When working toward HIPAA compliance, it is vital to understand what counts as PHI, or Protected Health Information, under HIPAA. Where HIPAA is concerned, patients’ private health information must be kept safe and secure. Read on to find out what counts as PHI under HIPAA so you can remain compliant and protect your patients.
Quick Recap: What is HIPAA?
Before we break down what protected health information (PHI) is, let’s quickly recap what HIPAA, the Health Insurance Portability and Accountability Act, is. Passed by the U.S. Congress in 1996, HIPAA was designed to improve the portability of health insurance coverage while also requiring that patients’ health information be handled properly by their healthcare providers and health plans. HIPAA also standardized certain administrative transactions, which has helped streamline the healthcare industry over the two decades since its implementation. For more information on HIPAA and your rights under it, check out this other blog by our experts at RSI Security.

Why Be HIPAA Compliant?
Achieving HIPAA compliance is essential for any business that wishes to become a leader in the healthcare industry. Not convinced? Here are some of the many benefits of being HIPAA compliant:
What is Protected Health Information (PHI)?
PHI held by HIPAA covered entities is protected by the HIPAA Privacy Rule, which gives patients several rights over their health information while still permitting covered entities to use and disclose enough of it to provide adequate, informed care. Under HIPAA, PHI is individually identifiable health information: information that relates to an individual’s past, present, or future physical or mental health condition, the provision of health care to the individual, or payment for that care, and that identifies the individual or could reasonably be used to do so. It is PHI when it is created, received, maintained, or transmitted by a covered entity or its business associate, in any form or medium, including for healthcare operations and billing. The following information falls under PHI:
The following information does NOT fall under PHI:
PHI includes records in any form or medium (paper, electronic, or oral), while ePHI is the subset of PHI that is created, stored, received, or transmitted electronically.

HIPAA Privacy Rule
PHI is protected under the HIPAA Privacy Rule, which sets strict conditions on when PHI may be used or disclosed, whether during patient care or while it is being stored and processed. The Privacy Rule requires covered entities to maintain reasonable administrative, physical, and technical safeguards for PHI; the detailed safeguard requirements for electronic PHI are spelled out in the Security Rule. Together they balance effective communication around patient care with the privacy of PHI. For more detailed information on the HIPAA Privacy Rule, check out our other blog on its Top 5 Components. For now, here’s a short refresher:
More on ePHI
Any PHI that is transmitted, stored, received, or created electronically is Electronic Protected Health Information (ePHI). ePHI remains subject to the Privacy Rule like all PHI, but it is additionally governed by the HIPAA Security Rule, which sets the safeguard requirements specific to electronic data. Media used to store ePHI includes:
Transmission methods of ePHI include:
Electronic PHI is protected through administrative, technical, and physical safeguards: for example, firewalls and other security controls around the systems that store digital data, physical storage devices kept locked away, and access to data limited to specific employees on a need-to-know basis.

HIPAA Security Rule
The HIPAA Security Rule applies specifically to ePHI but overlaps substantially with the HIPAA Privacy Rule. Like the Privacy Rule, it requires extensive tracking, documentation, and reporting when managing, processing, or transmitting ePHI.

Data and Cloud Storage for ePHI
HIPAA treats data storage companies as Business Associates (BAs). This covers both physical and digital storage, including cloud service providers, even when the provider never accesses the ePHI it stores (for example, because the data is encrypted and the provider holds no key). To manage these relationships, covered entities must execute Business Associate Agreements (BAAs) with their BAs that “clearly delineate liability in the event of a data breach” and define the administrative, physical, and technical safeguards needed to maintain PHI integrity.

The 18 Identifiers that Define PHI
With the main components and implications of HIPAA laid out, we can now explore exactly what information is considered Protected Health Information under HIPAA. Understanding what falls under PHI is vital because any violation of the HIPAA Privacy and Security Rules can lead to financial or even legal penalties, and ignorance of HIPAA is not a valid defense. As previously mentioned, PHI is health information that can be tied to an individual patient. Under HIPAA, health information is individually identifiable, and therefore PHI, when it is combined with one or more of the following 18 identifiers:
Note that once information is stripped of these identifiers, and the covered entity has no actual knowledge that what remains could identify the individual, it is considered de-identified and is no longer subject to the HIPAA Privacy Rule.

De-identification of Protected Health Information (PHI)
Should a covered entity wish to conduct studies on large sets of medical data, de-identification is necessary to maintain HIPAA compliance while supporting the use of data for policy assessment, scientific research, and comparative effectiveness studies. The HIPAA Privacy Rule, though strict, recognizes the immense benefit of using health information at scale for scientific inquiry and so permits a covered entity or BA to use de-identified data for such purposes. The Privacy Rule defines two de-identification methods for turning PHI into data that is no longer restricted or protected under HIPAA:

The “Expert Determination” Method
Under this method, the covered entity may treat health information as not individually identifiable only if:
The “Safe Harbor” Method
Under this method, the covered entity may consider the information de-identified if all 18 PHI identifiers are removed, including identifiers of the individual’s relatives, household members, and employers, and the covered entity has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual.

Re-Identified Information
So that de-identification does not make the data unusable for follow-up, a covered entity may assign a code or other means of record identification that allows the de-identified information to be re-identified later. This is permitted provided that:
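As an added illustration of the Safe Harbor method and the re-identification code described above (this is example code written for this page, not RSI Security’s tooling, and the record layout, field names, and sample values are constructed assumptions; Expert Determination is a statistical judgement and is not modelled here), the following Python applies Safe Harbor to a single patient record: direct identifiers are removed, dates are reduced to the year, ZIP codes are truncated to three digits (or 000 for the low-population prefixes), ages over 89 collapse into a single 90+ bucket along with the birth year that would reveal them, free text is dropped because a rule-based scrubber cannot reliably clean it, and the record is tagged with a random re-identification code whose mapping back to the medical record number lives in a separate vault rather than being derived from the record.

```python
"""Safe Harbor de-identification with a separately held re-identification key.

Added example for this page, not RSI Security's tooling: the record layout,
field names, and sample values are constructed assumptions.
"""
import secrets
from datetime import date
from typing import Dict, Optional, Tuple, Union

# Direct identifiers from the Safe Harbor list: removed outright.
DIRECT_IDENTIFIERS = {
    "name", "mrn", "ssn", "phone", "fax", "email", "account_number",
    "health_plan_id", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "photo", "biometric",
}
# Date elements directly related to the individual: reduced to the year.
DATE_FIELDS = {"admit_date", "discharge_date", "death_date"}
# Narrative text is dropped: a rule-based scrubber cannot reliably find
# identifiers embedded in free text, so keeping it would not be Safe Harbor.
FREE_TEXT_FIELDS = {"note"}
# Three-digit ZIP prefixes covering 20,000 people or fewer, which Safe Harbor
# requires to be reported as 000. List as published in the HHS de-identification
# guidance (2000 Census figures); recheck against current guidance before use.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "mrn": "MRN-0042",
    "name": "Jane Q. Sample",
    "dob": "1931-03-14",
    "admit_date": "2023-07-04",
    "zip": "03601",
    "phone": "555-0100",
    "diagnosis": "Type 2 diabetes mellitus",
    "note": "Jane Sample, reachable at 555-0100, reports improved glucose control.",
}


def safe_harbor_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits unless the prefix is population-restricted."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def safe_harbor_age(dob_iso: str, as_of_iso: str) -> Union[int, str]:
    """Exact age through 89; everyone older goes into the single '90+' bucket."""
    dob, as_of = date.fromisoformat(dob_iso), date.fromisoformat(as_of_iso)
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else age


class ReidentificationVault:
    """Maps random tokens back to the source MRN.

    Kept and access-controlled separately from the de-identified data set. The
    token is random, not derived from the record: a hash or HMAC of the MRN
    would be derived from information about the individual and would not
    satisfy the re-identification code conditions.
    """

    def __init__(self) -> None:
        self._mrn_by_token: Dict[str, str] = {}

    def issue(self, mrn: str) -> str:
        token = secrets.token_hex(16)
        self._mrn_by_token[token] = mrn
        return token

    def lookup(self, token: str) -> Optional[str]:
        return self._mrn_by_token.get(token)


def deidentify(record: Dict[str, str], as_of_iso: str,
               vault: ReidentificationVault) -> Tuple[Dict[str, Union[int, str]], str]:
    """Apply Safe Harbor to one record; return (de-identified record, token)."""
    out: Dict[str, Union[int, str]] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in FREE_TEXT_FIELDS:
            continue
        if key == "dob":
            age = safe_harbor_age(value, as_of_iso)
            out["age"] = age
            # Birth year is an allowed date element only while the age itself
            # is below 90; for a 90+ patient the year alone would reveal the age.
            if age != "90+":
                out["birth_year"] = value[:4]
        elif key in DATE_FIELDS:
            out[key] = value[:4]          # ISO date -> year only
        elif key == "zip":
            out[key] = safe_harbor_zip(value)
        else:
            out[key] = value              # clinical content such as diagnosis
    token = vault.issue(record["mrn"])
    out["record_token"] = token           # the only link back, via the vault
    return out, token


if __name__ == "__main__":
    vault = ReidentificationVault()
    cleaned, token = deidentify(SAMPLE_RECORD, "2024-01-01", vault)
    print(cleaned)
    print("re-identifies to", vault.lookup(token))
```

Run stand-alone, the sample record comes out with only age (90+), admission year, ZIP 000, the diagnosis, and the random token; the vault, which would be stored and access-controlled separately in practice, is the only way to get back to MRN-0042, and the code is never disclosed alongside the data set.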
How to Treat Patient Protected Health Information
Under the HIPAA Security Rule, covered entities are expected to protect ePHI against reasonably anticipated threats and impermissible uses or disclosures. They are therefore required to implement safeguards that ensure the confidentiality, integrity, and availability of ePHI. HIPAA specifies which administrative, physical, and technical safeguard standards must be addressed, but for most of them it does not prescribe particular technologies or methods; those are chosen by the covered entity based on its own risk analysis.
How RSI Security Can Help
Achieving compliance with cybersecurity industry standards may seem difficult, but it doesn’t have to be. RSI Security offers a wide variety of compliance validation and guidance services that can help your organization meet the highest standards of cybersecurity compliance so you can focus on your business goals and doing what you do best. If you are reading this blog, your business is probably in the healthcare industry, so you already know that protecting health information is a top priority for a company that wants to keep its clients satisfied and stay far away from serious financial and legal repercussions. RSI Security offers several services that will help carry your company to the next level of reputation and customer satisfaction through HIPAA compliance:
Closing Thoughts
Although HIPAA compliance measures can seem intimidating, with the help of RSI Security, compliance is not only possible but painless. The first step toward HIPAA compliance is a clear understanding of what protected health information is and how to manage it securely and privately, so that you do not violate the HIPAA Privacy and Security Rules. Continue reading our expert blogs at RSI Security and be sure to check out our compliance advisory services, which provide in-depth guidance on HIPAA compliance for patient protection and satisfaction.

Download Our Complete Guide to Navigating Healthcare Compliance Whitepaper
Not sure if your HIPAA or healthcare compliance efforts are up to snuff? Unsure where to even start? Download RSI Security’s comprehensive guide to navigating the HIPAA and healthcare compliance labyrinth.

Sources:
HIPAA Journal. What is Considered Protected Health Information Under HIPAA? https://www.hipaajournal.com/what-is-considered-protected-health-information-under-hipaa/
Compliancy Group. Protected Health Information: HIPAA PHI. https://compliancy-group.com/protected-health-information-understanding-phi/
HHS.gov. What is PHI? https://www.hhs.gov/answers/hipaa/what-is-phi/index.html
HHS.gov. Methods of De-identification of PHI. https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html#protected

RSI Security
RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institutions and governments to ensure the safety of their information and their compliance with applicable regulation. We are also a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software-based automation and managed services, RSI Security can assist organizations of all sizes in managing IT governance, risk management and compliance (GRC) efforts. RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA).