For most healthcare organizations, protecting patient privacy is the most important aspect of HIPAA, and the most difficult. HIPAA uses the term Protected Health Information (PHI) to refer to protected data, but the concept is very similar to the term Personally Identifiable Information (PII), which is used in other compliance regimes. Understanding how PII and PHI overlap can help organizations unify compliance efforts across regimes, reducing the risk, cost and complexity of keeping data safe.
PHI vs. PII
As the name implies, personally identifiable information is any data that can identify a person. Certain information, like full name, date of birth, address and biometric data, is always considered PII. Other data, like first name, first initial and last name, or even height or weight, may only count as PII in certain circumstances, or when combined with other information.
For example, a record that referred to “Mr. Smith in New York” would be unlikely to contain enough information to give away the subject’s identity. If the patient had a less common name and lived in a small city, however, it would probably count as PII, since it would be easy to deduce who the subject was.
Although it doesn’t explicitly address personally identifiable information, HIPAA regulates situations like this under the term Protected Health Information. PHI includes anything used in a medical context that can identify patients, such as:
- Credit card number
- Driver’s license
- Medical records
PHI is subject to strict confidentiality and disclosure requirements that don’t apply to most other industries in the United States. In other words, protecting PHI is always legally required, but protecting PII is only mandated in some cases.
Developing a Unified Compliance Approach
The United States is unusual in having no single privacy and data protection standard or government entity. Instead, American companies face industry-specific laws, along with city, state and international compliance regulations.
Although this allows many industries to use consumer data more extensively, it also creates serious compliance risks. For example, because California has tougher PII laws than other states, a company that legally tracks users from Nevada when they visit its website could breach compliance if a Californian surfed in.
Although PHI requirements are strict, a HIPAA compliance checklist won’t necessarily address PCI, EU data protection laws and other regulations. Rather than developing individual programs for each regime, organizations should implement PII security best practices across the board, then iterate to meet remaining, regime-specific rules.
Auditing PII: Developing Compliance-Ready Security
Good security starts with identifying PII across your organization, whether it’s in medical databases, email, backups or a partner’s IT environment. PII then needs to be categorized by how much harm a breach could cause, a measurement known as the confidentiality impact level. NIST recommends considering the following factors:
- Identifiability: Is it easy to uniquely identify the individual using the PII?
- Quantity of PII: How many identities could be compromised by a breach? The way your data is organized is a factor. For example, a clinic would likely have more PII at risk if it shared a database with allied clinics than if it maintained a separate database.
- Data Field Sensitivity: How much harm could the data cause, if breached? A phone number is less sensitive than a credit card or social security number, for example. However, if a breach of the phone number would most likely also compromise name, SSN or other personal data, that phone number should be considered sensitive.
- Context of Use: Does the way the information is used affect its impact? For example, imagine your hospital had an opt-in newsletter for patients, doctors, organizations and other community members. A list of newsletter subscribers would contain the PII of some patients, but that info would be less sensitive than the same PII in patient medical records, since it wouldn’t necessarily indicate patient status.
- Obligations to Protect Confidentiality: What information are you required to protect under HIPAA, HITECH, PCI and other regimes? This is obviously a key consideration for healthcare organizations.
- Access to and Location of PII: The personally identifiable information HIPAA governs is often stored, transported and processed by third-party IT services, accessed offsite by medical professionals who aren’t employees of the organization and processed by a variety of business associates. This creates risks that wouldn’t be present, for example, if the PII were locked in a vault and could only be accessed by one doctor.
Implementing PII Security Best Practices
Any data you store is potentially vulnerable. Collecting less data and purging unnecessary PII from your records is the easiest way to reduce that vulnerability. You should also de-identify data where possible. When done properly, measures like anonymizing patient feedback and removing or tokenizing PII can take that data out of the scope of HIPAA entirely.
Access control is another valuable PII security best practice. Sensitive information should only be accessible by people who need it to do their jobs. For example, front desk staff who don’t handle billing don’t need access to complete medical records.
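As an added illustration (not from the original article), the Python below applies the removal and tokenization described above to a single record. The field names, sample record and key are constructed assumptions, and the code does not decide whether its output meets HIPAA's de-identification standard.

```python
import hashlib
import hmac

# Assumption: which fields count as direct identifiers is a local policy
# decision; these field names are hypothetical, not a HIPAA-defined schema.
DROP_FIELDS = {"name", "address", "phone", "email"}
TOKENIZE_FIELDS = {"mrn", "ssn"}


def tokenize(value: str, key: bytes, field: str) -> str:
    """Keyed, deterministic token: the same input gives the same token, so
    records can still be joined. A keyed HMAC is used instead of a bare hash
    because identifiers like SSNs have a small space and an unkeyed hash of
    them can be reversed by enumeration. The field name is mixed in so equal
    values in different fields produce different tokens."""
    msg = f"{field}:{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def deidentify(record: dict, key: bytes) -> dict:
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue  # data minimization: not needed downstream, so not kept
        if field in TOKENIZE_FIELDS:
            out[field] = tokenize(str(value), key, field)
        elif field == "date_of_birth":
            out["birth_year"] = str(value)[:4]  # generalize: keep the year only
        else:
            out[field] = value
    return out


# Constructed sample data. In practice the key comes from a secrets manager
# and is stored separately from the tokenized data set.
SAMPLE_KEY = b"constructed-demo-key-not-for-production"
SAMPLE = {
    "name": "Jane Example", "mrn": "00123456", "ssn": "000-00-0000",
    "date_of_birth": "1980-04-17", "phone": "555-0100",
    "feedback": "Wait time was too long.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE, SAMPLE_KEY))
```

Free-text fields such as the feedback comment can still carry identifiers and need separate review. Anyone holding the key can re-link tokens to the original values, so access to the key needs the same restriction as access to the source records.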
Explicit policies and regular trainings can help ensure your workers use secure email and storage, but getting patients to use email encryption is trickier. Many balk at the inconvenience of healthcare portals, leading to very low adoption rates. Virtru Pro allows patients to use their own email accounts and encrypt messages and attachments with a single click, removing the inconvenience that prevents meaningful use.
Beyond Personally Identifiable Information: HIPAA Business Associates
HIPAA goes beyond PII security best practices in its requirements for partner organizations. Under the HIPAA privacy rule, health care providers have considerable legal liability for breaches caused by business associates.
Cloud services, contractors, medical claim processors and most other organizations which use, store or process PHI all count as business associates. You need to sign Business Associate Agreements (BAAs) with each of these organizations, describing:
- Appropriate use of PHI
- Safeguards for protecting against breaches
- Steps to remediate breaches and violations
- Breach notification procedures
Your organization should evaluate business associates carefully to ensure they’re actually capable of holding up their end of the bargain. Organizations should have clearly documented data security policies and practices in place before they sign a BAA, and should voluntarily undergo regular audits to ensure compliance.
Beyond Personally Identifiable Information: HIPAA Notices and Notifications
HIPAA also has strict requirements for how health information can be used and disclosed, and requires a notice of privacy practices be provided to the patient. The notice of privacy should cover a range of information, including:
- How the organization can use and disclose the patient’s information
- The patient’s rights
- The organization’s duty to protect the information, and other legal duties
- Who the patient should contact for more information
HIPAA also has specific rules for breach notification. Under HIPAA compliance best practices, organizations must notify anyone whose data has been compromised within 60 days of the breach. Making sure your partners use encryption is crucial. Encrypted data is exempt from breach notification, unless the key is exposed as well. In many cases, this can make the difference between a close call and a costly breach notification.
Following PII security best practices helps organizations err on the side of caution. HIPAA isn’t a set of arcane and arbitrary rules to make your life difficult — it’s a useful framework to ensure a high standard of care and confidentiality for your patients. A PII best practices approach simplifies compliance by turning it into a single set of rules that can be used across your organization. That makes it easier to keep patients safe, and ensure sensitive information doesn’t fall through the cracks.