If you’re active in the US healthcare industry, you know the importance of HIPAA compliance regulation. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HIPAA Security Rule and Privacy Rule amendments of 2003 were created to safeguard Protected Health Information (PHI).
This protection is achieved by enforcing a number of HIPAA compliance rules regarding the Physical, Technical, and Administrative safeguards that apply when handling PHI, with the goal of ensuring that a Covered Entity (healthcare organization) and all of its business associates follow the rules that protect patient data.
PHI is individually identifiable health information: patient data that is unique to the patient and can be traced back to an individual. The Health Insurance Portability and Accountability Act (HIPAA) regulation was created to ensure the confidentiality, integrity, and availability of patient information.
Understanding the definition of protected health information is critical for any covered entity. Members of the public and healthcare professionals may have different views on what exactly constitutes PHI, but in practice PHI is any individually identifiable health information held by a covered entity, such as a healthcare provider (consumer health information), a healthcare clearinghouse (insurance and billing information), or a health plan.
You may also encounter the acronym ePHI or e-PHI, or electronic protected health information. e-PHI is protected health information stored or accessed in an electronic format.
Get a Business Associate Agreement today!
Before you can go live with real PHI in your environment, you must have a Business Associate Agreement (BAA) in place. The BAA protects all parties: both the covered entity (typically the healthcare institution) and any business associate (a third party such as Atlantic.Net) must comply with the rules protecting PHI.
The Health Insurance Portability and Accountability Act (HIPAA) has strict rules about this and requires a business associate agreement (BAA) in place.
Components of a BAA
A BAA has three central components:
- Outline exactly how the Business Associate interacts with PHI, including how the protected health information is used and if any disclosure takes place.
- Set clear limitations on what the third party must not do with the data, including any disclosure not stated in the agreement.
- Define appropriate measures to prevent the use or disclosure of PHI other than disclosure that is permitted or required by applicable HIPAA and HITECH mandates.
What is Protected Health Information (PHI) Exactly?
To give you a detailed explanation of what exactly PHI is, we have broken this article into five sections:
- Protected Health Information (PHI) Definition
- 18 Identifiers of PHI
- Research Examples of Protected Health Information (PHI)
- Physical, Technical, and Administrative Safeguards
- Partners in PHI
Protected Health Information (PHI) Definition
What is PHI? The concept of protected health information exists to clarify the scope of HIPAA: it delineates the specific type of data that the law protects.
PHI is any data contained within an electronic health record or other files that refers to a specific individual, together with information that was produced or introduced while performing healthcare tasks such as examinations and therapies.
The provisions of HIPAA permit teams conducting studies to use electronic protected health information (ePHI) to advance medical understanding. However, according to UC Berkeley, information is only protected by the law if it is contained within an electronic health record that was used for a healthcare service.
HIPAA law is overseen by the Office for Civil Rights, an agency within the US Department of Health & Human Services.
The OCR defines PHI as data pertaining to:
- A patient’s health status at any point in time;
- Information regarding any healthcare operations;
- Any instance of care provided to a patient;
- Any billing data “for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.” This applies to past, present, or future billing information from health care providers.
18 Identifiers of PHI
There are 18 elements of data that serve as identifiers, meaning that they are considered protected health information within the context of healthcare services.
If you, as a covered entity, hold data that contains any of this information, it falls under the scope of HIPAA compliance and must therefore meet the physical, technical, and administrative safeguards of HIPAA, including the HIPAA Security Rule and the HIPAA Privacy Rule amendments.
- Any part of a person’s name;
- Any location information that is more specific than the state, such as a street address, town, or county (however, there is an exception: you can use the first three numbers within a ZIP Code if “[t]he geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people” or if you replace the first three digits with 000);
- The months and days of any patient services or events (birthdate, date of treatment, etc.), although the year alone is unprotected. In addition, any data showing that someone is 90 years or older is considered an identifier unless it is aggregated under the single category of 90 and above;
- Any phone number or phone numbers belonging to the patient;
- Any patient fax number(s);
- Any Email address or email addresses;
- Social security numbers or a social security number;
- Medical record numbers;
- Numbers associated with health insurance or plans, such as health insurance beneficiary numbers;
- Account numbers;
- Numbers associated with state registrations or licenses;
- Car tags or vehicle identification numbers (including vehicle identifiers or license plate numbers);
- Device identifiers or any data related to particular computers, including serial numbers;
- URLs specific to individual patients;
- Internet Protocol (IP) addresses of patient devices;
- Anything classifiable as biometric and that identifies the individual, such as a fingerprint;
- Photographs in which the person’s face is visible; and
- Any other features or numbers that directly relate to the patient.
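The ZIP code and age rules in the list above are the parts of de-identification that are easiest to get wrong, so here is a worked example of applying them to a record. This is an added example, not code from the original article or from Atlantic.Net. The field names (`name`, `ssn`, `mrn`, `zip`, `birth_date`, `admit_date`) and the `ZIP3_POPULATION` lookup are constructed for the demo; real work would use actual census counts per three-digit ZIP prefix.

```python
"""Safe Harbor style de-identification of a patient record (added example).

Rules applied, taken from the identifier list above:
  * direct identifiers (name, SSN, MRN, phone, email, ...) are removed;
  * dates keep only the year;
  * ZIP codes keep the first three digits only when the 3-digit area holds
    more than 20,000 people, otherwise they become 000;
  * ages of 90 or older collapse into a single "90+" category, and for those
    patients the birth year is dropped too, because it would reveal the age.
"""
from datetime import date
from typing import Any, Dict, Optional

ZIP_POPULATION_THRESHOLD = 20_000   # from the rule quoted above
AGE_AGGREGATION_LIMIT = 90          # ages >= 90 collapse to "90+"

# Constructed sample populations per 3-digit ZIP prefix (hypothetical, NOT census data).
ZIP3_POPULATION = {"021": 450_000, "999": 12_000}

# Record fields treated as direct identifiers (hypothetical field names); always removed.
DIRECT_IDENTIFIERS = frozenset({
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_no", "license_no", "vehicle_id", "device_id", "url", "ip",
    "biometric", "photo",
})


def generalize_zip(zip_code: str) -> str:
    """Return the 3-digit ZIP prefix, or '000' when the area is too small or unknown."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) < 5:
        return "000"
    zip3 = digits[:3]
    # An unknown prefix defaults to 0 people, so it is suppressed as well.
    if ZIP3_POPULATION.get(zip3, 0) > ZIP_POPULATION_THRESHOLD:
        return zip3
    return "000"


def age_on(birth_date: date, as_of: date) -> int:
    """Whole years between birth_date and as_of."""
    years = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years


def generalize_age(age: int) -> str:
    """Exact age below the limit, single '90+' category at or above it."""
    return "90+" if age >= AGE_AGGREGATION_LIMIT else str(age)


def deidentify(record: Dict[str, Any], as_of_iso: str) -> Dict[str, Any]:
    """Return a copy of record with identifiers removed or generalized.

    as_of_iso is the reference date (YYYY-MM-DD) used to compute the age.
    """
    as_of = date.fromisoformat(as_of_iso)
    birth: Optional[date] = (
        date.fromisoformat(record["birth_date"]) if "birth_date" in record else None
    )
    age: Optional[int] = age_on(birth, as_of) if birth else record.get("age")

    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "age":
            continue                                    # dropped (age is re-added below)
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "birth_date":
            if age is not None and age < AGE_AGGREGATION_LIMIT:
                out["birth_year"] = str(birth.year)     # the year alone is permitted
            # for 90+ the birth year itself indicates the age, so it is omitted
        elif key.endswith("_date"):
            out[key[:-5] + "_year"] = str(date.fromisoformat(value).year)
        else:
            out[key] = value                            # clinical values are kept
    if age is not None:
        out["age"] = generalize_age(age)
    return out


if __name__ == "__main__":
    # Constructed sample record for a fictional patient.
    sample = {
        "name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-0001",
        "zip": "02139-4307", "birth_date": "1930-03-15",
        "admit_date": "2023-06-02", "diagnosis": "osteoarthritis", "pain_score": 4,
    }
    print(deidentify(sample, "2024-01-01"))
```

Note that the 90-and-over rule interacts with the year-only date rule: keeping the birth year of a 93-year-old would reveal an age over 89, so the function suppresses it for that case while retaining the year for younger patients.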
Exceptions when Sharing Health Information
There are, of course, some circumstances when PHI can be shared by a covered entity. When there is a serious risk to the patient’s health, the immediate family may need to know health information urgently. Bulk PHI can be shared by the healthcare industry but only in specific scenarios, mostly regarding academic research. Data must be anonymized, obfuscated, and possibly have key data redacted or changed.
Research Examples of PHI
One way that PHI is used by research teams is to look at the medical files of a certain group of people treated in a particular way for a diagnosed health condition – such as self-reported pain ratings of osteoarthritis patients six months after they were treated with total knee replacements (TKRs). In that case, PHI gives researchers a spotlight on the effectiveness of a particular approach.
Studies Generating PHI
Another scenario in which research must follow HIPAA Compliance is when the study itself generates PHI. That occurs when patients are delivered healthcare services as part of the study, such as diagnostic tests or breakthrough treatments that are being compared to traditional options. One example is a clinical trial that involves people with a certain health condition taking an experimental pharmaceutical, with the PHI submitted to the FDA for the drug’s application.
Medical Studies without PHI
Now, keep in mind, the PHI identifiers listed above are critical. Any health data that is not associated with one of those 18 elements is not classified as protected by the government. For instance, a dataset that contains medical readings is not federally protected just on the basis that the readings were taken. However, if a medical file is connected to a specific patient via the inclusion of an account number, all data within that file is legally protected.
Just because you are conducting research does not mean that you are necessarily working with PHI – in other words, you don’t always need to be concerned with HIPAA. Specifically, if you are conducting research with information that contains identifiers, it’s not protected information if it is unrelated to an interaction (such as outpatient care, transfer of files, or billing) that involves patients’ electronic health records.
What are the Physical Safeguards for PHI / ePHI?
The physical safeguards are the implementation specifications for real-world physical controls on the digital devices that store and handle e-PHI.
Some of the key areas for consideration are:
- How old or faulty equipment is replaced, for example how ePHI media is destroyed
- What personnel access levels are granted to in-scope systems containing ePHI; specifically, covered entities must ensure that access is granted only to employees with the relevant level of authorization
- How third-party IT professionals are trained before accessing in-scope equipment for repairs
What are the Technical Safeguards for PHI / ePHI?
The technical safeguards of the HIPAA Security Rule are more easily defined and cover the technical aspects of any networked computers or devices that communicate with each other and carry PHI in their transmissions.
These precautions include enhanced network security, enhanced system security, data availability, perimeter firewalls, authentication protocols, and more. Any security measure that can be implemented in system software or hardware belongs to the Security Rule’s technical safeguards category.
What are the Administrative Safeguards for PHI / ePHI?
The final standard, the administrative safeguards, covers how covered entities must set up their employee policies and procedures to comply with HIPAA’s Security Rule. Think of it as a separate, dedicated portion of employee training, for both management and staff, defining who gets access and what they can and cannot do once access is granted.
Partners in PHI
The security and integrity of health data are a must for compliance with HIPAA regulations. Hopefully, the PHI examples above help you understand what you need to protect to be federally compliant. However, you also need to know whether your technology providers and business associates understand the needs of your organization.
A HIPAA web hosting solution can help achieve your objective.
“Atlantic.Net’s … financial strength and proven track record are something we view with great confidence,” Complete Healthcare Solutions Vice President Joseph Nompleggi has said of our partnership.
Atlantic.Net is a specialist in HIPAA Compliance, and we have 25 years of experience providing security-defined hosting solutions. For a covered entity or leading healthcare providers, becoming HIPAA Compliant is critical, and choosing the right HIPAA data storage partner can enable them to continue the best patient care possible.
Get More Information
Here are a few links that could be beneficial to Covered Entities and Healthcare providers to comply with the HIPAA regulations:
- How to Become HIPAA-Compliant: Our 10-Step Guide
- Penalties for Non-Compliance of HIPAA – What Is the Fine?
- HIPAA Compliant Hosting for a Web Application: 8 Questions to Ask
- HIPAA Business Associate Agreement – What Is a BAA?
- HIPAA Compliant Hosting – Free Trial
Atlantic.Net: Your HIPAA Compliant Hosting Provider
Whether you are a Covered Entity or a Healthcare Clearinghouse, HIPAA Compliant Hosting from Atlantic.Net can help protect and secure the integrity of your health data! Get started today with a free HIPAA Compliant Hosting trial by phone at 888-618-DATA (3282) or by email at [email protected].