Every day, a wide range of organizations — from healthcare providers to insurance companies, dentists, pharmacies, and more — collect, create, store, or otherwise interact with sensitive patient data known as protected health information (PHI). These businesses must meet strict security and privacy requirements established by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) — or else face significant fines and legal actions.
But what counts as PHI? How does it differ from other forms of consumer data? And, perhaps most importantly, what steps should an organization take to ensure that this information is adequately protected?
Below, we answer these and other questions you may have about protected health information so you’ll be better equipped to comply with HIPAA and related regulations.
What is protected health information (PHI)?
Protected health information (PHI) refers to specific types of medical information that can be tied back to an individual person, which is collected or used by healthcare providers and other entities covered by HIPAA.
To fully understand what PHI is, it’s important to break down the different ways medical information can be segmented. This includes health information, individually identifiable health information (IIHI), and finally, protected health information as defined by HIPAA.
Health information is any information related to an individual’s physical and mental health, the treatment they receive, and how they pay for this treatment. Importantly, this includes information about the past, present, and future. It’s important to note that the information must be created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse to qualify as health information.
Individually identifiable health information (IIHI) is a subset of health information. Specifically, the term refers to demographic information, contact information, and geographic information about an individual that is related to their care and which either directly identifies, or has the reasonable potential to identify, the individual.
Protected health information (PHI), then, is any individually identifiable health information specifically transmitted by or maintained in electronic media, or in any other form.
What is ePHI?
ePHI, or electronic protected health information, is a term used to refer to protected health information that is collected, saved, or transmitted in an electronic form. Some examples of ePHI include protected health information collected via a website or web application, sent by email, or digitized from physical copies.
Whether ePHI is stored as a digital file on a local device, on a disk or flash drive, or in the cloud, it is protected by the same provisions of HIPAA that apply to all protected health information. With this ubiquity in mind, when most modern healthcare organizations (and other covered entities) talk about PHI, they’re really talking about ePHI.
Who’s subject to HIPAA laws about PHI?
The companies, businesses, and other organizations subject to HIPAA’s requirements are known as covered entities. These covered entities include:
- Health insurance companies
- Company health plans
- HMOs
- Government health programs (Medicare/Medicaid)
- Doctors
- Hospitals
- Pharmacies
- Clinics
- Psychologists
- Dentists
- Nursing homes
- Other healthcare providers
- Healthcare clearinghouses
In addition to the entities above, any company that works with a covered entity, even if they are not themselves a covered entity, must comply with various pieces of HIPAA — including the Privacy Rule and Security Rule. This includes, but isn’t limited to:
- Companies that collect, store, and destroy medical records
- Companies that provide billing services for a covered entity
- Companies that process healthcare claims
- Companies that administer health plans
- Outside professionals such as IT specialists, lawyers, and accountants
- Subcontractors hired by these organizations
As a rule of thumb, any company that is or that interacts with a covered entity should assume they are subject to HIPAA.
It’s also important to note that even businesses that are not covered entities under HIPAA still have an incentive to protect sensitive consumer information, regardless of whether they are required to do so by law or not. Failure to do so can result in significant loss of customer trust, which can prove catastrophic to any business built on trust.
What identifiers fall under protected health information?
When HIPAA was passed into law, it established a list of 18 identifiers. If a piece of health data contains any of these 18 identifiers, it’s considered protected health information. These identifiers include a person’s:
- Name
- Address
- Birth date, date of admission, discharge date (other than the year)
- Phone numbers
- Fax numbers
- Email addresses
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate or license numbers
- Vehicle identifiers, including license plate numbers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Fingerprints and voiceprints
- Photographic images (not limited to the individual’s face)
- Any other uniquely identifiable characteristics
It’s important to note that this information is typically only considered PHI when it’s collected or used by a covered entity. If it’s created by a business or organization that isn’t a covered entity (and doesn’t interact in any way with a covered entity), it’s not necessarily protected under HIPAA.
Likewise, information that is de-identified (stripped of all personal identifiers) is no longer considered PHI.
How is protected health information used?
At its core, protected health information is primarily used to identify an individual in a healthcare setting and ensure they are receiving appropriate care.
Before a doctor or nurse begins treating a patient, for example, they will typically ask that patient for their name and birthdate. Then, they’ll cross-check this with the information stored within the patient’s chart or medical record to ensure they are delivering care (whatever it may be) to the correct patient.
Certain PHI also makes it possible for a healthcare provider to track a patient’s care over time. When a patient receives care from a given provider, for example, records of that care will be labeled with a medical record number tied specifically to that individual. Using this number, a provider can pull up a patient’s records as necessary to check on past diagnoses, treatment plans, etc.
When it is anonymized and de-identified, PHI is also often used by researchers trying to glean insights into healthcare trends.
How to defend against PHI hacks
Covered entities are required to protect and secure PHI against unauthorized access and other types of impermissible use under HIPAA’s Security Rule. This rule specifically requires covered entities to implement physical, administrative, and technical safeguards to protect against any threat considered “reasonably anticipated.”
Physical safeguards are measures taken to secure physical copies of PHI or physical devices that store PHI. Limiting access to facilities (or parts of facilities) containing PHI is one such physical safeguard. Implementing policies for workstation and device security is another.
Administrative safeguards are the administrative processes and policies an organization implements to secure PHI. Employee training and the implementation of identity and access management (IAM) are examples of administrative safeguards.
Technical safeguards are measures taken specifically to secure ePHI. They include implementing policies around access control, audit control, integrity control, and transmission security. In practice, examples of technical safeguards might include the use of encryption, firewalls, and other technologies.
Learn more about best practices for securing health data.
How to verify patient identity safely
If your company is subject to the PHI rules established by HIPAA — as a covered entity, business associate, or third-party organization — it’s crucial to keep these requirements in mind when designing any processes related to data. This includes your organization’s Know Your Patient (KYP) and patient identity verification processes.
Some ways you can remove risks from your patient identity verification process include:
- Working with a HIPAA-compliant IDV provider
- Automating as much of your IDV process as possible to reduce the possibility of inappropriate access
- Partnering with an IDV solution that will store PII for you
Here at Persona, security and privacy form the bedrock of who we are. Our identity solutions are compliant not only with HIPAA, but also with GDPR, FERPA, CCPA/CPRA, and other state and federal regulations. We’re also proud to offer PII storage for all of our customers so you can spend less time worrying about security and more time running your business.
Interested in learning more? See how we helped an online prescription service deploy identity verification to stay compliant with HIPAA and other regulations.
Ready to get started? Request a demo today.
