Understanding What is and Is Not PHI

As a healthcare provider, you know how unnerving it can be to see the rising number of data breaches targeting protected health information (PHI). It doesn't matter how big or small your practice is—cybercriminals are constantly on the prowl, and your patients' data is at risk.

Failing to protect PHI can result in hefty fines, reputation damage, and shattered trust. And let's not forget that accidentally mishandling patients' sensitive information could also happen internally due to an insufficient understanding of HIPAA regulations.

Keep reading for more information on the intricacies of PHI, what falls within its scope, and what doesn't.

Understanding PHI Under HIPAA

So, first things first, what exactly is Protected Health Information (PHI)? In a nutshell, it's any personal health information that can be used to identify a patient. This isn’t just your medical records. It can be a broad swath of information like billing details, insurance data, or even conversations about your care that happen among doctors. All these are considered PHI once they can be tied back to you as an individual. Under HIPAA, this information needs to be kept private and secure, ensuring your confidentiality and peace of mind.

Which of the Following Would be Considered PHI?

Now that we have a basic idea, let's dive a bit deeper into what counts as PHI. Under HIPAA, certain key identifiers can classify information as PHI. This includes things like:

  • Names
  • Identifying geographic information, including addresses or ZIP codes
  • Dates (except for the year) that relate to birth, death, admission, or discharge
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate numbers
  • Vehicle identifiers such as license plate numbers
  • Device identifiers and serial numbers
  • Web addresses (URLs)
  • IP addresses
  • Biometric data such as fingerprints or retina scans
  • Full-face images
  • Any other information that could potentially identify an individual

In essence, if data can directly or indirectly lead someone back to you while relating to your health, most likely, it falls under PHI.

Forms of PHI

Protected Health Information (PHI) can exist in various formats. These include:

Electronic

Electronic Protected Health Information (EPHI) refers to any PHI that is produced, saved, transferred, or received in an electronic form. It includes:

  • Electronic medical records (EMRs): EMRs are patient health information created by providers and include medical history, diagnoses, medications, immunization dates, allergies, lab test results, and doctor's notes.
  • Health information exchanges (HIEs): HIEs are systems that share health-related information electronically across different healthcare information networks. These may include patient registries, prescription information, or disease management system records.
  • Billing and coding information: Often found in electronic health record (EHR) software, this includes information used for insurance claims, such as diagnoses and CPT codes.

Paper

PHI can also be found in printed form, such as:

  • Physical medical charts: These paper documents contain a patient's medical history, lab results, handwritten notes, and forms and may be kept in a patient's individual file or stored in a health information management system.
  • Printouts of lab results or images: These include blood tests, urinalysis, pathology results, X-rays, CT scans, or any other printed diagnostic images and their interpretations.
  • Prescription notes: Prescription notes are paper documents handed down by doctors that contain specific medicines prescribed to patients.
  • Insurance-related paperwork: Paperwork used during medical billing or sent to insurance companies that may contain diagnoses, treatment plans, or billing codes.
  • Invoices or financial records: These may contain procedures done, patient names, dates of birth, ages, etc.

Verbal

PHI can also be represented verbally in conversations between healthcare professionals. For example:

  • Doctor-patient consultations: A normally private interaction where sensitive health information is discussed. Ideally, these conversations are held in a private place.
  • Team meetings or rounds: In multidisciplinary team meetings or rounds, where care is coordinated, the patient's case is usually detailed extensively.

In summary, PHI is not restricted to one format and can exist across multiple mediums. Each form necessitates its own considerations for privacy and security.

What is Not Considered PHI Under HIPAA

While PHI covers a wide range of information, it's also essential to understand what is not considered PHI under HIPAA. Certain pieces of information can escape this classification, including:

  • De-identified health data: If information is stripped of specific personal identifiers and cannot be linked back to an individual, it is no longer considered PHI.
  • Employment records: Health information contained in employee records, like sick leaves, disability, or worker's compensation, is usually not regarded as PHI under HIPAA.
  • Education records: Health records protected under the Family Educational Rights and Privacy Act (FERPA), such as immunization records at a school, are typically not PHI.

Examples of Non-PHI

To better illustrate the difference between PHI and non-PHI, let's consider a few examples:

  1. A dataset of hospital visits without any personal identifiers like names, addresses, or Social Security numbers is considered non-PHI.
  2. A vaccination record that a university maintains for its students comes under FERPA protection, so it's not considered PHI under HIPAA.
  3. Employment-related health information, like an employee's annual medical checkup report, would not fall under PHI since it's part of the employment record.

Cases of PHI Misinterpretations

Errors in identifying what PHI is can lead to data breaches and HIPAA violations. Let's look at a few real-world instances where misinterpretations about PHI led to dire consequences:

  1. A group of surgeons discussed a patient's surgery in a crowded cafe, making the patient's health information publicly available. This would be considered a HIPAA violation.
  2. A healthcare provider mistakenly believed that sharing medical records without names made the data HIPAA compliant, but the records still contained other personal identifiers (such as addresses). Upon realizing the mistake, the provider faced severe financial penalties for a HIPAA violation.

The Consequences of Misclassifying PHI

Failing to correctly identify and handle PHI can result in significant consequences for organizations and individuals:

  1. Financial penalties: HIPAA violations can lead to hefty fines, depending on the severity and duration of non-compliance.
  2. Legal ramifications: In extreme cases, individuals responsible for HIPAA violations may face criminal charges or imprisonment.
  3. Reputation damage: Violating HIPAA can harm an organization’s reputation and erode public trust.

PHI Compliance: Best Practices

To ensure PHI is appropriately managed, and HIPAA compliance is maintained, here are some tips and guidelines to follow:

  1. Conduct regular staff training (at least every two years) on HIPAA regulations and the proper handling of PHI.
  2. Implement strong security measures, including encryption and multi-factor authentication, to protect electronic PHI.
  3. Limit access to PHI by adopting the principle of "minimum necessary" access for employees.
  4. Ensure proper disposal methods for both physical and electronic PHI.
  5. Establish breach notification procedures and responses in case of a data breach involving PHI.

When is PHI Disclosure Required or Allowed?

Protected Health Information (PHI) can only be disclosed under specific circumstances based on the HIPAA Privacy Rule.

HIPAA mandates that PHI should be disclosed in the following situations:

  1. When a patient requests access to their PHI: Covered entities, such as healthcare providers or health insurance companies, are required to allow individuals to inspect and obtain a copy of their PHI. These requests must be in writing, and the entity generally must respond. The time frame can depend on the state.
  2. When the Department of Health and Human Services (HHS) conducts a review or a compliance investigation or undertakes enforcement action: The HHS is authorized to access PHI to verify compliance with the HIPAA Privacy Rule.

Additional situations when PHI can be disclosed include:

  1. For Health Care Operations: Healthcare providers can share PHI with other covered entities or contractors, also known as "business associates," for the purposes of carrying out healthcare operations. Activities such as clinical quality assessment and improvement programs, patient safety activities, business planning, and development are classified as healthcare operations.
  2. When required by law: Covered entities may disclose PHI when required by laws, regulations, court orders, or subpoenas.
  3. With patient consent: If individuals are given advance notice of the use and disclosure of their PHI and are provided the opportunity to object or agree. This could be for purposes not directly related to their care, such as for marketing activities.

It is important to note that all of these disclosures must still adhere to the "minimum necessary rule," which dictates that covered entities disclose only the minimum necessary information to achieve their purposes.

Any disclosure outside of these conditions would generally require the patient’s explicit approval.

How is PHI Stolen?

Cybercriminals employ a variety of methods to steal Protected Health Information (PHI). Their tactics have evolved over the years, becoming more sophisticated and harder to detect. The techniques frequently used by these criminals include:

Phishing Attacks

Phishing is one of the most common tactics that attackers use to obtain PHI. These attacks generally involve sending deceptive emails that appear to come from reputable sources. The emails often contain links or attachments. When clicked or opened, they may install malware or lead recipients to fake websites where they are tricked into entering sensitive information.

Ransomware

Another popular method used by cybercriminals is ransomware attacks. Ransomware is a type of malicious software that encrypts a victim's files. The attackers then demand a ransom from the victim, promising -- not always truthfully -- to restore access to the data upon payment. These attacks can directly steal PHI or disrupt systems and services that maintain the confidentiality, integrity, and availability of PHI.

Man-in-the-Middle Attacks (MitM)

In this type of attack, the hacker secretly intercepts and possibly alters the communication between two parties who believe they are directly communicating with each other. This allows the attacker to steal PHI data during transmission.

Exploiting System Vulnerabilities

If a healthcare system has unpatched vulnerabilities or weak points, hackers can exploit them to gain unauthorized access to PHI. System vulnerabilities could be outdated software, unprotected devices connected to the network, or poorly configured security settings.

Data Breaches

Data breaches occur when secure or confidential information is copied, transmitted, viewed, stolen, or used by an unauthorized individual. These can happen due to malicious attacks, human errors, or system glitches.

After PHI is stolen, it may be sold on the dark web or used to commit fraud, including identity theft, health insurance fraud, and financial fraud. When considering the various ways cybercriminals can access PHI, it's clear that healthcare providers must be vigilant in protecting this sensitive information.

What May Happen When PHI is Exposed?

Unauthorized exposure of Protected Health Information (PHI) can have severe and far-reaching consequences. The implications of such breaches are multilayered and can involve legal, financial, and reputational harm to both healthcare providers and patients.

Patient Implications

For patients, the exposure of PHI can lead to identity theft. Cybercriminals may use their health information, combined with other personal data, to create or take over online accounts, apply for credit, or file false insurance claims. Furthermore, sensitive health information exposure can lead to embarrassment or emotional distress, particularly if it involves stigmatized health conditions or treatments.

Healthcare Providers and Organizations

For healthcare providers, the exposure of PHI can attract significant legal and financial liabilities, as HIPAA non-compliance comes with stiff penalties. Fines for HIPAA violations can range from $100 to $50,000 per instance or patient record, with a maximum potential of $1.5 million per year for each violation. In extreme cases, criminal charges can be brought against individuals responsible for the breaches.

The breach notification costs are another significant financial implication associated with PHI exposure. Under HIPAA, affected organizations are required to send notifications to the breached individuals, post a notice to their website, send a media notice, and notify the Secretary of HHS. In significant breaches affecting more than 500 individuals, they will also be required to provide notice to prominent media outlets in the state or jurisdiction. All these actions entail cost and manpower.

Reputational damage is another serious consequence for healthcare organizations. If an organization gets labeled as one incapable of protecting patient data, it may lose current patients' trust and find it hard to attract new ones. This could ultimately lead to losses in revenue.

PHI exposures can also lead to increased scrutiny from the Office for Civil Rights (OCR), which oversees HIPAA compliance. Organizations may be subjected to a time-consuming and costly compliance review or formal investigation.

In summary, exposure of PHI can have catastrophic consequences for all involved parties. It underscores the importance of healthcare organizations implementing robust data protection strategies and being vigilant in their compliance with HIPAA regulations.

Conclusion

Developing a solid understanding of Protected Health Information and its role under HIPAA is crucial for maintaining patient privacy and trust. By familiarizing yourself with the various aspects of PHI, potential misinterpretations can be avoided, and compliance can be ensured. As healthcare and technology evolve, staying aware and informed about PHI and HIPAA remains an essential responsibility for both healthcare providers and individuals alike.

HIPAA regulations may seem daunting, and the consequences of non-compliance can be catastrophic for healthcare providers. No matter how established your practice is, a single breach of patients' sensitive information can bring ruinous consequences.

With cyber-attacks and data breaches on the rise, you can't afford to have a patchy understanding of the ins and outs of HIPAA. Ignorance isn't bliss in this case— gaps in knowledge could inadvertently expose your practice to risks that could have been easily prevented.

Prevent any chance of HIPAA violations by signing up for a comprehensive HIPAA training program right away. Empower your team with the knowledge and confidence needed to effectively manage PHI, ensuring the safety and security of your patients' sensitive information. Act today and secure your practice's future!

For 2022 Rules for Healthcare Workers, please click here.

For 2022 Rules for Business Associates, please click here.