HIPAA, short for the Health Insurance Portability and Accountability Act, is a legal standard that was initially enacted in 1996 to protect the privacy and security of patients’ health care information. However, not all information is covered. Only protected health information (PHI), also sometimes referred to as personal health information, is protected under federal law.
Though HIPAA is considered the most important law that oversees the regulation of PHI in the US, it is intentionally vague regarding not just what measures each healthcare facility or business associate must take to protect PHI, but also how PHI is defined. The law defines PHI as all data that relates to:
● A patient’s past, present, or future health
● The provision of healthcare to patients
● A patient’s payment for the healthcare that he or she receives
According to HIPAA, any data that falls into these three categories must be protected both while it is in transit via services like cloudfax for healthcare and while it’s at rest. It’s also relevant to note here that HIPAA covers not just healthcare facilities like hospitals and clinics but also any other organization that handles PHI. Whether you work for a long-term care facility or a payment processor that provides patient billing services, it’s worth taking the time to familiarize yourself with how PHI is defined and what steps your organization must take to protect it.
HIPAA’s Protected Health Information Identifiers
In an effort to further clarify what should be considered PHI, HIPAA lists 18 information identifiers that indicate data that should be given a protected status when it is paired with health information. Some of the identifiers can be considered PHI on their own, while others must be combined with additional identifying information. The official list of information identifiers includes:
● Patients’ names
● Home addresses, including street addresses and ZIP codes
● Dates related to individual patients, including birth date and admission date
● Phone numbers
● Fax machine numbers
● Email addresses
● Social Security numbers
● Patients’ medical record numbers
● Health plan beneficiary numbers, including health insurance beneficiary numbers
● Patients’ account numbers
● Providers’ certificate or license numbers
● Identifying information about vehicles, including identifiers and serial numbers
● Identifying information about devices
● Web URLs (universal resource locators)
● IP addresses
● Biometric identifiers, such as fingerprints and voice prints
● Photographs that contain identifying characteristics
● Any other unique identifying number, characteristic, or code
Some of these forms of data, such as Social Security numbers or biometric identifiers, can be used to identify patients by themselves. Others must be combined with additional items to allow unauthorized persons to identify a patient. However, all of this data should be protected to ensure patients’ privacy and data security.
Covered Entities That Must Protect PHI
Covered entities are individuals or organizations that must follow HIPAA regulations, including the protection of PHI. Any person, business, or other organization that handles PHI is generally categorized as a covered entity and must follow both the security and privacy rules laid out in HIPAA. Covered entities must ensure that only the minimum amount of PHI necessary is used, shared, and disclosed to protect patient privacy.
Anyone could guess that both healthcare providers and insurers are covered entities. However, HIPAA’s privacy and security rules also apply to all of these covered entities’ business associates that handle PHI on their behalf. Examples of covered business associates can include health information exchanges, claims processing companies, hospital consultants, and even independent medical transcriptionists.
Any partner of a healthcare provider or insurer must sign a HIPAA business associate agreement. This agreement legally binds the partner to following HIPAA’s Privacy and Security Rules and makes them subject to HIPAA audits, which are usually conducted by the US Department of Health and Human Services. Any covered entity or business associate that is determined to have violated HIPAA regulations can face steep fines, so it’s always best to err on the side of caution.
Allowable Disclosure of PHI
Allowable disclosures of PHI are defined in HIPAA’s Privacy Rule. The Privacy Rule stipulates that PHI may be disclosed only to ensure a patient’s health and safety or after a patient has given consent to share the information.
Covered entities must also consider whether they have actual knowledge that the remaining data could be combined with other information to identify an individual; that knowledge affects which personal identifiers must be retained or suppressed in health information.
Patients are also welcome to release their PHI for research purposes or when changing to a different doctor or healthcare network. Patients can offer informal consent or denial to disclose PHI to facility directories, members of the clergy, and for the notification of relatives and friends.
HIPAA also allows PHI to be disclosed without an individual’s permission for 12 different reasons associated with the public good. A patient’s PHI may be partially disclosed when:
● It’s required by law.
● Authorized public health authorities need the information to prevent or control disease, injury, or disability.
● Government authorities need information about victims of domestic violence, abuse, or neglect.
● Health oversight agencies request the information for authorized purposes such as audits or investigations.
● It’s in response to a court or administrative tribunal order, a subpoena, or another lawful process.
● It’s required to enforce the law under certain circumstances.
● The patient dies and a funeral director, coroner, or medical examiner needs to identify the deceased.
● It’s needed to facilitate cadaveric organ, eye, or tissue donation.
● Certain researchers request the information for authorized purposes.
● A serious threat to the health or safety of the patient or the public requires the disclosure of PHI.
● PHI must be released to facilitate essential government functions.
● Workers’ compensation laws or other programs require the release of PHI.
In most cases, only limited forms of PHI can be disclosed without a patient’s consent, even when one of the situations above applies. The Privacy Rule limits the use of PHI and its disclosure to the minimum necessary to meet any of the requirements listed above. It’s rare for a patient’s entire medical record to be disclosed for a specific purpose.
Incidental Disclosure of PHI
HIPAA acknowledges that it’s not always possible to prevent incidental disclosure of PHI. If PHI is disclosed accidentally as a result of another permitted disclosure, it wouldn’t be considered non-compliant behavior on the part of a covered entity. For example, if a business associate attends a meeting in a doctor’s office for an allowable disclosure of PHI and sees a person he or she recognizes waiting for care, that’s considered an incidental disclosure, and neither the physician nor the business associate will face negative consequences.
It’s still important for all of the employees working for covered entities to take care not to accidentally disclose PHI. The Security Rule requires the defense of PHI against reasonably anticipated threats. Information security officers need to implement not just technical safeguards for digitally transmitted or stored data, but also physical and administrative safeguards, which must include people-based approaches to security such as ongoing PHI awareness training.
De-identification of Protected Health Information
De-identification of protected health information (PHI) is a critical process that involves removing or altering identifying details from PHI to ensure it can no longer be linked to an individual. This process is essential for protecting patient privacy and complying with the HIPAA Privacy Rule.
There are two primary methods for de-identifying PHI: Expert Determination and Safe Harbor. The Expert Determination method requires a person with appropriate expertise to apply statistical and scientific principles to ascertain that the risk of re-identification is very small. On the other hand, the Safe Harbor method involves removing 18 specific identifiers, such as names, dates, addresses, Social Security numbers, and medical record numbers, from the PHI.
De-identification is crucial for various purposes, including research, public health activities, and healthcare operations. It allows the use of health information without compromising patient privacy. However, it is vital to ensure that the de-identification process is performed correctly to maintain data integrity and prevent re-identification.
Breach Reporting
Breach reporting is the process of notifying individuals and the Department of Health and Human Services (HHS) when there is a breach of unsecured protected health information (PHI). A breach is defined as any unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy.
Covered entities and business associates must report breaches of unsecured PHI to the affected individuals and HHS. Notifications must be made within 60 days of discovering the breach and should include:
● A description of the incident, including the date of the breach and its discovery.
● Details about the types of unsecured PHI involved.
● Information on what the covered entity or business associate is doing to investigate the breach, prevent future breaches, and mitigate any harm caused.
● A statement that individuals can obtain a copy of the notice by contacting the covered entity or business associate.
Breach reporting is essential for maintaining transparency and accountability. It also helps protect individuals from potential harm resulting from the breach.
Importance of Protecting Medical Records
Protecting medical records is paramount for maintaining patient privacy and confidentiality. Medical records contain sensitive information, such as diagnoses, treatments, and personally identifiable information. Unauthorized access or disclosure of medical records can compromise patient privacy and potentially cause harm.
The HIPAA Privacy Rule mandates that covered entities implement administrative, technical, and physical safeguards to protect medical records. This includes ensuring that only authorized individuals have access to medical records, using secure electronic systems for storing and transmitting medical records, and implementing policies and procedures to prevent unauthorized access or disclosure.
Protecting medical records is also crucial for maintaining trust between patients and healthcare providers. Patients need to feel confident that their medical information is secure and will not be shared without their consent. By safeguarding medical records, healthcare providers can maintain patient trust and ensure high-quality care.
In addition to protecting patient privacy, safeguarding medical records is essential for maintaining the integrity of the healthcare system. Medical records are used to make informed decisions about patient care, and unauthorized access or disclosure can compromise the accuracy and reliability of these decisions.
Overall, protecting medical records is vital for maintaining patient privacy, confidentiality, and trust. It is also crucial for ensuring the integrity of the healthcare system and providing high-quality patient care.
Common Misconceptions About PHI
HIPAA was initially drafted in 1996 when most PHI was still stored and transmitted using paper documents. However, it still applies equally to digital data, which has created some misconceptions. It’s common for business partners of healthcare providers to be confused about how they are supposed to handle PHI, for example. Even if a business partner handles only limited PHI, it’s still responsible for following HIPAA’s Privacy and Security Rules.
There are also some misconceptions regarding the Privacy and Security Rules. Many people assume that they always work together, so following one will automatically mean that the company is compliant with both. In fact, it’s often the case that companies put security restrictions in place that fail to fully protect patient privacy. Failing to have all partners that handle PHI sign business associate agreements is the most common example.
Frequently Asked Questions About PHI and HIPAA Privacy Rule Compliance
HIPAA’s rules and regulations can be a bit complex, and its definition of PHI isn’t exact. The lack of exact definitions and specific steps to take shouldn’t be interpreted as an excuse for exercising leniency in the protection of PHI, though.
It’s up to the security officers working for covered entities to get a good grasp on what PHI is, how it can be used appropriately, and how it should be protected to ensure HIPAA compliance, but all employees should receive training about how to handle PHI. Before starting employee training sessions, read on to find answers to some frequently asked questions that you’ll almost certainly need to answer during the Q&A.
What’s the Difference Between PHI and PII?
The difference between PHI and PII is that PHI (Protected Health Information) is used in a healthcare context, while PII (Personally Identifiable Information) is used outside of that context. The term Individually Identifiable Health Information (IIHI) is sometimes used to replace PHI, as well, since they mean the same thing.
Does PHI Have to Definitively Identify a Patient’s Medical Records to Be Protected?
PHI does not have to definitively identify a patient to be protected. Any combination of identifiers is considered an example of PHI under HIPAA, even if that combination could apply to dozens of people.
Why Are Email Addresses Considered PHI Identifiers?
Email addresses are considered PHI identifiers even when they don’t contain the patient’s name because it’s easy to look people up using their email addresses. Even if a reverse lookup tool doesn’t provide an individual’s name, chances are, an unauthorized party could still find out enough about the patient to determine who he or she is.
Protect Data in Transit and at Rest
Protecting data at rest is a task that can usually be handled in-house by your company’s information security officer. However, HIPAA also requires all covered entities to take reasonable steps to prevent PHI losses and unauthorized access while data is in transit. The best way for you to protect PHI while it’s in transit is to partner with a specialized company like Documo that already has advanced safeguards in place to ensure HIPAA compliance.
A related point on the Safe Harbor method: any geographic unit formed from ZIP codes must include more than 20,000 people to be considered non-identifiable. Such geographic units must meet that population criterion to avoid revealing individual identities and remain compliant with privacy standards.
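As an added example that is not part of the original article, the following Python routine applies the Safe Harbor method described in the De-identification section and the ZIP code population rule described here: fields on the identifier list are dropped, dates are reduced to the year, three-digit ZIP prefixes are kept only when the area they cover holds more than 20,000 people, and email addresses, Social Security numbers, and phone numbers that leak into free-text notes are masked. It also applies the Safe Harbor rule that ages over 89 (and birth dates that would reveal them) are aggregated into a 90+ category, which the article does not spell out. The field names, population figures, and patient record are constructed for illustration; the authoritative ZIP population figures come from Census Bureau data.

```python
import re

# Constructed sample of 3-digit ZIP prefixes and the population each covers;
# real figures come from Census Bureau data, these two are placeholders.
ZIP3_POPULATION = {"021": 1_900_000, "036": 12_000}

# Fields dropped outright (direct identifiers from the Safe Harbor list).
DIRECT_IDENTIFIERS = {"name", "street", "phone", "fax", "email", "ssn", "mrn",
                      "beneficiary_no", "account_no", "license_no", "vin",
                      "device_id", "url", "ip", "photo", "biometric"}

FREE_TEXT_PATTERNS = [  # identifiers that commonly leak into free-text notes
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
]

def generalize_zip(zip_code):
    prefix = zip_code[:3]  # keep prefix only if its area has > 20,000 people
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"
def generalize_date(iso_date):
    return iso_date[:4]  # every date element except the year is removed
def generalize_age(age):
    return "90+" if age > 89 else str(age)  # ages over 89 are aggregated

def scrub_text(text):
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text

def deidentify(record):
    """Apply Safe Harbor removal and generalisation to one flat patient record."""
    over_89 = record.get("age", 0) > 89  # birth year would reveal an age over 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or (key == "dob" and over_89):
            continue  # field is dropped entirely
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key == "dob" or key.endswith("_date"):
            out[key] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        else:
            out[key] = scrub_text(value) if isinstance(value, str) else value
    return out

# Constructed sample record; no real patient data.
SAMPLE = {"name": "Jane Doe", "ssn": "123-45-6789", "zip": "03601",
          "dob": "1931-04-12", "age": 93, "admit_date": "2024-02-29",
          "diagnosis": "J18.9", "notes": "Call jane.doe@example.com or 603-555-0147."}
```

Running `deidentify(SAMPLE)` keeps only the diagnosis, the admission year, the masked notes, the 90+ age band, and a ZIP of 000, since the constructed 036 area falls under the 20,000-person threshold.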