Protected Health Information (PHI): Everything You Need to Know about HIPAA and PHI
March 18, 2019
What is Protected Health Information (PHI)?
The Health Insurance Portability and Accountability Act (HIPAA) is a 1996 federal law that, among other things, sets privacy and security standards for health information. In the early 1990s it was already clear that computers and digital records would play a large role in storing health data, and that something had to be done to protect sensitive information as technology changed the medical field. Since 1996, Congress (most notably through the HITECH Act of 2009) and the Department of Health and Human Services (HHS), through its Privacy, Security and Breach Notification Rules, have extended HIPAA to keep pace with new technology. Today the law serves largely the same purpose: to safeguard Protected Health Information (PHI) and, through it, the individuals it describes.
Most HIPAA rules and regulations revolve around protecting PHI. Therefore, understanding how to handle PHI is essential for achieving HIPAA compliance.
First, you need to know what PHI is. HIPAA defines Protected Health Information (PHI) as individually identifiable health information held or transmitted by a covered entity or business associate, in any form: information that relates to a person's past, present or future physical or mental health, the care they received, or payment for that care, and that either identifies the individual or could reasonably be used to identify them.
Identifiers include, but are not limited to:
- Date of birth
- Social security number
- Email address
- Phone number
Also consider data elements that are often overlooked but can serve as an identifier (and therefore, when tied to health information, make a record PHI):
- MAC address of the network card on a device
- IP address of a device
- Driver's license number
- Biometric data (fingerprints, retina scans, etc.)
- Medical record numbers
- Medical device serial numbers
- Health plan account numbers
- Dates of visits, admission, discharge, and treatment
- Diagnostic codes
If the data can be used to identify a patient, it should be considered as a possible identifier and treated as Protected Health Information (PHI).
Protected Health Information (PHI) includes information that is no longer current: an attacker can still use an old phone number or address to identify an individual. In its simplest form, PHI is the intersection of an identifier and health information.
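The "identifier plus health information" rule above is easy to state and easy to get wrong in practice, because the identifier is often something unglamorous such as an IP address or a device MAC sitting in an application log. The following scanner is an added example written for this article, not code from the original page or from any HIPAA tooling: it applies the rule to free-text records. The regular expressions are my own simplified stand-ins for a handful of the identifier types listed above, the ICD-10-style diagnosis code pattern (for example `E11.9`) is assumed to mark "health information", and the sample log lines are constructed. A production DLP rule set would cover the full HIPAA Safe Harbor identifier list and use context-aware detection.

```python
"""
Added example (not from the original article): classify free-text records
using the article's rule, PHI = identifier AND health information.

Assumptions (mine, not HIPAA's text): the patterns below are simplified
versions of a few identifier formats, and an ICD-10-style diagnosis code
stands in for "health information".
"""
import re
from typing import Dict, List, Tuple

# Identifier detectors (simplified formats, chosen for illustration).
# Only dates explicitly tied to the patient (a DOB field) are detected here;
# the timestamp at the start of a log line is deliberately left alone. Whether
# visit/admission dates in your own logs count is a policy decision you must make.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"(?<!\d)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mac": re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
    "dob": re.compile(r"\bDOB[:= ]?\d{4}-\d{2}-\d{2}\b", re.IGNORECASE),
    "mrn": re.compile(r"\bMRN[:=# ]?\d{6,}\b", re.IGNORECASE),
}

# Health-information detector: an ICD-10-style code such as E11.9, J45.20 or F41.1.
HEALTH_INFO_PATTERN = re.compile(r"\b[A-TV-Z]\d{2}(?:\.\d{1,4})?\b")

# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    # Classic ePHI: medical record number next to a diagnosis code.
    "2019-03-18 09:12:01 portal: MRN 0045678 viewed chart, dx E11.9",
    # An often-overlooked identifier: a client IP next to a diagnosis is still PHI.
    "2019-03-18 09:15:44 api: client 10.20.30.40 requested results for dx J45.20",
    # Identifiers without health information: PII, but not PHI.
    "2019-03-18 09:20:05 auth: login ok for jane.doe@example.com from 10.20.30.41",
    # Health information with no identifier (aggregate count): not PHI by itself.
    "2019-03-18 09:30:00 report: 37 encounters coded J45.20 this week",
    # Nothing sensitive.
    "2019-03-18 09:31:00 sched: nightly backup job finished",
    # Device MAC plus date of birth plus diagnosis: PHI.
    "2019-03-18 09:40:12 intake: patient DOB 1980-07-04, MAC 00:1A:2B:3C:4D:5E, dx F41.1",
]


def find_identifiers(text: str) -> Dict[str, List[str]]:
    """Return every identifier type found in text, mapped to the matched values."""
    found: Dict[str, List[str]] = {}
    for name, pattern in IDENTIFIER_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[name] = hits
    return found


def find_health_info(text: str) -> List[str]:
    """Return the diagnosis-code matches that stand in for health information."""
    return HEALTH_INFO_PATTERN.findall(text)


def classify(text: str) -> str:
    """
    PHI          identifier(s) AND health information (the article's rule)
    PII          identifier(s) only
    HEALTH_ONLY  health information with no identifier
    NONE         nothing sensitive detected
    """
    ids = find_identifiers(text)
    health = find_health_info(text)
    if ids and health:
        return "PHI"
    if ids:
        return "PII"
    if health:
        return "HEALTH_ONLY"
    return "NONE"


def redact(text: str) -> str:
    """Replace each identifier with a placeholder so the line is no longer PHI."""
    out = text
    for name, pattern in IDENTIFIER_PATTERNS.items():
        out = pattern.sub(f"[{name.upper()}]", out)
    return out


def scan(records: List[str]) -> List[Tuple[str, str]]:
    """Classify each record and pair the label with a redacted copy."""
    return [(classify(r), redact(r)) for r in records]


if __name__ == "__main__":
    for label, redacted in scan(SAMPLE_RECORDS):
        print(f"{label:12} {redacted}")
```

Two things worth noticing when running it: the second record is classified as PHI even though the only identifier is an IP address, which is exactly the case the list above warns about, and the fourth record is not PHI because a diagnosis count with nobody attached to it fails the "identifier" half of the rule. Redaction only removes the identifier half, so a redacted line drops from PHI to HEALTH_ONLY and can be shipped to a log aggregator with less risk.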
How Might I Come Into Contact with Protected Health Information (PHI)?
Protected Health Information (PHI) exists in multiple forms: electronic (ePHI), verbal, and written. The HIPAA Privacy Rule applies to all three; the Security Rule's administrative, physical and technical safeguards apply specifically to ePHI. Your job may require you to know and use someone's PHI so they can pay for medical expenses or receive treatment. Everyone who interacts with PHI must understand how to protect it, because even small slip-ups can cause a data breach.
When working with Protected Health Information (PHI), always observe the minimum necessary standard: access, use and disclose only the minimum amount of PHI required to complete your task. A corollary is that what you see stays with you: do not discuss it with anyone, including co-workers, who does not need it for their own job.
The following members of your company are likely to see PHI: HR representatives, IT staff, health plan administrators, accounts payable, and company owners/executives. They must all use caution when handling this sensitive information.
If you see Protected Health Information (PHI) exposed in your office, alert your privacy officer or security officer.
Who is Protected by HIPAA?
HIPAA is a federal law, and its protections extend to every individual whose health information is held by a covered entity or business associate, whether that person is a patient of a provider or an employee enrolled in an employer's group health plan. Compromising anyone's Protected Health Information (PHI) is never acceptable or legal; all of these individuals have a right to have their health information kept private.
Who Needs to Comply with HIPAA?
All covered entities must be HIPAA compliant. Covered entities are health plans (including employer-sponsored group health plans), health care clearinghouses, and health care providers, such as medical, dental and vision practices, that transmit health information electronically.
HIPAA also applies to their Business Associates and Business Associate Subcontractors, who must go through the same process of becoming HIPAA compliant and securing Protected Health Information.
This includes conducting a risk analysis, training employees, and writing custom Security and Privacy Policies and Procedures. Vendors and third-party companies who work for Covered Entities often come into contact with Protected Health Information (PHI). For example, accountants, attorneys, document shredding vendors, and IT vendors all qualify as Business Associates or Business Associate Subcontractors.
Therefore, if you share PHI with any third-party company or vendor, you must have a signed Business Associate or Business Associate Subcontractor Agreement (BAA) with them.
If a business associate or one of their subcontractors compromises protected information and you do not have a signed agreement, the missing agreement is itself a violation on your side, and you can be held liable. Some companies sign a BAA without actually completing the HIPAA compliance process. This becomes a legal mess for both the Covered Entity and the Business Associate if there is a breach.
What are the Penalties for Violating HIPAA?
HIPAA violations occur when Covered Entities or Business Associates intentionally or unintentionally expose Protected Health Information.
There are consequences for both employees and employers who violate HIPAA. The HHS Office for Civil Rights (OCR) enforces civil penalties, which in 2019 ranged from $100 to $50,000 per violation, with an annual cap per provision; criminal violations are prosecuted by the Department of Justice and carry fines of up to $250,000 and up to ten years' imprisonment for the most serious cases, such as obtaining PHI for commercial advantage.
Additionally, HIPAA requires covered entities and business associates to adopt sanction policies for workforce members who fail to comply. According to the level of the violation, sanctions include letters of reprimand, suspension without pay, and/or dismissal from the workforce.
Good Habits for Keeping Protected Health Information (PHI) Safe
When it comes to handling Protected Health Information (PHI), you can never be too careful. Adopt a clean desk policy to keep your workstation secure.
Never leave your computer unlocked while you are away from your desk and store files in a secure place whenever you are not using them. Store files containing sensitive information/PHI in a locked filing cabinet.
Obey your company’s policies and procedures, even if it requires putting in a little more effort. These are in place to prevent data breaches, and they are only effective if everyone follows the rules. So, familiarize yourself with these procedures.
In conclusion, ignoring HIPAA rules about properly handling Protected Health Information (PHI) puts you at risk for hefty fines, potential lawsuits, and bad publicity. Above all, your reputation depends on how well you serve your clients.