Understanding What is and Is Not PHI
Between 2010 and 2015, criminal data attacks on the healthcare industry rose by 125%. Protected Health Information (PHI) now fetches between 20 and 40 times more than financial information on the black market (1). Does that come as a surprise? Protected health information is a lucrative business on the dark web, and that should make us more than a little anxious about how we manage our patients’ data. Ask yourself, “Do my team and I correctly understand what constitutes PHI and what my responsibilities are?” It is worth taking a few minutes to confirm that you know, and comply with, the government requirements on PHI under HIPAA.
What Is PHI Under HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was originally concerned with keeping health insurance coverage in place for workers who change or lose their jobs. The rules issued under it have since expanded, granting patients a right of access to their own records and regulating how covered organizations store and share that information. Technological advances such as the smartphone have driven further amendments as more personal information became available in electronic form. The amended HIPAA rules pair sensible privacy regulations with security requirements for PHI.
Specific PHI Identifiers
Broadly speaking, PHI is health or medical data linked to an individual. This information must have been created or received during a healthcare process by a covered entity. The US Department of Health and Human Services lists 18 identifiers which, when linked to health information, make it PHI. They are (2):
- Names
- Geographic subdivisions smaller than a state, including street addresses, cities, counties, and ZIP codes
- Dates (other than the year) directly related to an individual, such as birth, death, admission, or discharge dates, and all ages over 89
- Telephone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web addresses (URLs)
- IP addresses
- Biometric identifiers such as fingerprints or retina scans
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
Interestingly, protected health information does not only include patient history or a patient’s current medical situation. It also comprises future health information such as treatment or rehabilitation plans, future psychological health provisions, and prognoses (2). It is easy to see how this information in the wrong hands could damage a person’s family, career, or financial standing, so the protection afforded under HIPAA applies equally to an individual’s past, present, and future medical affairs.
What Format Does PHI Take?
The term ‘data theft’ immediately takes us to the digital realms of cybercrime. While online data breaches are certainly the preferred collection method for data thieves, PHI itself can take many forms. As a rule of thumb, any information relating to a person’s health becomes PHI as soon as the individual can be identified. This means that electronic records, written records, lab results, x-rays, and bills make up PHI. A verbal conversation that includes any identifying information is also considered PHI.
What is ePHI?
Is there a difference between ePHI and PHI? ePHI refers specifically to PHI in electronic format. The HIPAA Security Rule governs how this data is stored, maintained, and transmitted. Thus, ePHI includes data within emails, stored in the cloud, on a physical server, or in an electronic database (1,2). Digital media can take many forms, however, so external hard drives, DVDs, smartphones, PDAs, USB drives, and magnetic strips all belong on this list. It is wise to offer frequent cyber-security courses so that staff understand how cybercriminals can reach our valuable data. We should maintain a safe online environment to resist phishing and ransomware, and ensure that passwords are strong and unique and are changed promptly whenever compromise is suspected.
What Is Not Considered PHI?
Not all health information is protected health information. The list of identifiers included in PHI is comprehensive, but not all patient data falls under this banner. It’s worth noting that it depends largely on who accesses the health information as to whether it is PHI. HIPAA regulations apply to Covered Entities (CE) and their Business Associates (BA). Should personal health information become available to them, it becomes PHI. The same information when handled by an organization that is neither a CE nor a BA is not considered PHI (1,2).
As technology progresses and the healthcare industry benefits from big data, other pieces of information are frequently collected and used, for example, in health statistics. Mobile health tracking apps on smartphones or wearable devices can collect enormous amounts of data on an individual, including blood pressure, heart rate, or activity levels. If this information is collected or stored by the manufacturer of the product or the developer of the app, it does not constitute PHI (3). If a healthcare organization collects the same data, however, it becomes PHI and falls within the privacy protection of HIPAA.
Employee records held by an organization in its role as an employer do not fall within PHI under HIPAA. Even a hospital or clinic that holds information such as the blood types of its own staff keeps that data outside protected health information (4).
Likewise, personal health information recorded in employment files, such as a staff member’s allergies or disabilities, is maintained but does not constitute PHI (4).
Outside of Healthcare
Personal identifiers linked to health information are not considered PHI if it was not shared with a covered entity or a business associate (4).
Within a medical practice, would the name and telephone number of a potential patient who calls in for an appointment be considered PHI? No, because no medical information is yet associated with this person. This changes once the individual becomes a patient and medical information on them is collected. As soon as that data is linked to their name and telephone number, the information becomes PHI (2). Simply put, if a person or organization stores, accesses, or transmits identifying information linked to health information on behalf of a covered entity or business associate, they are dealing with PHI and will need to be HIPAA compliant (2).
Who Is Subject to PHI Regulations Under HIPAA?
When discussing PHI within healthcare, we need to define two key elements. What is the difference between covered entities and business associates? This information will help us to understand the roles and responsibilities therein.
Persons or organizations that provide medical treatment, process healthcare payments, or carry out healthcare operations fall under the umbrella of covered entities. This would include (2):
- Healthcare providers
- Health insurance companies
- Healthcare clearinghouses
- Medical Aid organizations
- Nursing homes
Healthcare programs overseen by the government also belong on this list, as do agencies that offer home care.
Strictly speaking, business associates are not necessarily involved directly in the healthcare industry. They do, however, have access to protected health information during the course of their business. By way of example, business associates would include (2):
- Vendors that store, transmit, or document PHI electronically or otherwise.
- Developers that create apps or software which accesses PHI.
- Any person or organization that provides a product or service to a covered entity and involves access to PHI.
Covered entities should have well-drafted Business Associate Agreements in place, which serve to keep both parties safe and on the right side of the law.
It falls to both covered entities and business associates to take every precaution in maintaining the security and integrity of the PHI in their care. With so many methods of transmission, it is no wonder that the HIPAA Security Rule requires administrative, physical, and technical safeguards. To remain compliant, you need to implement and maintain those safeguards for the administration as well as the physical and digital protection of patient data. Whatever your business, an investment in security is never a wasted resource, so pay careful attention to solutions that prevent data loss and encrypt PHI at rest and in transit. Consider, too, the many remote workers in today’s economy: our team may well access PHI from personal devices. If so, it is a smart move to explore software that allows secure and monitored access to your data from these external devices.
When Is PHI Disclosure Required?
With cybercrime on the rise, any suspected PHI violation will come under careful scrutiny and can attract hefty fines (in the millions of US dollars). While we would all rather err on the side of caution when it comes to disclosing protected health information, there are times when PHI can (or must) be legally divulged. These include (2):
- When a patient requests access to their own information.
- When required by the Department of Health and Human Services in the course of a compliance investigation.
- When required by law.
- When used by a covered entity for its own treatment, payment, or healthcare operations.
- For public health activities, such as reporting to public health authorities that an individual is infected with or has been exposed to COVID-19 or another notifiable disease.
There is no doubt that big data offers up some incredibly useful information. Should an organization wish to use PHI for statistics, for example, it must first de-identify the data. HHS recognizes two methods: Safe Harbor, in which all 18 identifiers listed above are removed or generalized and the organization has no actual knowledge that the remaining data could identify an individual, and Expert Determination, in which a qualified expert documents that the risk of re-identification is very small. Data de-identified by either method is no longer considered PHI (2).
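The Safe Harbor method described above is mechanical enough to script, so the following is an added example (not code from the original page or from HHS) of the transformations it requires applied to a constructed clinical note: direct identifiers are redacted, dates are reduced to the year, ZIP codes are truncated to their first three digits or zeroed for sparsely populated prefixes, and ages over 89 are collapsed into a 90+ category. The regex detectors, the sample note, and the restricted ZIP-prefix set are all illustrative assumptions; the real restricted set must be taken from current Census data, and a production scrubber needs named-entity recognition for names, street addresses, and cities that do not sit in a labelled field.

```python
"""Safe Harbor style de-identification of a free-text clinical note.

Added example, not part of the original page.  The detectors below are
illustrative regexes, not an exhaustive scrubber: unlabelled names, street
addresses and cities in running text are deliberately NOT handled here.
"""
import re

# ASSUMPTION: three-digit ZIP prefixes covering 20,000 or fewer people, which
# Safe Harbor requires to be replaced by 000.  The authoritative set comes
# from current Census data; this subset is only a placeholder for the demo.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}


def _zip_safe_harbor(m: re.Match) -> str:
    """Keep the first three ZIP digits unless the prefix is restricted."""
    zip3 = m.group(1)[:3]
    return "00000" if zip3 in RESTRICTED_ZIP3 else zip3 + "00"


def _age_safe_harbor(m: re.Match) -> str:
    """Ages over 89 must be aggregated into a single '90 or older' bucket."""
    return "90+ year old" if int(m.group(1)) > 89 else m.group(0)


# (category, detector, replacement).  Order matters: specific patterns run
# before generic ones so an SSN or MRN is never mistaken for a ZIP code.
DETECTORS = [
    ("name",  re.compile(r"\b(Patient|Name)\s*[:=]\s*([A-Z][a-z]+(?:\s+[A-Z][a-z]+)+)"),
              lambda m: f"{m.group(1)}: [NAME]"),
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda m: "[SSN]"),
    ("mrn",   re.compile(r"(?i)\bMRN\s*[:#]?\s*\d{5,}\b"), lambda m: "MRN: [MRN]"),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), lambda m: "[EMAIL]"),
    ("url",   re.compile(r"\bhttps?://\S+?(?=[.,;]?(?:\s|$))"), lambda m: "[URL]"),
    ("ipv4",  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), lambda m: "[IP]"),
    ("phone", re.compile(r"\(?\b\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b"), lambda m: "[PHONE]"),
    # All date elements except the year are removed (MM/DD/YYYY -> YYYY).
    ("date",  re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"), lambda m: m.group(1)),
    ("age",   re.compile(r"(?i)\b(\d{1,3})[ -]year[ -]old\b"), _age_safe_harbor),
    # ZIP runs last so that years and already-redacted numbers are not touched.
    ("zip",   re.compile(r"\b(\d{5})(?:-\d{4})?\b"), _zip_safe_harbor),
]


def deidentify(text: str) -> str:
    """Apply every Safe Harbor transformation in order and return the result."""
    for _category, pattern, repl in DETECTORS:
        text = pattern.sub(repl, text)
    return text


def audit(text: str) -> list[str]:
    """Categories whose transformation would still change the text.

    An empty list means none of the detectors has anything left to do, which
    is the check a reviewer would run on the scrubbed output.  It says nothing
    about identifiers the detectors cannot see (free-text names, streets).
    """
    return [cat for cat, pattern, repl in DETECTORS if pattern.sub(repl, text) != text]


# Constructed sample note; every value is fictitious.
SAMPLE_NOTE = (
    "Patient: Jane Doe, 93-year-old, MRN: 0048123, SSN 123-45-6789. "
    "Admitted 03/14/2022 from 42 Elm St, Boston MA 02139-1234; "
    "phone (555) 867-5309, email jane.doe@example.com. "
    "Portal login from 203.0.113.7 via https://portal.example.org/visit/88. "
    "Second address on file: ZIP 05901."
)

if __name__ == "__main__":
    print("before:", audit(SAMPLE_NOTE))
    print(deidentify(SAMPLE_NOTE))
    print("after: ", audit(deidentify(SAMPLE_NOTE)))
```

Running it shows the 93-year-old becoming "90+ year old", the Boston ZIP collapsing to 02100 and the restricted 059 prefix to 00000, while "42 Elm St, Boston MA" survives untouched: a reminder that regex detectors alone do not satisfy Safe Harbor, which also requires that the organization has no actual knowledge the residual data could identify the individual.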
What Can PHI Be Used For?
For those of us lacking in criminal intent, it’s worth understanding how patient data can be used for profit. This knowledge can make us that much more vigilant when it comes to this valuable information.
As an industry of an estimated $3 trillion, healthcare has deep pockets. This makes it the perfect target for extortion. Under the threat of revealing protected health information, criminals can demand enormous sums of money. This is from both organizations and individuals.
Medical identity theft is the other obvious use. A stolen health record bundles a Social Security number, date of birth, address, and insurance details, which is enough to open credit accounts or obtain a fake ID in the victim’s name. The result is a shattered credit record or reputation, and cleaning up personal records after identity theft takes time and in some cases plagues the victim for years.
Black Market Medications
To say that the illegal market for prescription drugs is massive is a gross understatement, and a ‘valid’ health card is the perfect tool for obtaining certain medications. Unregulated black-market products can sell for many times their actual value and move quickly. Some pharmaceuticals form the foundation of dangerous street drugs, which makes these raw materials both valuable and highly sought after.
Where there is a buyer there will be a seller. Some criminals choose to simply sell the personal data that they have obtained to their crooked peers. Others will sell this information back to unsuspecting businesses. With the global crackdown on the distribution and use of personal information, a business can find themselves in hot water if they make use of this hacked data.
PHI in Practice
How can we ensure that our staff and vendors are HIPAA compliant and adhering to the stringent requirements of PHI? Certainly, the price of a data breach can cripple an organization from a financial or a reputational perspective – or both. Without a doubt, regular training courses for healthcare teams are essential. There is simply no room for ignorance in this space, and the responsibility rests squarely on the organization to ensure compliance. Staying on the right side of the law is easy with the comprehensive courses offered through HIPAA Exams. Talk to us today to book a training course for perfect PHI compliance.
Sources:
- Criminal attacks in healthcare are up 125% since 2010. Help Net Security. Published May 7, 2015. Retrieved Oct 6, 2022 from https://www.helpnetsecurity.com/2015/05/07/criminal-attacks-in-healthcare-are-up-125-since-2010.
- Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. U.S. Department of Health and Human Services. Published May 31, 2022. Retrieved Oct 6, 2022 from https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html.
- The HIPAA Compliance of Wearable Technology. BlogMD. Published Jan 16, 2019. Retrieved Oct 6, 2022 from https://www.micromd.com/blogmd/hipaa-compliance-of-wearable-technology.
- What is Considered PHI under HIPAA? HIPAA Journal. Published Jan 28, 2022. Retrieved Oct 6, 2022 from https://www.hipaajournal.com/considered-phi-hipaa.