The HIPAA Privacy Rule sets out the responsibilities of healthcare providers (and other covered entities) to protect Protected Health Information (PHI), as well as the rights patients have over their own health information. PHI doesn’t just mean information about health. Any data a healthcare provider stores or transmits is PHI if it identifies a patient, because the fact that the person received care is itself health information, even if the data gives no insight into their medical history. Knowing what is and isn’t protected health information under HIPAA is crucial to protecting patient privacy and to keeping your healthcare organization from facing costly fines.
What is Protected Health Information Under HIPAA: Basic Identifiable Information
PHI includes the basic data used to identify a patient, such as their name, birthdate, address, biometric data (e.g. fingerprints or retinal scans), or full-face photographs. It also includes numbers and codes linked to the patient: anything from a driver’s license number, to a Social Security number, to the VIN or license plate of their car.
Any addresses used to communicate with the patient are also protected: their phone and fax numbers, their email address, their IP address, and any web URL tied to them. All of this information counts as PHI when a provider holds it, and it all must be protected under HIPAA.
What is Protected Health Information Under HIPAA: Healthcare information
Protected Health Information also includes a range of healthcare identifiers, including:
- Medical device identifiers and serial numbers (e.g. the serial number of a heart monitor)
- Medical record number(s)
- Health plan number(s)
- Dates directly related to the individual, such as admission, discharge, treatment and death dates (anything more specific than the year)
It also covers any health information for which there is “a reasonable basis to believe the information can be used to identify the individual.” For example, a detailed patient history with no name, birthdate or Social Security number would still count as PHI if it contained enough detail to single the patient out, such as a rare condition combined with a small town and an approximate date.
De-identification: Sharing Data without Sharing Identities
Organizations need to use patient data for quality reviews, HITECH meaningful use statistics, clinical trials and other purposes. Accordingly, information falls outside the Privacy Rule if it:
- Can’t be used to identify a patient (that is, it has been de-identified)
- Concerns a person who has been dead for more than 50 years, or
- Wasn’t obtained through “intervention or interaction” with the individual (a test that comes from the federal research regulations, the Common Rule, rather than from the Privacy Rule itself)
There are situations where PHI may be disclosed without the patient’s authorization, such as alerting law enforcement to a suspicious death or disclosing relevant PHI to family members of the deceased who were involved in their care. Additionally, for certain research purposes, an institutional review board or privacy board can waive the authorization requirement. Beyond treatment, payment, healthcare operations and the other permitted disclosures, though, information generally needs the patient’s authorization or must be de-identified before it can be used.
To strip identifying information, HIPAA defines a process called de-identification, with two recognized methods. Under the Safe Harbor method, the names, dates, numbers and other identifiers listed above must be removed, along with any other unique identifying number, characteristic or code, and the organization must have no actual knowledge that the remaining data could identify the patient. Under the Expert Determination method, a qualified expert documents that the risk of re-identifying anyone from the data is very small. A re-identification code may be retained for internal use as long as it isn’t derived from the identifiers and isn’t disclosed. Once de-identified, the data is no longer PHI and can be used outside of treatment without the patient’s authorization.
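The Safe Harbor removals described above, as an added example (not Virtru’s code and not the rule text): it takes a patient record, drops the direct identifiers, keeps only the year of each date, truncates the ZIP code to three digits, bands ages of 90 and over, and scrubs identifiers that leak into free-text notes with regular expressions. The field names, the sample record, and the small-population ZIP3 list are constructed for illustration; the real ZIP3 list comes from Census data. Regex scrubbing cannot catch names or other context in notes, so it does not by itself satisfy the “no actual knowledge” condition.

```python
"""Safe Harbor style de-identification of a patient record (illustrative)."""
import re
from datetime import date

# Fields the Safe Harbor method removes outright. Assumed record schema.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
}

# Date fields that may be kept as year only (ISO YYYY-MM-DD strings assumed).
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}

# ZIP3 areas with 20,000 or fewer residents must be reported as "000".
# Constructed illustrative subset, not the authoritative Census list.
SMALL_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821"}

# Identifiers that leak into free text. Order matters: dates run before the
# phone pattern so a date is never half-consumed as a phone number.
FREE_TEXT_PATTERNS = [
    ("[SSN]", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("[DATE]", re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
    ("[PHONE]", re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b")),
    ("[EMAIL]", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("[IP]", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("[MRN]", re.compile(r"\bMRN\s*#?\s*\d+\b", re.IGNORECASE)),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or 000 for sparsely populated ZIP3 areas."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in SMALL_ZIP3 else zip3


def generalize_age(birth_iso: str, as_of_iso: str) -> str:
    """Age in whole years at as_of; 90 and over is reported as the band 90+."""
    birth, as_of = date.fromisoformat(birth_iso), date.fromisoformat(as_of_iso)
    years = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
    return "90+" if years >= 90 else str(years)


def scrub_free_text(text: str) -> str:
    """Replace identifier-shaped substrings in notes with labelled placeholders."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict) -> dict:
    """Return a new record with Safe Harbor identifiers removed or generalized."""
    out = {}
    as_of = record.get("admission_date", date.today().isoformat())
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # dropped entirely
        if key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = str(date.fromisoformat(value).year)
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    if "birth_date" in record:
        out["age"] = generalize_age(record["birth_date"], as_of)
        if out["age"] == "90+":
            out.pop("birth_year", None)   # a birth year would reveal age over 89
    return out


# Constructed sample record; every identifier in it is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "4471923",
    "ssn": "123-45-6789",
    "birth_date": "1931-07-04",
    "admission_date": "2024-03-15",
    "discharge_date": "2024-03-19",
    "zip": "02139",
    "email": "jane@example.org",
    "diagnosis": "I50.9",
    "notes": "Pt (MRN 4471923) seen 3/15/2024; daughter reachable at (617) 555-0142, "
             "jdoe@example.org. Home IP 203.0.113.7.",
}

if __name__ == "__main__":
    for field, value in deidentify(SAMPLE_RECORD).items():
        print(f"{field}: {value}")
```

The sample patient is 92 at admission, so the record comes out with the ages band "90+" and no birth year at all; a younger patient would keep the birth year. Anything the regexes do not recognize (a name written into the notes, an unusual account number format) passes through untouched, which is exactly the gap that a human review or an Expert Determination has to close.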
Guarding HIPAA Protected Health Information
HIPAA protected health information has strict definitions, and the HHS Office for Civil Rights (OCR) imposes costly fines for failing to protect it. It’s not enough to have internal rules governing information use: data security in healthcare also depends on technology that prevents unauthorized access to electronic PHI (ePHI).
Organizations need HIPAA compliant email encryption and file storage for all ePHI. Anything containing PHI, from emails confirming appointments to stored medical charts, needs to be protected. That means tools have to be both secure and easy enough for your least tech-savvy patient or partner to use.
Virtru Google Apps (now known as G Suite) encryption provides a convenient solution for the HIPAA compliant cloud, ensuring that healthcare organizations can securely record, store and access PHI without compromising convenience.
Virtru also recently released the HIPAA Compliance Rule Pack. In just a few minutes, you can set up rules that automatically detect and protect PHI before it ever leaves your computer. It’s the easiest way to ensure that your protected health information (PHI) remains encrypted no matter where it travels.
Want to learn more? Contact us to schedule a live demo.