HIPAA, short for the Health Insurance Portability and Accountability Act, is a legal standard that was initially enacted in 1996 to protect the privacy and security of patients' health information. However, not all information is covered. Only protected health information (PHI), also sometimes referred to as personal health information, is protected under federal law.
Though HIPAA is considered the most important law that oversees the regulation of PHI in the US, it is intentionally vague in regards to not just what measures each healthcare facility or business associate must take to protect PHI, but also how it is defined. The law defines PHI as all data that relates to:
● A patient's past, present, or future health
● The provision of healthcare to patients
● A patient's payment for the healthcare that he or she receives
According to HIPAA, any data that falls into these three categories must be protected both while it is in transit via services like cloudfax for healthcare and while it's at rest. It's also relevant to note here that HIPAA covers not just healthcare facilities like hospitals and clinics but also any other organization that handles PHI. Whether you work for a long-term care facility or a payment processor that provides patient billing services, it's worth taking the time to familiarize yourself with how PHI is defined and what steps your organization must take to protect it.
HIPAA's Information Identifiers
In an effort to further clarify what should be considered PHI, HIPAA lists 18 information identifiers that indicate data that should be given a protected status when it is paired with health information. Some of the identifiers can be considered PHI on their own, while others must be combined with additional identifying information. The official list of information identifiers includes:
- Patients' names
- Home addresses
- Dates related to individual patients
- Phone numbers
- Fax machine numbers
- Email addresses
- Social Security numbers
- Patients' medical record numbers
- The beneficiary numbers for health plans
- Patients' account numbers
- Providers' certificate or license numbers
- Identifying information about vehicles
- Identifying information about devices
- Web URLs
- IP addresses
- Biometric identifiers
- Photographs that contain identifying characteristics
- Other unique characteristics
Some of these forms of data, such as Social Security numbers or biometric identifiers, can be used to identify patients by themselves. Others must be combined with additional items to allow unauthorized persons to identify a patient. However, all of this data should be protected to ensure patients' privacy and data security.
Entities That Must Protect PHI
Covered entities are individuals or organizations that must follow HIPAA regulations, including the protection of PHI. Any person, business, or other organization that handles PHI is generally categorized as a covered entity and must follow both the security and privacy rules laid out in HIPAA.
Anyone could guess that both healthcare providers and insurers are covered entities. However, HIPAA's privacy and security rules also apply to all of these covered entities' business associates that handle PHI on their behalf. Examples of covered business associates can include health information exchanges, claims processing companies, hospital consultants, and even independent medical transcriptionists.
Any partner of a healthcare provider or insurer must sign a HIPAA business associate agreement. This agreement legally binds the partner to following HIPAA's Privacy and Security Rules and makes them subject to HIPAA audits, which are usually conducted by the US Department of Health and Human Services. Any covered entity or business associate that is determined to have violated HIPAA regulations can face steep fines, so it's always best to err on the side of caution.
Allowable Disclosure of PHI
Allowable disclosures of PHI are defined in HIPAA's Privacy Rule. The Privacy Rule stipulates that PHI may be disclosed only to ensure a patient's health and safety or after a patient has given consent to share the information.
Patients are also welcome to release their PHI for research purposes or when changing to a different doctor or healthcare network. Patients can offer informal consent or denial to disclose PHI to facility directories, members of the clergy, and for the notification of relatives and friends.
HIPAA also allows PHI to be disclosed without an individual's permission for 12 different reasons associated with the public good. A patient's PHI may be partially disclosed when:
- It's required by law.
- Authorized public health authorities need the information to prevent or control disease, injury, or disability.
- Government authorities need information about victims of domestic violence, abuse, or neglect.
- Health oversight agencies request the information for authorized purposes such as audits or investigations.
- It's in response to a court or administrative tribunal order, a subpoena, or another lawful process.
- It's required to enforce the law under certain circumstances.
- The patient dies and a funeral director, coroner, or medical examiner needs to identify the deceased.
- To facilitate cadaveric organ, eye, or tissue donations.
- Certain researchers request the information for authorized purposes.
- A serious threat to health or safety to the patient or the public requires the disclosure of PHI.
- PHI must be released to facilitate essential government functions.
- Workers' compensation laws or other programs require the release of PHI.
In most cases, only limited forms of PHI can be disclosed without a patient's consent, even when one of the situations above applies. The Privacy Rule limits the use of PHI and its disclosure to the minimum necessary to meet any of the requirements listed above. It's rare for a patient's entire medical record to be disclosed for a specific purpose.
Incidental Disclosure of PHI
HIPAA acknowledges that it's not always possible to prevent incidental disclosure of PHI. If PHI is disclosed accidentally as a result of another permitted disclosure, it wouldn't be considered non-compliant behavior on behalf of a covered entity. For example, if a business associate attends a meeting in a doctor's office for an allowable disclosure of PHI and sees a person he or she recognizes waiting for care, that's considered an incidental disclosure and neither the physician nor the business associate will face negative consequences.
It's still important for all of the employees working for covered entities to take care not to accidentally disclose PHI. The Security Rule requires the defense of PHI against reasonably anticipated threats. Information security officers need to implement not just technical safeguards for digitally transmitted or stored data, but also physical and administrative safeguards, which must include people-based approaches to security such as ongoing PHI awareness training.
Common Misconceptions About PHI
HIPAA was initially drafted in 1996 when most PHI was still stored and transmitted using paper documents. However, it still applies equally to digital data, which has created some misconceptions. It's common for business partners of healthcare providers to be confused about how they are supposed to handle PHI, for example. Even if a business partner handles only limited PHI, it's still responsible for following HIPAA's Privacy and Security Rules.
There are also some misconceptions regarding the Privacy and Security Rules. Many people assume that they always work together, so following one will automatically mean that the company is compliant with both. In fact, it's often the case that companies put security restrictions in place that fail to fully protect patient privacy. Failing to have all partners that handle PHI sign business associate agreements is the most common example.
Frequently Asked Questions About PHI and HIPAA Compliance
HIPAA's rules and regulations can be a bit complex, and its definition of PHI isn't exact. The lack of exact definitions and specific steps to take shouldn't be interpreted as an excuse for exercising leniency in the protection of PHI, though.
It's up to the security officers working for covered entities to get a good grasp on what PHI is, how it can be used appropriately, and how it should be protected to ensure HIPAA compliance, but all employees should receive training about how to handle PHI. Before starting employee training sessions, read on to find answers to some frequently asked questions that you'll almost certainly need to answer during the Q&A.
What's the Difference Between PHI and PII?
The difference between PHI and PII is that PHI (Protected Health Information) is used in a healthcare context, while PII (Personally Identifiable Information) is used outside of that context. The term Individually Identifiable Health Information (IIHI) is sometimes used to replace PHI, as well, since they mean the same thing.
Does PHI Have to Definitively Identify a Patient to Be Protected?
PHI does not have to definitively identify a patient to be protected. Any combination of identifiers is considered an example of PHI under HIPAA, even if that combination could apply to dozens of people.
Why Are Email Addresses Considered PHI Identifiers?
Email addresses are considered PHI identifiers even when they don't contain the patient's name because it's easy to look people up using their email addresses. Even if a reverse lookup tool doesn't provide an individual's name, chances are, an unauthorized party could still find out enough about the patient to determine who he or she is.
Protect Data in Transit and at Rest
Protecting data at rest is a task that can usually be handled in-house by your company's information security officer. However, HIPAA also requires all covered entities to take reasonable steps to prevent PHI losses and unauthorized access while data is in transit. The best way for you to protect PHI while it's in transit is to partner with a specialized company like mFax that already has advanced safeguards in place to ensure HIPAA compliance.