What is Protected Health Information (PHI)?
The Health Insurance Portability and Accountability Act (HIPAA) is a 1996 federal law that sets privacy and security standards for the healthcare sector. In the early 1990s, it became clear that computers and digital records would play a large role in storing health data and that something should be done to protect sensitive information. Since 1996, Congress has passed additional laws to adapt HIPAA to new technology. Today, the law serves the same purpose: to safeguard Protected Health Information in order to protect individuals' privacy.1
Most HIPAA rules and regulations revolve around protecting PHI. Therefore, understanding how to handle PHI is essential for achieving HIPAA compliance.
First, you need to know what PHI is. HIPAA defines Protected Health Information as individually identifiable health information: information about a person's health, the care they received, or payment for that care, combined with an identifier that links it to a particular individual (or that could reasonably be used to do so).
Identifiers include, but are not limited to:
- Date of birth
- Social security number
- Email address
- Phone number
Consider other data elements that could be an identifier (and therefore Protected Health Information) which are often overlooked:
- MAC address of the network card on a device
- IP address of a device
- Driver’s license number
- Biometric data (fingerprints, retina scans, etc.)
- Medical record numbers
- Medical device serial numbers
- Health plan account numbers
- Dates of visits, admission, discharge, and treatment
- Diagnostic codes (health information in their own right; any record that pairs one with an identifier above is PHI)
If the data can be used to identify a patient, it should be considered a possible identifier and treated as Protected Health Information.
Protected Health Information includes information that is not current. For example, a hacker could use an old phone number or address to identify an individual. Put simply, Protected Health Information exists at the intersection between any kind of identifier and a piece of health information.
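The "intersection" rule above is exactly what a data-loss-prevention check implements: flag a record as PHI only when an identifier and a piece of health information occur together. The following Python is an added example written for this page, not part of the original article or any HIPAA guidance. The regexes, field names and sample records are constructed assumptions: they cover only the identifier types listed above (SSN, email, phone, IP and MAC address, dates, medical record numbers) and treat a field as health information when its name is in a small allow-list or its value looks like an ICD-10 code. Names and addresses, which also identify people, are deliberately out of scope because they need entity recognition rather than a pattern.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Identifier detectors for the types listed on this page. Constructed for
# this example; a real DLP rule set is broader and tuned against false
# positives (names, street addresses and free-text dates are not covered).
IDENTIFIER_PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\b\d{3}[ .-]\d{3}[ .-]\d{4}\b"),      # simplified US format
    "ipv4":  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mac":   re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"),
    "date":  re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4})\b"),
    "mrn":   re.compile(r"\bMRN[-:\s]*\d{6,}\b", re.IGNORECASE),
}

# Field names that hold health information (assumed schema), plus a check for
# ICD-10-style diagnostic codes such as "E11.9" in any value.
HEALTH_FIELD_NAMES = {"diagnosis", "icd10", "procedure", "medication", "lab_result", "treatment"}
ICD10_PATTERN = re.compile(r"[A-Z]\d{2}(?:\.[0-9A-Z]{1,4})?")


@dataclass
class Classification:
    is_phi: bool
    identifiers: dict[str, list[str]]   # identifier type -> matched strings
    health_fields: list[str]            # field names holding health information


def find_identifiers(text: str) -> dict[str, list[str]]:
    """Return every identifier match in a string, grouped by type."""
    hits: dict[str, list[str]] = {}
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[kind] = found
    return hits


def is_health_field(name: str, value: str) -> bool:
    return name.lower() in HEALTH_FIELD_NAMES or ICD10_PATTERN.fullmatch(value.strip()) is not None


def classify_record(record: dict) -> Classification:
    """PHI = at least one identifier AND at least one piece of health information.

    An identifier that is no longer current (an old phone number) still counts,
    because it is scanned like any other value.
    """
    identifiers: dict[str, list[str]] = {}
    health_fields: list[str] = []
    for name, raw in record.items():
        value = str(raw)
        for kind, found in find_identifiers(value).items():
            identifiers.setdefault(kind, []).extend(found)
        if is_health_field(name, value):
            health_fields.append(name)
    return Classification(bool(identifiers) and bool(health_fields), identifiers, health_fields)


def redact_record(record: dict) -> dict:
    """Replace every detected identifier with a typed placeholder.

    This removes only what the patterns above can see; it is an illustration of
    the intersection rule, not a HIPAA de-identification method.
    """
    out = {}
    for name, raw in record.items():
        value = str(raw)
        for kind, pattern in IDENTIFIER_PATTERNS.items():
            value = pattern.sub(f"[REDACTED-{kind.upper()}]", value)
        out[name] = value
    return out


# Constructed sample records (no real people, devices or addresses).
CLINIC_VISIT = {            # identifiers + diagnosis -> PHI, even though the phone is old
    "mrn": "MRN-00418277",
    "dob": "1985-04-12",
    "email": "j.doe@example.com",
    "previous_phone": "555-867-5309",
    "diagnosis": "E11.9",
    "visit_date": "2023-11-02",
}
WORKSTATION = {             # identifiers but no health information -> not PHI
    "host": "ws-42",
    "ip": "10.0.3.17",
    "mac": "00:1A:2B:3C:4D:5E",
    "owner_email": "it-admin@example.com",
}
AGGREGATE = {"diagnosis": "E11.9", "patients": 42, "year": 2023}   # health info, no identifier -> not PHI

if __name__ == "__main__":
    for label, rec in (("clinic visit", CLINIC_VISIT), ("workstation", WORKSTATION), ("aggregate", AGGREGATE)):
        print(label, classify_record(rec))
    print("redacted:", redact_record(CLINIC_VISIT))
```

Running the module prints the classification of each sample record and the redacted clinic record. Note the two "not PHI" cases: the workstation inventory line is full of identifiers but carries no health information, and the aggregate count carries a diagnosis but nothing that points at a person. The same record becomes PHI the moment the two are joined, which is why a practitioner usually applies this kind of check at the point where data sets are merged or exported, not only at rest.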
How Might I Come Into Contact with Protected Health Information?
Protected Health Information exists in multiple forms: electronic (ePHI), verbal, and written. The same standards of privacy apply to all types. Your job may require you to know and use someone’s PHI so they can pay for medical expenses or receive treatment. Everyone who interacts with PHI must understand how to protect it. Even the smallest slip-ups have the potential to cause a data breach.
When working with Protected Health Information, you should always observe the minimum necessary standard: access, use and share only the minimum amount of PHI required to complete your task. In practice that means keeping the information you see to yourself; do not discuss it with anyone, including co-workers, who does not need it to do their job.
The following members of your company are likely to see PHI: HR representatives, IT staff, health plan administrators, accounts payable, and company owners/executives. They must all use caution when handling this sensitive information.
If you see Protected Health Information exposed in your office, alert your Privacy Officer or Security Officer immediately.
Who is Protected by HIPAA?
HIPAA protects the health information of every individual whose PHI is held by a Covered Entity or Business Associate. Compromising anyone's Protected Health Information is never acceptable or legal. All patients, employees, clients and others whose PHI is in your care have a right to have their personal health information kept private.
Who Needs to Comply with HIPAA?
All Covered Entities must be HIPAA compliant. Covered Entities are health plans (including employer-sponsored group health plans), health care clearinghouses, and health care providers (medical, dental, vision and others) that transmit health information electronically in connection with standard transactions.
HIPAA also applies to their Business Associates and Business Associate Subcontractors. All of these entities must conduct a Risk Assessment, train employees, and create Security and Privacy Policies and Procedures.
Vendors and third-party companies who work for Covered Entities often come into contact with Protected Health Information. For example, accountants, attorneys, document shredding vendors, and IT vendors all qualify as Business Associates or Business Associate Subcontractors. They too must go through the process of becoming HIPAA compliant and securing Protected Health Information.
Therefore, if you work with any third party companies or vendors, you must have a signed Business Associate or Business Associate Subcontractor Agreement.
If a Business Associate or one of their Subcontractors compromises protected information and you do not have a signed agreement, you can be held liable for their mistake. Some companies sign a BAA without completing the HIPAA compliance process or ensuring that the other party has also done their due diligence. This can be a legal mess for both the Covered Entity and the Business Associate if there is a breach.
What are the Penalties for Violating HIPAA?
HIPAA violations occur when Covered Entities intentionally or unintentionally expose Protected Health Information, even if it occurs indirectly through a Business Associate or Business Associate Subcontractor.
There are consequences for employees and employers who violate the HIPAA law. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) can impose civil money penalties on organizations, tiered by level of culpability and ranging from $100 to $50,000 per violation, with an annual cap per provision (amounts are adjusted for inflation). Knowing violations by individuals are criminal offenses carrying up to $50,000 and one year in prison; up to $100,000 and five years if committed under false pretenses; and up to $250,000 and ten years if committed with intent to sell or use the information for commercial advantage, personal gain, or malicious harm.
Additionally, HIPAA requires all businesses that touch PHI to adopt sanction policies. According to the level of the violation, sanctions include letters of reprimand, suspension without pay, and/or dismissal from the workforce.
Good Habits for Keeping Protected Health Information Safe
When it comes to handling Protected Health Information, you can never be too careful. Adopt a clean desk policy to keep your workstation secure.²
Never leave your computer unlocked while you are away from your desk and store files in a secure place whenever you are not using them. Store physical documents containing sensitive information/PHI in a locked filing cabinet.
Obey your company’s policies and procedures, regardless of the amount of effort they require. These are in place to prevent data breaches, and they are only effective if everyone follows the rules. So, it is essential that you familiarize yourself with these procedures.
In conclusion, ignoring HIPAA rules about properly handling Protected Health Information puts you at risk for hefty fines, potential lawsuits, and bad publicity. Above all, your reputation depends on how well you serve those whose information you are meant to protect.