HIPAA governs and protects PHI, or Protected Health Information, which is individually identifiable health information. However, HIPAA was drafted almost twenty years ago, in an analog world of paper data and actual x-rays, when the iPhone wasn’t even a fantasy. As the healthcare industry continues to expand into new areas like health apps, genetic sequencing, release-of-information workflows, and more, developers can struggle to determine whether their products must adhere to HIPAA regulations without a clear definition of protected health information (PHI).
This article will discuss protected health information (PHI): what it is, what it isn’t, and how to identify it. With any luck, you can use this as a guide to figure out whether the data you’re gathering constitutes PHI under HIPAA’s rules.
What is Protected Health Information?
The Health Insurance Portability and Accountability Act introduced the term Protected Health Information (PHI). HIPAA exists to protect the confidentiality of your health records. To ensure HIPAA compliance, it is essential for healthcare professionals to understand PHI and the rules and regulations surrounding its protection.
Define PHI
Information about a patient that can be used to identify them, including data collected from medical records and communications between healthcare professionals (such as doctors and nurses), is considered protected health information and must be kept confidential. Health insurance records contain billing information and any other data that could be used to identify an individual.
If you are in the healthcare sector or hope to be, you may need access to PHI in order to provide care and to assist patients with billing and collection issues. Taking the required precautions to protect PHI requires an understanding of what types of information fall under this category and why that information has to be protected.
Some Illustrations of PHI
Here are some real-world examples of protected health information. HIPAA compliance is mandatory if your company deals with any of the below information while providing a service to or on behalf of a covered entity.
- Patient names
- Family names
- Email addresses
- Telephone and fax numbers
- Social Security numbers
- Driver’s license data
- Medical record numbers
- Financial account identifiers
- Health plan beneficiary (participant) identification numbers
- Certificate/license numbers
- License plate numbers
- Dates, including but not limited to those of birth, admission, discharge, and death
- Serial numbers and other unique device identifiers
- Internet Protocol (IP) addresses
- Biometric identifiers, such as fingerprints or voiceprints
- Full-face photographs and comparable images
- Geographic identifiers: street addresses, cities, counties, precincts, and typically zip codes and their corresponding geocodes
In practice, PHI can be found in a wide variety of media, including but not limited to the following:
Medical records, including billing information:
- An MRI scan
- Blood test results
- Transmission logs
- An email to the doctor’s office
- An email to the pharmacy asking for the medication you need
Data Examples That Do Not Contain Protected Health Information
Only information that identifies an individual qualifies as protected health information. Employment records held by a Covered Entity and records governed by the Family Educational Rights and Privacy Act (FERPA) do not qualify as PHI, even though they may contain health details, because they are not linked to health records in a way that could endanger the individual’s security.
In addition, not all medical data that is exchanged with a third party qualifies as Protected Health Information (PHI).
Readings such as the number of steps recorded by a pedometer, calories burned, blood sugar levels, or heart rate measurements are not protected health information when they are stored without any identifying information (such as a user name or account number).
Your product is handling PHI if it saves, records, or transmits a user’s individually identifiable health data to a covered entity.
You don’t need to be HIPAA compliant if you are developing a wearable device or app that collects health information but does not intend to share that information with a covered entity at any time.
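As an added example (not from the article), the Python sketch below applies the article’s test: a record is PHI only when it carries one of the identifier categories listed above alongside health data and is shared with a covered entity. Field names, the free-text patterns and the sample payload are assumptions constructed for this example.

```python
import re

# Field names are assumptions for this example; map your own schema onto them.
IDENTIFIER_FIELDS = {
    "name", "family_name", "email", "phone", "fax", "ssn", "drivers_license",
    "medical_record_number", "account_number", "health_plan_id",
    "license_number", "license_plate", "device_serial", "ip_address",
    "biometric", "face_photo", "street_address", "city", "county",
    "zip_code", "geocode", "date_of_birth", "admission_date",
    "discharge_date", "date_of_death",
}
# Measurements that are not PHI on their own (the pedometer / heart-rate case).
HEALTH_FIELDS = {"steps", "calories_burned", "blood_glucose", "heart_rate"}
# Identifiers often leak inside free text, so string values are scanned as well.
EMBEDDED_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
}

def find_identifiers(record):
    """Map each field that holds an identifier to the category it falls into."""
    found = {}
    for key, value in record.items():
        if value in (None, ""):
            continue  # empty fields identify nobody
        if key in IDENTIFIER_FIELDS:
            found[key] = key
            continue
        if isinstance(value, str):  # look for identifiers hidden in free text
            for category, pattern in EMBEDDED_PATTERNS.items():
                if pattern.search(value):
                    found[key] = category
                    break
    return found

def is_phi(record, shared_with_covered_entity):
    """Health data is PHI only when it is individually identifiable AND it is
    stored or transmitted to, or on behalf of, a covered entity."""
    has_health = any(record.get(k) not in (None, "") for k in HEALTH_FIELDS)
    return shared_with_covered_entity and has_health and bool(find_identifiers(record))

def deidentify(record):
    """Return a copy with every identifier-bearing field removed."""
    flagged = find_identifiers(record)
    return {k: v for k, v in record.items() if k not in flagged}

# Constructed sample: a wearable sync payload with an identifier hidden in notes.
SAMPLE = {"steps": 8421, "heart_rate": 72, "zip_code": "",
          "notes": "Forward to jane.doe@example.com before the appointment"}
```

Note that the same payload flips from "not PHI" to "PHI" purely on the basis of who receives it, which is the distinction the two paragraphs above draw.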
Compliance with Privacy Laws When Handling PHI
To be in compliance with the HIPAA Privacy and Security Rules, healthcare providers must protect any electronic records or transmissions containing personal health information. These rules are there to keep our private information safe from intruders and data thieves. HIPAA compliance must be maintained at all times, and this requires constant vigilance for new regulations and the replacement of outmoded systems.
HIPAA’s Privacy and Security Rules mandate that healthcare providers employ best practices in three areas—administrative security, physical security, and technical security—to ensure the safety of their patients’ personal information.
Administrative Requirements
These obligations apply to all employees, regardless of whether an employee has access to protected health information (PHI). The law mandates several stipulations, including the following:
- Physical security requirements
- A data breach response strategy
- An Evaluation of Data Security Every Year
- HIPAA education and training on the company’s unique security measures once a year
- Sanctions for any employee who breaks security policies
HIPAA’s physical security regulations aim to prevent the theft or loss of equipment containing medical records. These are some examples:
- Securing workstations that contain PHI
- Restricting access to facilities that house systems holding sensitive data, such as computers and servers
- Establishing procedures for the removal and disposal of equipment carrying protected health information
Technical Requirements
To prevent data breaches, organizations must implement certain technical measures for their networks and devices. There are several technical necessities for security, such as:
- Security measures that restrict access to protected health information to authorized personnel
- Safeguards for the transmission of protected health information through an electronic network
- Audit tools that record who has accessed which systems containing protected health information
- Consistent safeguards against the loss, misuse, or unauthorized disclosure of protected health information
Having the appropriate personnel in place to keep healthcare data safe and easily available helps businesses comply with HIPAA regulations.
Methods For Meeting HIPAA Standards
HIPAA requires that you follow these rules in order to be in compliance:
- HIPAA Privacy Rule
- HIPAA Security Rule, which specifies:
  - Technical Safeguards
  - Physical Safeguards
  - Administrative Safeguards
- HIPAA Enforcement Rule
- HIPAA Breach Notification Rule
Health insurance companies, healthcare clearinghouses, providers of medical care, and their business associates are all subject to the requirements outlined in the HIPAA Privacy Rule, which were created to ensure the confidentiality of patient records.
Protecting the privacy, availability, and integrity of protected health information (PHI) in accordance with the HIPAA Security Rule means giving due consideration to the Physical, Technical, and Administrative safeguards described above. Implementation specifications are provided for each of these three safeguards; some are “mandatory”, while others are “addressable,” meaning they need be followed only when it is both reasonable and appropriate to do so (and the decision must be documented).
Finally, under the HIPAA Breach Notification Rule, if more than 500 patients are affected by a breach you must inform the Department of Health and Human Services (HHS), the public, and the media.
Final Thoughts
Now that you understand what PHI is and why it’s so crucial, you can go back and reevaluate the data you’re collecting to determine whether you need to be HIPAA compliant. It’s best to exercise caution while dealing with sensitive health information, given the heightened emphasis on HIPAA violations, the large fines connected with breaches, and the absence of a safe harbour clause for accidental PHI breaches.