoric rise of computers, smartphones, and other electronic devices has infused our world with a new sense of possibility. With it comes the need for stronger security measures and data protection. That goes double for the healthcare industry.
With the type of information stored away in electronic health records (EHRs), healthcare organizations have a responsibility to secure the sensitive information provided by their patients. And according to the Health Insurance Portability and Accountability Act (HIPAA), signed into law in 1996, they do. It’s called protected health information (PHI).
But what is protected health information? And how does it differ from consumer health information (CHI), another term thrown around the health-tech sector? For everything you need to know, read ahead.
Back to the Basics: Definitions
Before diving into the details of both PHI and CHI, let’s start by breaking each one down by definition.
- What is PHI? Protected health information is a term used within HIPAA to denote the personal information of patients that must be protected. By defining what constitutes PHI, it’s easier to create rules regarding its security, privacy, and exchange with other healthcare providers and business associates.
- What is CHI? Consumer health information is a term used in the health and technology sector. This is health-related data about the consumer provided by devices or applications on their smartphones. This information is not protected outside of a company’s terms and conditions unless it is sold to or given to a HIPAA-covered entity.
A key factor in deciding whether information counts as protected health information or consumer health information is whether a HIPAA-covered entity is involved. Thus, it’s best to define exactly what that entails before moving forward.
HIPAA-covered entities are health plans, healthcare clearinghouses, or healthcare providers that transmit information about a patient’s health or healthcare in a form for which the Department of Health and Human Services (HHS) has adopted standards.
This could include, but is not limited to:
- Private physicians
- Academic medical centers or teaching hospitals
- Healthcare providers
- Health insurance companies
- Government programs like Medicare or Medicaid
- Business associates of the above
What is Consumer Health Information?
It’s time to take a deeper dive into exactly what CHI is and what some examples are. Two common ways consumer health information can be seen in today’s landscape are through:
- Wearable devices and apps
- Genetic testing companies
Wearable Devices and Apps
Athletic wearables on the arm are as commonplace as headphones are in the ears. Start looking at people’s wrists, and you’ll notice these everywhere. Fitbits, Apple Watches, and other wearable devices are constantly computing health information from heart rate to glucose levels to blood pressure.
These values are tracked on an app where the consumer has access to days, weeks, or months of data on their health. This is consumer health information.
Unfortunately, the information available is not limited to just the consumer; the company that makes the product also has access to the CHI if stated in their “Terms of Service.”
Genetic Testing Companies
Another common form of consumer health information that has arisen in recent years is genetic information. Consumer genetic testing has gained popularity, with 2017 alone contributing over 12 million new tests. Again, the Terms of Service determine how this consumer health information is used and protected.
Terms of Service
At this point, a difference should be noted between PHI and CHI. While PHI has federal regulations about the distribution and use of personal data (through HIPAA’s Privacy and Security Rules noted below), CHI depends only on the specific company’s ToS.
- Pro Terms of Service – The consumer has the ability to see exactly how their private health data is being used — for better or worse.
- Con Terms of Service – Unfortunately, most people are numb to the extensive ToS that come with every new application and device. This means most ToS go unread, allowing companies to explicitly state that they have the right to share and sell your consumer health information.
This type of leniency doesn’t hold when it comes to government-protected data, as seen through PHI.
What is Protected Health Information?
Protected health information is more complex by nature because its definition is tangled in the healthcare system and healthcare laws. In essence, PHI consists of medical records, insurance information, and payment history. When looking at a medical record, for example, there are 18 different identifiers, any one of which makes the document protected health information.
The full list of identifiers is published by HHS in its HIPAA de-identification guidance (linked below).
Where HIPAA Comes In
PHI is the currency that makes HIPAA’s economy work. Protecting sensitive patient information is part and parcel of why HIPAA was enacted in the first place. In 1996, however, the technological challenges that healthcare organizations would face in the 2000s were not yet clear.
Since then, data security frameworks and information technologies have popped up to curb data breaches. To ensure that healthcare organizations were keeping up to date with advances in security protocol, another bill was signed into law in 2009: the Health Information Technology for Economic and Clinical Health Act (HITECH).
HITECH brought with it upgraded policies, stricter penalties, and legislative glue to seal open loopholes. It was a boost to HIPAA in four ways:
HIPAA Privacy Rule
The Privacy Rule defines what protected health information is and how it can be used and exchanged between healthcare organizations and business associates. What followed from this rule is the “Minimum Necessary Rule.” When exchanging information, the disclosing organization must release only the minimum necessary ePHI from the electronic health record for the intended purpose.
This means that when an insurer needs to make a judgment about an individual’s policy, it can’t request all the information on that patient (which could reveal reasons why that person is a high-risk policy).
The Privacy Rule is also what provides patients the legal right to access their electronic health records and to obtain an electronic copy.
HIPAA Security Rule
While the Privacy Rule and the Security Rule both bear on the disclosure of PHI, the Security Rule is what designates the boundaries and safeguards organizations must follow. To begin, the Security Rule is broken up into three categories of safeguards:
- Administrative safeguards
- Physical safeguards
- Technical safeguards
These work to restrict access to PHI from physical and cyber-attacks; ensure PHI is not destroyed or altered improperly; and track when and how PHI is accessed and by whom. Because technology is always changing, the idea behind these safeguards is to stay “technology-neutral” by focusing on the protection of PHI — instead of putting restrictions on specific devices that may go out of date.
For example: Cloud technology has benefited companies with large data needs (companies like hospitals and healthcare organizations). It also provides an entry point for possible data breaches. For the Security Rule to stay current, covered entities must ensure that any and all technology that houses PHI, in this case cloud storage, is protected, or face penalties. Thus, hospitals are free to adapt to the market, but they must ensure that they do it safely.
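The two points above, the Privacy Rule’s minimum-necessary disclosure and the Security Rule’s requirement to track who accessed PHI, when, and for what purpose, can be made concrete in code. The following is an added illustration, not code from RSI Security or from HHS: a disclosure gate that releases only the fields a stated purpose is allowed to see, rejects over-broad requests (the insurer-asks-for-everything case), and writes an audit entry either way. The purpose-to-field policy, the field names and the sample record are all constructed assumptions; a real covered entity’s privacy officer would define the policy.

```python
"""Minimum-necessary disclosure filter with an access audit trail.

Added illustration; not code from RSI Security or HHS. DISCLOSURE_POLICY is a
constructed assumption, not a HIPAA-defined list of fields.
"""
from __future__ import annotations

from datetime import datetime, timezone

# Constructed policy: which ePHI fields each disclosure purpose may receive.
DISCLOSURE_POLICY: dict[str, frozenset[str]] = {
    "claim_adjudication": frozenset(
        {"patient_id", "member_id", "procedure_codes", "date_of_service"}
    ),
    "treatment": frozenset(
        {"patient_id", "name", "date_of_birth", "diagnoses", "medications", "allergies"}
    ),
    "appointment_reminder": frozenset({"patient_id", "name", "phone"}),
}


class DisclosureError(ValueError):
    """Raised when a request asks for more than the minimum necessary."""


def review_request(requested: set[str], purpose: str) -> set[str]:
    """Return the requested fields the purpose is NOT entitled to.

    An empty set means the request is within policy. An unknown purpose is an
    error rather than a silent deny-all, so mis-typed purposes get noticed.
    """
    allowed = DISCLOSURE_POLICY.get(purpose)
    if allowed is None:
        raise DisclosureError(f"no disclosure policy for purpose {purpose!r}")
    return set(requested) - allowed


def disclose(
    record: dict,
    requested: set[str],
    purpose: str,
    requester: str,
    audit_log: list,
) -> dict:
    """Release only the requested, policy-permitted fields and record the access.

    Both outcomes (released / denied) are logged so the audit trail shows who
    asked for what, not only what was handed out.
    """
    entry = {
        "when": datetime.now(timezone.utc).isoformat(),
        "who": requester,
        "purpose": purpose,
        "patient_id": record.get("patient_id"),
    }
    excess = review_request(requested, purpose)
    if excess:
        entry.update(outcome="denied", excess=sorted(excess))
        audit_log.append(entry)
        raise DisclosureError(
            f"{requester} requested fields outside policy for {purpose!r}: {sorted(excess)}"
        )
    released = {k: v for k, v in record.items() if k in requested}
    entry.update(outcome="released", fields=sorted(released))
    audit_log.append(entry)
    return released


# Constructed sample record (fictional patient) used for the demonstration.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "date_of_birth": "1980-01-01",
    "member_id": "M-5555",
    "phone": "555-0100",
    "procedure_codes": ["99213"],
    "date_of_service": "2024-03-01",
    "diagnoses": ["J06.9"],
    "medications": ["amoxicillin"],
    "allergies": ["penicillin"],
}

if __name__ == "__main__":
    log: list = []
    ok = disclose(SAMPLE_RECORD, {"patient_id", "procedure_codes"}, "claim_adjudication", "insurer-x", log)
    print("released:", ok)
    try:
        disclose(SAMPLE_RECORD, {"patient_id", "diagnoses"}, "claim_adjudication", "insurer-x", log)
    except DisclosureError as e:
        print("denied:", e)
    for line in log:
        print(line)
```

The design choice worth noting is that the gate filters on the requester’s stated purpose rather than on their identity: the same insurer is allowed the procedure codes for adjudication but not the diagnoses, which is exactly the distinction the Minimum Necessary Rule draws.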
HIPAA Breach Notification Rule
In the case of a data breach, HIPAA also provides strict guidelines for healthcare organizations following the breach. Unauthorized access to PHI, whether by third parties, by malware or ransomware attacks, or by employees, constitutes a data breach.
- Notifying Affected Individuals – Whenever a patient’s PHI was accessed, used, disclosed, or acquired by an unauthorized party, the healthcare organization (or business associate) must notify the affected individual within 60 days. This can be done through first-class mail, or email if the individuals prefer electronic communication. The letter must explain what information was stolen or exposed and what the organization is doing to limit a repeat breach. It must also provide instructions on how to best protect the individual further.
- Notifying the HHS – When the number of individuals impacted is over 500, the HIPAA-covered entity must notify the Secretary of the Department of Health and Human Services within 60 days. When the number of individuals impacted is less than 500, they have until 60 days prior to the end of the calendar year.
- Notifying the Media – When the number of individuals impacted is over 500, the entity must also notify a prominent media source within the affected area. For example, if the hospital is located in Denver, Colorado — the report must be made to a Denver-specific or Colorado-specific news outlet. They cannot report to a Miami newspaper.
- Posting the Breach on the Website – If 10 or more affected individuals do not have up-to-date contact information in their current medical records, then the entity must provide notice of the breach on their website and have a link directed to the notice on their homepage.
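The four notification obligations above amount to a decision procedure driven by three inputs: the discovery date, the number of individuals affected, and how many of them cannot be reached at their recorded contact details. The following is an added example, not RSI Security’s code or an official HHS tool, that turns those obligations into an incident-response checklist with deadlines. It encodes the 500-individual threshold as “500 or more”, which is how the regulation (45 CFR 164.406 and 164.408) states it; for smaller breaches it records that HHS is notified on an annual basis rather than computing a date. The `Breach` fields and the media-market string are assumptions made for the example.

```python
"""Breach Notification Rule checklist generator.

Added example; not code from RSI Security or HHS. Thresholds follow the
regulation text; the Breach fields and media wording are constructed here.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# 45 CFR 164.406 (media) and 164.408 (HHS) apply to breaches of 500 or more.
HHS_MEDIA_THRESHOLD = 500
# Substitute notice on the website when 10 or more individuals cannot be reached.
SUBSTITUTE_NOTICE_THRESHOLD = 10
# Individual notices (and HHS notice for large breaches) within 60 days of discovery.
NOTIFICATION_WINDOW = timedelta(days=60)


@dataclass
class Breach:
    discovered: date          # date the covered entity discovered the breach
    affected: int             # number of individuals whose PHI was involved
    stale_contacts: int       # affected individuals with out-of-date contact info
    service_area: str         # assumption: region used to pick the media market


@dataclass
class NotificationPlan:
    individuals_by: date
    hhs_action: str
    hhs_by: Optional[date]
    media_action: Optional[str]
    website_notice: bool
    issues: list = field(default_factory=list)


def plan_notifications(b: Breach, today: date) -> NotificationPlan:
    """Derive the required notifications and their deadlines for one breach."""
    if b.stale_contacts > b.affected:
        raise ValueError("stale_contacts cannot exceed affected")
    deadline = b.discovered + NOTIFICATION_WINDOW
    plan = NotificationPlan(
        individuals_by=deadline,
        hhs_action="",
        hhs_by=None,
        media_action=None,
        website_notice=b.stale_contacts >= SUBSTITUTE_NOTICE_THRESHOLD,
    )
    if b.affected >= HHS_MEDIA_THRESHOLD:
        plan.hhs_action = "notify the HHS Secretary without unreasonable delay"
        plan.hhs_by = deadline
        plan.media_action = (
            f"notify a prominent media outlet serving {b.service_area}"
        )
    else:
        # Small breaches go on the annual log submitted to HHS, not a per-incident filing.
        plan.hhs_action = "record on the annual small-breach log submitted to HHS"
    if today > deadline:
        plan.issues.append(
            f"60-day individual notification window passed on {deadline.isoformat()}"
        )
    return plan


def checklist(plan: NotificationPlan) -> list:
    """Flatten a plan into ordered action items for the IR ticket."""
    items = [f"Notify affected individuals by {plan.individuals_by.isoformat()}"]
    items.append(
        plan.hhs_action + (f" by {plan.hhs_by.isoformat()}" if plan.hhs_by else "")
    )
    if plan.media_action:
        items.append(plan.media_action + f" by {plan.hhs_by.isoformat()}")
    if plan.website_notice:
        items.append("Post substitute notice on the website, linked from the homepage")
    items.extend(f"ISSUE: {i}" for i in plan.issues)
    return items


if __name__ == "__main__":
    # Constructed scenario: a hospital breach affecting 1,200 people, 15 unreachable.
    big = Breach(date(2024, 3, 1), affected=1200, stale_contacts=15, service_area="Denver, Colorado")
    for line in checklist(plan_notifications(big, today=date(2024, 3, 10))):
        print("-", line)
```

The `issues` list is there because the deadline clock starts at discovery, not at the end of the investigation; a plan generated late in the investigation should surface an already-missed window rather than silently printing a past date.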
The penalties of breaking the Breach Notification Rule (or the Privacy and Security Rules) are detailed and enforced by the HIPAA Enforcement Rule.
HIPAA Enforcement Rule
When HIPAA-covered entities and their business associates are noncompliant, the HIPAA Enforcement Rule is what determines the extent of the penalties accrued and who enforces them.
- Penalties – There are four penalty tiers associated with noncompliance. Each tier’s maximum penalty per year is $1.5 million.
- Tier 1: Fines between $100 and $50,000 per violation – When the healthcare organization or business associate was unaware of the HIPAA violation.
- Tier 2: Fines between $1,000 and $50,000 per violation – When the healthcare organization or business associate could have been aware of the HIPAA violation, but the instance was not considered willful neglect.*
- Tier 3: Fines between $10,000 and $50,000 per violation – When the healthcare organization or business associate willfully neglected the HIPAA requirement but put new internal policies in place within 30 days to correct the mistake.
- Tier 4: Fines of $50,000 per violation – When the healthcare organization or business associate willfully neglected the HIPAA requirement and did not put new policies in place.
- Enforcement – The Office for Civil Rights (OCR) is in charge of auditing entities and enforcing the regulations and penalties listed above. Before HITECH, the HHS struggled to punish organizations that failed to be HIPAA compliant. HITECH increased the budget to $25B, giving the OCR the resources it needed.
*Willful Neglect – Defined as when a healthcare entity knew about a given HIPAA regulation and ignored it; or when a healthcare entity should have known about a given HIPAA regulation with due diligence.
How Does HIPAA Affect Consumer Health Information?
In short, it doesn’t. Because consumer health information is, by definition, data that has not been shared with or given to a HIPAA-covered entity, the rules don’t apply to it. This comes with its benefits and downsides.
- Pro for businesses: Less red tape for tech companies – The fact is, startup companies already find themselves surrounded by restrictions and regulations that make it tough to compete with large, established companies. By separating consumer health information and protected health information, you allow companies to provide consumers with health information without the hassle of healthcare red tape.
- Con for consumers: Privacy isn’t protected – With companies like 23andMe, who now have access to and records of tens of millions of people’s genetic codes around the world, you’d hope that the privacy of the consumer is the top priority, but it’s not. In fact, many genetic testing companies fail baseline international transparency standards when it comes to consumer data privacy.
Privacy and Security: The Future of Healthcare Data
While consumer health information is only as protected as the “Terms of Service” allow, the same is not true for HIPAA-protected healthcare data. PHI is currently under heavy protection, although there are increasing threats. Each new technology and device that enters the healthcare space is another access point for hacking, phishing, and ransomware.
To keep their data secure, many organizations are turning to HITRUST CSF, a security framework that maps to HIPAA and HITECH requirements. By using a framework that acts as personal audit insurance and allows new regulations to be implemented seamlessly, HIPAA-covered entities don’t have to worry about the increased penalties and fines.
If you want to ensure your organization and patients’ PHI is secured, talk to the experts at RSI Security today!
NIH. To Whom Does the Privacy Rule Apply and Whom Will It Affect? https://privacyruleandresearch.nih.gov/pr_06.asp
MIT Technology Review. 2017 was the year consumer DNA testing blew up. https://www.technologyreview.com/s/610233/2017-was-the-year-consumer-dna-testing-blew-up/
HHS. Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html#coveredentities
Forbes. The Privacy Delusions Of Genetic Testing. https://www.forbes.com/sites/realspin/2017/02/15/the-privacy-delusions-of-genetic-testing/#33431b751bba