Most healthcare professionals understand that many of HIPAA’s regulations are about safeguarding protected health information (PHI), but there is still a great deal of confusion over what PHI actually is and is not. We all know that things like Social Security numbers and bank account information should be kept under lock and key, but it’s not just the obvious details that can be used maliciously. Those are only two of the 18 identifiers that constitute PHI, and it takes just one of them falling into the wrong hands for your practice to have a HIPAA breach on its hands. Fully safeguarding this sensitive data therefore starts with a complete understanding of what needs to be protected, and of why protecting it matters so much.
What is PHI and ePHI?
PHI can be defined as any personal health data created, transmitted, received, or stored by a covered entity or its business associate (BA) that could potentially identify an individual. Among the many documents, forms, records, and other communications your practice handles every day, PHI is more than likely present in most, if not all, of them. As you probably already know, and as the 86% of providers currently using Electronic Health Records (EHR) can attest, many of these communications are conducted electronically and therefore contain electronic protected health information (ePHI). So whether the information is transmitted, received, or simply stored on paper or in electronic form, if it contains any one of the following identifiers of PHI, it needs to be properly protected:
- Names (Full or last name and initial)
- Social Security numbers
- Phone numbers including an area code
- Email addresses
- Fax numbers
- Dates (other than year) directly related to an individual such as birthday or treatment dates
- Medical record numbers
- Bank account numbers
- Certificate/driver's license numbers
- Health insurance beneficiary numbers
- Vehicle identifiers (including serial numbers and license plate numbers)
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger, retinal, and voice prints
- Full face photographs and any comparable images that can identify an individual
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
- And in most cases, any geographical identifiers smaller than a state, except for the initial three digits of a zip code
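Several of the identifiers above have a recognizable textual shape (Social Security numbers, phone numbers with an area code, email addresses, IP addresses, URLs, dates, ZIP codes), which is what makes them practical targets for an automated check before a document, export, or log line leaves your systems. The scanner below is an added example, not code from the original article; its regular expressions and the sample clinical note are constructed for illustration and are deliberate approximations: they will produce false positives (any 5-digit number looks like a ZIP code) and cannot find names, photographs, biometrics, medical record numbers, or the "any other unique code" identifiers, which have no fixed format. It shows detection and redaction by category so that a flagged record can be reviewed or logged without re-exposing the PHI it contains.

```python
import re
from typing import Dict, List, Tuple

# Constructed patterns for the identifiers that have a recognizable shape.
# Order matters for redaction: longer or more specific patterns (SSN, URL)
# run before looser ones (ZIP code) so a number inside a URL is not tagged twice.
PHI_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    # Social Security numbers: AAA-GG-SSSS, excluding invalid area/group/serial ranges
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # US phone numbers that include an area code; (?<!\w) instead of \b so "(555)" is accepted
    "phone_with_area_code": re.compile(r"(?<!\w)\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # Dotted-quad IPv4 addresses with each octet in 0..255
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    # http(s) URLs; the final character class drops trailing sentence punctuation
    "url": re.compile(r"\bhttps?://[^\s<>\"']+[^\s<>\"'.,;:)]"),
    # MM/DD/YYYY dates (treatment dates, birthdays); the year alone is not PHI
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    # 5-digit or ZIP+4 codes; the first three digits alone would be permitted
    "zip_code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}


def scan_for_phi(text: str) -> Dict[str, List[str]]:
    """Return every identifier found in `text`, keyed by category.

    Categories with no matches are omitted, so an empty dict means
    "nothing recognizable was found" (not "no PHI": names and photos are invisible here).
    """
    found: Dict[str, List[str]] = {}
    for category, pattern in PHI_PATTERNS.items():
        matches = [m.group(0) for m in pattern.finditer(text)]
        if matches:
            found[category] = matches
    return found


def redact_phi(text: str) -> str:
    """Replace each detected identifier with its category tag, e.g. [SSN].

    The tagged text keeps enough context to investigate a finding without
    copying the PHI itself into a ticket or log.
    """
    redacted = text
    for category, pattern in PHI_PATTERNS.items():
        redacted = pattern.sub(f"[{category.upper()}]", redacted)
    return redacted


def flag_lines(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line_number, sorted categories) for every line containing recognizable PHI."""
    hits: List[Tuple[int, List[str]]] = []
    for number, line in enumerate(lines, start=1):
        categories = sorted(scan_for_phi(line))
        if categories:
            hits.append((number, categories))
    return hits


# Constructed sample note; every value here is fictitious.
SAMPLE_NOTE = (
    "Patient seen 03/14/2019. Contact (555) 123-4567 or j.doe@example.com. "
    "SSN 123-45-6789 on file. Portal: https://portal.example.org/chart/8812. "
    "Home ZIP 90210. Session from 192.168.10.44."
)

if __name__ == "__main__":
    for category, values in scan_for_phi(SAMPLE_NOTE).items():
        print(f"{category:22s} {values}")
    print(redact_phi(SAMPLE_NOTE))
    print(flag_lines(["no identifiers here", "fax 555-0100", "ip 10.0.0.7 logged"]))
```

In practice a check like this belongs at the points where data leaves the practice (outbound email gateways, export jobs, application logs), and a hit should route the record to a human reviewer rather than block it outright, since the patterns are intentionally broad.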
Why does it need to be protected?
So now that you know what qualifies as PHI, it’s important to know why and how it should be protected. To hackers and other individuals with malicious intent, a healthcare practice holding patients' sensitive information is a gold mine, considering that a single medical record can be valued at up to $250 on the black market. To put that into perspective, financial and banking information is only valued at $5.40. So why such a large price tag on PHI? Unlike a credit card, if your sensitive health information gets into the wrong hands you can’t simply cancel the card or change your information. Healthcare data breaches are hard to detect, and once that sensitive information is out there, it’s much more difficult to get back.
How should it be protected?
As you can see from the 18 identifiers listed above, PHI comes in many different shapes and sizes, and keeping it out of harm's way requires more than locks on your doors and passwords on your computers. HIPAA law outlines how PHI should be protected in its Security Rule and Privacy Rule requirements, which prescribe administrative, technical, and physical safeguards that are all essential for securing patient data. While these safeguards protect PHI when it’s being stored and handled within your practice, encryption is key to maintaining data integrity when it’s being sent or received, and proper disposal is crucial once the PHI is no longer needed.
So now that you know the what, why, and how, let’s talk about the who. With patient complaints and data breaches continuing to reach all-time highs, it’s more important now than ever to ensure that everyone who works with your patients’ PHI is doing so properly. Best protecting your patients means conducting regular HIPAA training for all staff members, having signed business associate agreements with all third-party vendors, and maintaining a complete compliance program that meets these government requirements and encompasses all the necessary safeguards.