By Emily Heaslip (curled from Nightfall.ai)
For organizations that work in or partner with the healthcare industry, HIPAA compliance is of paramount importance. Keeping a patient’s medical records and personal information safe isn’t just a matter of avoiding penalties. It’s also key to building trust with patients and, ultimately, providing great patient care. Here’s what health organizations and their partners need to know about PHI and keeping it secure.
What is PHI?
PHI refers to Protected Health Information. The term was established under the Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA. HIPAA is a federal law that set forth nationwide standards designed to protect sensitive patient information from being disclosed without consent. Today, the US Department of Health and Human Services (HHS) enforces HIPAA.
Sometimes PHI gets mentioned in the same breath as PII. What are PHI and PII? PII refers to Personally Identifiable Information. This is any information that directly identifies an individual, such as a name, address, Social Security number, or even a telephone number. PII differs from PHI in that it applies outside a healthcare context.
Let’s dive deeper into what PHI is to understand if your organization collects this data — and how to protect it.
PHI vs. IIHI: What’s the difference?
Just to add another acronym into the mix, HIPAA’s regulations also govern something known as individually identifiable health information (IIHI). IIHI includes not only a person’s medical information but also their demographics. IIHI is protected under privacy laws. It includes any information that can reveal a patient’s identity, such as:
- A patient’s past, present, or future medical condition;
- Healthcare treatment or services provided to the patient; or
- Past, present, or future payment for the provision of healthcare to a patient.
What’s the difference between IIHI and PHI? “All PHI is IIHI, but not all IIHI is PHI. This is because HIPAA does not protect all individually identifiable health information. The IIHI has to be transmitted or maintained in some form to be protected (PHI),” explained HIPAA Trek.
Fortunately, HIPAA also provides PHI identifiers to help business owners and healthcare providers understand exactly what makes a piece of information “identifiable” and subject to regulation.
There are 18 PHI identifiers that make medical information “identifiable” and traceable back to a specific individual. These identifiers are:
- Names (of patients, relatives, or employers)
- Social Security numbers
- Device identifiers and serial numbers
- All geographic subdivisions smaller than a State
- Medical record numbers
- Web Universal Resource Locators (URLs)
- All elements of dates (except year) including birth date, admission date, discharge date, date of death; and all ages over 89
- Health plan beneficiary numbers
- Internet Protocol (IP) address numbers
- Telephone numbers
- Account numbers
- Biometric identifiers, including finger and voiceprints
- Fax numbers
- Certificate/license numbers
- Full face photographic images and any comparable images
- Electronic mail addresses
- Vehicle identifiers and serial numbers, including license plate numbers
- Any other unique identifying number, characteristic, or code
HIPAA’s regulations refer to two parties — a covered entity and a business associate — that are required to adhere to PHI compliance.
Covered entities are healthcare providers, health plans, or any other entity that creates, maintains, or transmits PHI during the normal course of business. “Employers – despite maintaining health care information about their employees – are not generally Covered Entities unless they provide self-insured health cover or benefits such as an Employee Assistance Program (EAP),” noted the HIPAA Journal.
Business associates are individuals or organizations that provide a service to a covered entity where successfully offering that service requires gaining access to PHI. Business associates could be lawyers, IT contractors, cloud storage services, or accountants.
Covered entities and business associates are the only two parties that should have access to PHI. A patient must authorize access to PHI for it to be used in any other way — such as for fundraising, marketing, or research purposes.
“Each covered entity is required to implement safeguards to prevent the unauthorized disclosure of PHI. These safeguards will vary depending on the size of the covered entity and the nature of healthcare it provides, but the penalties for failing to safeguard the integrity of PHI can be extremely high. Healthcare organizations that deliberately or negligently fail to adhere to HIPAA privacy laws can be fined up to $50,000 per offense per day,” wrote the HIPAA Journal.
How to protect PHI
Protecting PHI is important not only for HIPAA compliance but also for patient security. While HIPAA requires organizations to safeguard the confidentiality, integrity, and availability of PHI, there are few specifics in the HIPAA regulations as to how to go about securing patient information.
Most experts recommend taking a layered approach to securing PHI and meeting HIPAA compliance. This might include adding a firewall to prevent unauthorized users from accessing your network; a spam filter to block malware and phishing attempts; antivirus software; and data encryption on portable devices and on messaging platforms (like email).
A good strategy for meeting PHI compliance is to consider how data is protected at rest, in motion, and while in use. For instance, an organization should consider using extensive, encrypted backups to make sure stored patient information is never lost (data at rest); multifactor authentication to ensure only authorized users are accessing data in use; and encrypted, HIPAA-compliant messaging platforms to secure data in motion.
As more and more covered entities and business associates use cloud programs, organizations must also consider how to protect PHI while using these types of platforms.
Nightfall is a cloud-native data loss prevention solution that provides data security for SaaS and cloud infrastructure platforms. By using machine learning detectors specifically tuned for PHI, Nightfall automates data security and sends an alert whenever PHI appears somewhere it shouldn’t, like an inappropriate Slack channel or the wrong S3 bucket. Nightfall is able to detect patient names, addresses, medical record numbers, Social Security numbers, as well as a number of healthcare-specific codes and identifiers such as ICD, FDA, DEA, NPI, DOB, and more.
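As an added illustration of the identifier list above and of the kind of "PHI in the wrong place" detection the previous paragraph describes, the following Python (written for this article, not Nightfall's code) scans constructed chat messages for a subset of the 18 identifiers using plain regular expressions rather than ML detectors, flags any message that should raise an alert, and redacts the hits before the text is shared. Names and street addresses are deliberately left out, since they require entity recognition rather than patterns; the MRN format and all sample values are assumptions.

```python
import re
from typing import Dict, List

# Constructed, deliberately simple regexes for a subset of the 18 HIPAA
# identifiers listed in the article. Real DLP detectors add context and
# validation; these only illustrate the idea and will produce false positives.
IDENTIFIER_PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "phone": re.compile(r"(?<!\w)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # any full month/day/year date; a bare year is not an identifier
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    # medical record numbers as written in the constructed samples: "MRN" + digits
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    # ages over 89 count as identifying under HIPAA
    "age_over_89": re.compile(r"\b(?:9\d|1\d\d)[- ]year[- ]old\b", re.IGNORECASE),
}

def scan_for_phi(text: str) -> Dict[str, List[str]]:
    """Return each identifier type found in text, mapped to its matches."""
    findings: Dict[str, List[str]] = {}
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        matches = [m.group(0) for m in pattern.finditer(text)]
        if matches:
            findings[kind] = matches
    return findings

def redact_phi(text: str) -> str:
    """Replace every detected identifier with a [TYPE] token before sharing."""
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{kind.upper()}]", text)
    return text

def alert_on_phi(messages: List[str]) -> List[int]:
    """Indices of messages that would trigger a 'PHI in the wrong place' alert."""
    return [i for i, msg in enumerate(messages) if scan_for_phi(msg)]

# Constructed sample chat messages (not real patient data).
SAMPLE_MESSAGES = [
    "Patient John Doe, MRN: 00123456, DOB 03/14/1931, SSN 123-45-6789, "
    "cell (555) 867-5309, j.doe@example.com, 92-year-old, admitted 10/02/2023",
    "Chart export from 10.0.4.22 failed on 12/01/2022",
    "Reminder: the team sync moves to Thursday this week.",
]

if __name__ == "__main__":
    for i in alert_on_phi(SAMPLE_MESSAGES):
        print(i, scan_for_phi(SAMPLE_MESSAGES[i]))
        print(redact_phi(SAMPLE_MESSAGES[i]))
```

Note that the patient's name survives redaction in the first message, which is exactly the gap that ML-based name detection is meant to close.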
Learn more about organizations like Project N95, Simple Health, and Foresight Mental Health and how Nightfall has helped each of them ensure HIPAA compliance within the technologies they use. You can also have a look at our Guide to HIPAA Compliance Checklist, which details the questions you should ask covered entities who will be helping you handle ePHI.