Protected Health Information: what is it, and why is it so important in this digital age? In the U.S., the law that regulates privacy standards in the healthcare industry is called HIPAA. HIPAA is the acronym for the Health Insurance Portability and Accountability Act, which was enacted in 1996.
With the advent of computer systems, it became clear that digital records would play a vital role in storing health data, and additional provisions were required to ensure the security of that data. Unless you have been living under a rock, you already know that compliance with HIPAA is all about ensuring the confidentiality, integrity, and availability of Protected Health Information, more commonly known as PHI. Most rules and instructions in HIPAA revolve around protecting PHI.
But what is PHI? Why is it important to understand PHI in order to achieve HIPAA compliance? Let’s find out.
What is Protected Health Information?
Any personal health information that can potentially identify an individual is Protected Health Information (PHI). The information may have been created, used, or disclosed in the course of providing healthcare services, such as diagnosis or treatment. PHI includes:
- Individual’s past, present, or future physical health or condition
- Healthcare services rendered to an individual
- Past, present, or future payment for the healthcare services rendered to an individual, along with any of the identifiers discussed below.
Simply put, personally identifiable information that appears in medical records or in conversations with doctors and nurses is PHI. It also includes billing information, as well as any information in a health insurance company’s records that can be used to identify an individual.
You will find PHI in a variety of documents, forms, and communications. For example, it can appear in prescriptions, doctor or clinic appointments, X-ray results, billing information, phone records, or any other record of communication, such as a telehealth session with your doctor or other healthcare personnel.
Health Records in Electronic Format: ePHI
The HIPAA Security Rule deals with electronic protected health information (ePHI). ePHI means that the health record exists in electronic form, such as a computer or digital file. The HIPAA Security Rule was the first to define ePHI, and it requires organizations to implement administrative, technical, and physical safeguards to secure electronic health records. ePHI can reside on hard drives, computers, and flash drives, be shared in emails, or take many other forms.
The key difference between the HIPAA Privacy Rule and the HIPAA Security Rule is that the Privacy Rule applies to all forms of PHI, whether they already exist or will ever exist in the future. The Security Rule, however, applies only to electronic protected health information (ePHI).
What is considered PHI?
Under HIPAA, there are 18 identifiers for PHI. Any record that contains one or more of these 18 identifiers is considered PHI. Removing the identifiers from a record is a process known as de-identification; once the identifiers are removed, the record is no longer considered PHI and is no longer subject to the restrictions of the HIPAA Privacy Rule. These 18 identifiers are:
- Full names, or last name and initial
- All geographic identifiers smaller than a state
- Dates related to the individual, such as birthdays or treatment dates
- Phone numbers, including area code
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Bank account numbers
- Certificate or license numbers, such as driver’s license numbers
- Vehicle identifiers, including VIN and license plate information
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) addresses
- Biometric identifiers, including fingerprints, voiceprints, iris patterns, etc.
- Full-face photographs and any comparable images that can identify an individual
- Any other unique identifying number, characteristic, or code
What is not considered to be PHI?
Information that is created or maintained for employment-related purposes, such as employee health records, is not PHI. Health data that cannot be used to identify an individual also does not qualify as PHI; examples include temperature scans, blood sugar readings, and heart rate monitor readings.
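To make the de-identification process and the "not PHI" distinction concrete, here is an added example (not from the original article) that scans a free-text record for the pattern-based Safe Harbor identifiers listed above, reports which were found, and redacts them. It follows the Safe Harbor rule that dates may keep their year; the regexes and the sample record are constructed for this example, and names and other free-text identifiers are deliberately out of scope.

```python
import re
from typing import Dict

# Pattern-based detectors for several of the 18 Safe Harbor identifiers.
# Order matters: specific patterns (URL, email, SSN, phone, IP, MRN) run
# before the generic 5-digit ZIP pattern so nothing is double-tagged.
# Names, addresses and other free-text identifiers need a dictionary or
# NER pass and are deliberately out of scope here.
IDENTIFIER_PATTERNS = [
    ("url", re.compile(r"https?://\S+")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"(?<!\d)(?:\(\d{3}\)|\d{3})[-. ]\d{3}[-.]\d{4}\b")),
    ("ip_address", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("mrn", re.compile(r"\bMRN[:# ]*\d{6,}\b")),
    ("date", re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")),
    ("zip", re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]


def scan(record: str) -> Dict[str, int]:
    """Report which identifier types a record contains and how many of each.
    An empty result means no pattern-based identifier was found."""
    counts = {name: len(pat.findall(record)) for name, pat in IDENTIFIER_PATTERNS}
    return {name: n for name, n in counts.items() if n}


def deidentify(record: str) -> str:
    """Redact identifiers. Dates keep only the year, which the Safe Harbor
    method permits (45 CFR 164.514(b)(2)); everything else becomes a tag."""
    for name, pat in IDENTIFIER_PATTERNS:
        if name == "date":
            record = pat.sub(lambda m: m.group(3), record)
        else:
            record = pat.sub(f"[{name.upper()}]", record)
    return record


# Constructed sample record (fictional values) for demonstration.
SAMPLE = (
    "Patient Jane Doe, DOB 03/14/1985, MRN 0048213, SSN 123-45-6789, "
    "phone (555) 123-4567, email jane.doe@example.com, ZIP 90210, "
    "seen 06/02/2021 via telehealth from 203.0.113.42; "
    "portal https://portal.example.org/p/77"
)

if __name__ == "__main__":
    print(scan(SAMPLE))
    print(deidentify(SAMPLE))
```

A record of bare vitals such as "temp 98.6F, HR 72" yields an empty scan result, matching the article's point that such readings alone are not PHI.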
Why is PHI so sought by criminals?
PHI is highly sought after by criminals. There have been many reports of healthcare data breaches in the past few years, and the numbers only keep rising. Cybercriminals have also ramped up their attacks with more sophisticated approaches. To deal with this problem, the HIPAA Safe Harbor bill was passed into law early this year to encourage healthcare providers to adopt stronger cybersecurity practices.
Breaches of PHI can be worse than financial fraud, and it can take months or even years before they are detected. Studies show that PHI records are worth over $250 each, whereas financial records are worth $5.40 per record. When financial data is stolen, it must be exploited quickly before it loses its value; for example, you can cancel your credit card as soon as you become aware of the theft.
PHI, on the other hand, has a much longer shelf life than financial records. With all the rich information available within PHI, thieves can commit various kinds of fraud, from medical identity theft to blackmail.
HIPAA and PHI
To protect PHI, you should have a good understanding of HIPAA. HIPAA aims to protect not only patients’ PHI but also healthcare providers, by guiding them to implement security safeguards and to develop comprehensive privacy policies and procedures. Employee training on how to handle PHI is also essential.
With a good understanding of the HIPAA law, compliance does not have to be stressful. Many progressive healthcare providers also make use of HIPAA compliance management applications to streamline their efforts. That said, you must always conduct due diligence before opting for such solutions.