Listen to: "What Do We Mean by “Protected Health Information”?"
Often, when we discuss the sorts of data that need to be safeguarded, we’ll talk about Protected Health Information (PHI) as an example. To better understand what information needs to be protected and why, it’s good to understand exactly what Protected Health Information means. Here, we’ll explore the types of data that can be considered PHI, the reasons your organization needs to keep that information safe and the best ways to keep yourself compliant with the applicable standards, rules and laws.
What Is PHI?
PHI stands for “Protected Health Information.” ePHI is also often used, and refers to electron protected health information. You may also see the initialism used to mean “personal health information” or “personally identifiable health information,” although those uses are more colloquial than official. All protected data is information protected under the HIPAA Privacy Rule.
In the simplest terms, Protected Health Information is any information about a person’s health status, payment for care or provision of health care that can be connected to a specific individual. The Department of Health and Human Services has a definition that is even more to the point: PHI is any individually identifiable information that is maintained or transmitted in any form by a Covered Entity or that entity’s business associates.
What Kinds of Information Can Be PHI?
Protected health information includes any information that is uniquely identifiable. This information can include:
- Names. This includes first names, last names and maiden names. While it can be argued that any one of these alone may not be enough to uniquely identify someone, these are all factors that can be used in combination with other data for identification.
- Dates. This includes a range of dates significant in a person’s life such as dates of birth, death, marriage or the dates of specific treatments.
- Geographic locators. Zip codes, addresses and latitude and longitude are all included.
- Phone numbers, fax numbers and email addresses.
- Social security numbers.
- Account and medical record numbers.
- Driver’s license and license plate numbers.
- Serial numbers and other identifiers from medical devices.
- Biometric identifiers like fingerprints.
- Photographs, x-ray images and other similar images.
Sometimes, it comes down to information that, in combination with other identifiers, can make someone’s identity known. A single piece of information may be enough. For instance, if someone suffers from a very rare disease, their diagnosis alone can be a unique identifier. With a more common condition, several factors taken together can be uniquely identifying. While over 25 million Americans suffer from diabetes, for instance, a much smaller number of individuals with a specific first name in a specific zip code may be sufferers. Because of this, all of the applicable data should be protected.
Consequences of Disclosing PHI
Protecting private information is at the core of federal HIPAA regulations. Information about individual patients is vital to the advancement of medical research. However, protecting individuals’ privacy is also necessary for both the good of individual patients and for the continued trust in medical institutions.
Because of this, the US Department of Health and Human Services created the standards for privacy of personal health information under the Health Insurance Portability and Accountability Act of 1996. Failure to properly protect personal health information does not just have ethical consequences. Violations can cause significant costs for your organization. The penalties for failing to comply with HIPAA protection rules can range from $100 to $50,000 for each violation. The maximum penalty is $1.5 million per year for multiple violations of any identical provision. In the case of willful neglect, disclosure of PHI can even carry criminal charges that can result in jail time.
Protecting Sensitive Information
There are a number of safeguards that organizations should have in place to ensure that PHI is properly protected. Employee training is vital. All individuals who have access to PHI should understand which pieces of information are considered PHI and the best ways to safeguard this data.
Data that is stored on a device should be properly encrypted and safeguarded. This ensures that, in the case of theft of items like hard drives, laptops, mobile devices or other equipment, data is properly protected.
According to HHS, roughly two-thirds of PHI breaches involve business associates. This highlights the importance of choosing partners well and ensuring that they have all of the right protections in place.
These are processes which remove or change PHI elements so that the possibility of identifying an individual is eliminated or minimized. For instance, the first three digits of a zip code may be used in place of the full number. Or, instead of an exact age, an anonymous patient might be identified as being between the ages of 40 and 49, or under the age of 89.
In general, it is preferred under HIPAA to remove the common identifiers listed above. If another method is used, it is important to validate that the risk of re-identification is statistically small.
Designing HIPAA-Compliant Solutions
As stewards of sensitive information, it is vital that you ensure that information is properly protected. We have extensive experience ensuring that the protections that you have in place are adequately secure and properly implemented. Do you have questions about your handling of Protected Health Information? We can help. Get in touch for a consultation; call us at 215-675-1400 or submit a contact form today.