For most healthcare organizations, protecting patient privacy is the most important aspect of HIPAA, and the most difficult. HIPAA uses the term Protected Health Information (PHI) to refer to protected data, but the concept is very similar to the term Personally Identifiable Information (PII), which is used in other compliance regimes. Understanding how PII and PHI overlap can help organizations unify compliance efforts across regimes, reducing the risk, cost and complexity of keeping data safe.
As the name implies, personally identifiable information is any data that can identify a person. Certain information like full name, date of birth, address and biometric data are always considered PII. Other data, like first name, first initial and last name or even height or weight may only count as PII in certain circumstances, or when combined with other information.
For example, a record that referred to “Mr. Smith in New York” would be unlikely to contain enough information to give away the subject’s identity. If the patient had a less common name and lived in a small city, however, it would probably count as PII, since it would be easy to deduce who the subject was.
Although it doesn’t explicitly address personally identifiable information, HIPAA regulates situations like this under the term Protected Health Information. PHI includes anything used in a medical context that can identify patients, such as:
PHI is subject to strict confidentiality and disclosure requirements that don’t apply to most other industries in the United States. In other words, protecting PHI is always legally required, but protecting PII is only mandated in some cases.
The United States is unusual in having no single privacy and data protection standard or government entity. Instead, American companies face industry-specific laws, along with city, state and international compliance regulations.
Although this allows many industries to use consumer data more extensively, it also creates serious compliance risks. For example, because California has tougher PII laws than other states, a company that legally tracks users from Nevada when they visit its website could breach compliance if a Californian surfed in.
Although PHI requirements are strict, a HIPAA compliance checklist won’t necessarily address PCI, EU data protection laws and other regulations. Rather than developing individual programs for each regime, organizations should implement PII security best practices across the board, then iterate to meet remaining, regime-specific rules.
Good security starts with identifying PII across your organization, whether it’s in medical databases, email, backups or a partner’s IT environment. PII then needs to be categorized by how much harm a breach could cause — a measurement known as the confidentiality impact level. The NIST recommends considering the following factors:
Any data you store is potentially vulnerable. Collecting less data and purging unnecessary PII from your records is the easiest way to reduce that vulnerability. You should also de-identify data where possible. When done properly, measures like anonymizing patient feedback and remove or tokenizing PII can take that data out of the scope of HIPAA entirely.
Access control is another valuable PII security best practice. Sensitive information should only be accessible by people who need it to do their jobs. For example, front desk staff that don’t handle billing, don’t need access to complete medical records.
Explicit policies and regular trainings can help ensure your workers use secure email and storage, but getting patients to use email encryption is trickier. Many balk at the inconvenience of healthcare portals, leading to very low adoption rates. Virtru Pro allows patients to use their own email accounts and encrypt messages and attachments with a single click, removing the inconvenience that prevents meaningful use.
Beyond Personally Identifiably Information — HIPAA Business Associates
HIPAA goes beyond PII security best practices in its requirements for partner organizations. Under the HIPAA privacy rule, health care providers have considerable legal liability for breaches caused by business associates.
Cloud services, contractors, medical claim processors and most other organizations which use, store or process PHI all count as business associates. You need to sign Business Associate Agreements (BAAs) with each of these organizations, describing:
Your organization should evaluate business associates carefully to ensure they’re actually capable of holding up their end of the bargain. Organizations should have clearly documented data security policies and practices in place before they sign a BAA, and should voluntarily undergo regular audits to ensure compliance.
Beyond Personally Identifiably Information — HIPAA Notices and Notifications
HIPAA also has strict requirements for how health information can be used and disclosed, and requires a notice of privacy practices be provided to the patient. The notice of privacy should cover a range of information, including:
HIPAA also has specific rules for breach notification. Under HIPAA compliance best practices organizations must notify anyone whose data has been compromised within 60 days of the breach. Making sure your partners use encryption is crucial. Encrypted data is exempt from breach notification, unless the key is exposed as well. In many cases, this can make the difference between a close call and a costly breach notification.
Following PII security best practices helps organizations err on the side of caution. HIPAA isn’t a set of arcane and arbitrary rules to make your life difficult — it’s a useful framework to ensure a high standard of care and confidentiality for your patients. A PII best practices approach simplifies compliance by turning it into a single set of rules that can be used across your organization. That makes it easier to keep patients safe, and ensure sensitive information doesn’t fall through the cracks.
Contact us to learn more about our partnership opportunities.