What is Protected Health Information (PHI)?

Protected health information can be current, historical, or related to the patient’s medical future. For example, genetic tests indicating potential illness in the future would qualify. Data about physician visits from a decade ago also fall under the PHI umbrella.

Holders of Protected Health Information must follow HIPAA’s privacy and security requirements. The Department for Health and Human Services (HHS) publishes a range of standards. These standards govern how to handle PHI. Non-compliance with HHS standards leads to financial penalties or criminal prosecution.

Defining protected health information is a critical task for HIPAA compliance. This article will provide a comprehensive answer to the question of what protected health information is.

We will discuss why some information does not qualify as PHI. We will explore some examples of PHI disclosure. And we will finish with best practices to secure PHI according to HIPAA requirements.

What is considered personal health information?

Patients and healthcare providers must know what qualifies as Protected Health Information. You may also see PHI referred to as “personal health information”. Identifiers for both terms are identical.

In simple terms, PHI represents individually identifiable health information. PHI includes data that identifies patients and links their identity to medical data.

HIPAA PHI Identifiers

• Patient names
• Dates of procedures, tests, or consultations
• Locations of patients or healthcare professionals
• Phone numbers
• Email addresses
• Fax numbers
• Social Security Numbers
• Medical Record Numbers
• Health Plan Beneficiary Numbers
• Bank account numbers
• License or certificate numbers
• Unique device identifiers
• Vehicle registration codes
• Health website URLs
• Device IPs
• Biometric identification factors
• Facial photos
• Other unique identifiers associated with a patient

What is ePHI?

PHI is often called Electronic Protected Health Information (ePHI). The two classifications are closely related. The critical difference is that ePHI refers to digitally stored health records.

HIPAA recommends different compliance strategies to defend ePHI. Paper records require physical security controls and access rules. Digital databases require controls like encryption, network segmentation, firewalls, and multi-factor authentication (MFA).

Providers must also consider how ePHI is stored and transmitted. For instance, companies may backup medical records on magnetic tapes or portable drives. Organizations must secure and track these devices to ensure patient privacy.

Under HIPAA, a Covered Entity has three critical goals when handling ePHI.

• Privacy. Organizations must secure electronic health records from external attackers. They must protect data from unauthorized disclosure.
• Data integrity. Organizations must store digital health records according to HIPAA standards. Covered entities must limit access to individuals with a professional need to consult patient data.
• Access. HIPAA includes a Right of Access for patients. Organizations must make ePHI available to patients upon request.

What is not considered PHI?

Not all health-related information qualifies as “protected.” Healthcare organizations must share information to manage customer relationships and arrange treatment. Information sharing requires easy access to some forms of patient data. Examples of unprotected health information include:

• Anonymized health data. Large-scale data analysis requires vast amounts of accurate patient information. Regulations allow the use of de-identified information for data processing. This information lacks unique identifiers. Users should not be able to identify individuals associated with data records.
• Employment and education records. Information related to an employee health plan is usually not classed as protected health information. The same applies to health information relating to educational environments. For example, college or school nurse records may not fall under the protected category.
• Personal records. Patients may store health data on apps or smart devices. For instance, smartwatches can store data about sleep patterns and heart rate. This information would not fall under PHI.
• Research data. Data collected for academic research is not usually protected health information. This data is anonymized and aggregated. Research bodies should seek patient consent to gather information.
• Information shared with contacts. Patients may share private information with friends or relatives. If the recipient is not a HIPAA Covered Entity, this does not constitute protected health information.
  
  

Information not classed as PHI under the HIPAA Security Rule may still require protection. For example, the Family Educational Rights and Privacy Act (FERPA) protects health data stored by educational institutions. Healthcare organizations need to assess their compliance posture. They must determine which regulations apply to the data they hold.

What are incidental disclosures of PHI?

The most common compliance violation associated with Protected Health Information is incidental disclosure. Incidental disclosure occurs when a Covered Entity exposes PHI to unauthorized actors. Exposure is not deliberate, and disclosing PHI is not the aim of the individual at fault.

HHS often views incidental disclosure as a minor regulatory violation. HIPAA rules recognize that organizations cannot protect every item of Protected Information. Regulators tend to treat inadvertent data exposure leniently. However, the incident must meet several criteria before qualifying as “incidental.”

• Minimization. Covered Entities must seek to minimize the potential for incidental disclosure. Organizations must cut the amount of data exposed when carrying out professional duties.
• Security controls. Organizations must implement safeguards to protect PHI. The disclosure must occur despite the presence of compliant security controls and policies.
• Lack of intention. Disclosure must be completely accidental. There can be no intent to share PHI with outsiders.
• Limited scope. Information disclosure must involve a few records. HHS classes incidents involving many patients as regulatory violations. In those instances, intention does not matter. They usually result in penalties from the Office for Civil Rights (OCR).
  
  

A few quick case studies explain exactly what incidental disclosure means.

1. An employee at a HIPAA Covered Entity sends an email to a patient to schedule a future appointment. But the employee accidentally sends the message to an incorrect email address. The incident involves a single record, and there is no intent. This would qualify as “incidental” exposure.
2. A cosmetic clinic hires a specialist on a short-term contract. When they enter the waiting room, the specialist recognizes a friend. This exposes the identity of the patient and their treatment location. Both are examples of PHI. However, the specialist is a compliant Business Associate under HIPAA. Disclosure is accidental. So, there is no compliance violation.
3. A nurse is searching for a patient’s records on a healthcare database. They accidentally mistake another patient record for the one they seek. They also briefly learn details about the patient’s condition. Exposure is an accidental outcome of the nurse carrying out their legitimate duties. So, it qualifies as incidental disclosure.

Why do criminals seek access to PHI?

Individually, many PHI items are harmless and reveal little about their owner. Despite this, stealing consumer health information is a thriving industry. And there are several reasons why this criminal strategy makes sense.

Firstly, criminals can sell health records for a profit. Individual PHI records retail for around $1 per record. However, a complete patient health record can fetch as much as $250 on the Dark Web.

Individually identifiable health information also provides in-depth details about a target. Attackers can pose as clinical professionals and carry out phishing attacks. Emails or phone calls featuring confidential information are much more convincing.

Social security numbers and other unique identifiers enable criminals to steal identities. Attackers can create detailed imitations of actual individuals. They can use these profiles to get financial data. They can file illegitimate medical claims or access social media and email accounts.

PHI also makes it easier to execute blackmail attacks. Patients may not want to publicize details about their health. However, attackers can leverage personal knowledge to extract ransoms or demand additional information.

How should compliant organizations handle PHI?

HIPAA-Compliant organizations must follow the HIPAA Privacy Rule and the Security Rule. Simplify this challenge by dividing compliance into patient privacy and data security.

Patient privacy

• Organizations must notify patients about their privacy rights under HIPAA. Patients must know how their data is stored and processed. And they should have a clear route to request PHI from their healthcare provider.
• Patients should be able to request changes to their PHI if they discover inaccuracies.
• Healthcare providers must request consent when sharing PHI. This applies for reasons other than treatment, essential healthcare operations, and payment.
• During their operations, organizations must apply the “Minimum Necessary” rule. Every HIPAA Covered Entity must minimize its use of PHI.
• In the event of PHI exposure, HIPAA-compliant organizations must inform affected patients. And they should inform HHS according to the HIPAA Breach Notification Rule.
• Third parties handling PHI must sign Business Associate agreements. These agreements confirm that they are HIPAA compliant.
• Employees who handle PHI must receive privacy and security training.

Data security

• Healthcare organizations must create security policies to protect PHI. Policies should describe security controls and processes. Compliance teams should regularly review security policies to ensure they meet HIPAA standards.
• Every Covered Entity should secure PHI with encryption. Encryption applies to PHI during storage and transmission.
• Access controls and authentication systems should restrict unauthorized access to PHI. Only users with a professional purpose should gain access to protected information.
• Physical safeguards should protect PHI against theft, illegitimate access, and accidents or disasters.
• Companies must execute regular risk assessments to ensure that PHI is properly secured.

Best practices for protecting PHI

Meeting HIPAA requirements may seem complicated. Simplify the compliance challenge by following several best practices for handling healthcare data.

Document the location of PHI

Organizations can only protect PHI if they know its location and status. Create an inventory of all protected health information. This inventory is the foundation for applying security controls and managing access.

Audit your security processes

Carry out penetration testing to determine whether PHI is vulnerable to external attacks. Audit storage systems to ensure PHI is only accessible to authorized users. Evaluate staff training and breach notification procedures. And bring together the findings in a comprehensive data security audit.

Implement security controls

Use the audit document to make security controls compliant. Use secure encryption to defend PHI at rest. Put in place multi-factor authentication and access management to screen access requests. Block illegitimate users with firewalls and network segmentation. And protect data with anti-virus and malware scanning tools.

Document access to PHI

Log all access requests to protected health data. Organizations should be able to determine who has accessed health records. They should know when access occurred and what users did with the data.

Apply secure data retention policies

HIPAA compliance requires Covered Entities to retain PHI for at least six years. This begins when organizations generate patient records. However, be aware that state data retention rules vary. Some states require longer retention periods. Retain the minimum amount of PHI necessary. And use secure disposal procedures such as degaussing to destroy obsolete data.

Prepare for incidents with disaster recovery plans

Organizations need a clear incident recovery plan. This should cover cyber-attacks, natural disasters, and other data breaches. Assign employees to an incident response team. Schedule regular backups and test recovery processes regularly.

Ensure that you report incidents according to the HIPAA Breach Notification rule. Create procedures for staff to escalate alerts. And create a communication plan to inform key stakeholders. This should include regulators, internal managers, Business Associates, and patients.

Make data security part of every Business Associate agreement

When onboarding a new Business Associate, include strict requirements about protecting patient privacy and securing data. Choose compliant partners and carry out comprehensive risk assessments before commissioning services.

Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.