Protected health information (PHI) is any information about health status, provision of health care or payment for health care that is created or collected by a covered entity, or their business associate, and can be linked to a specific individual.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires covered entities to implement safeguards to ensure the confidentiality, integrity and availability of PHI. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 also limited the types of PHI that can be collected from individuals, shared with other organizations or used in marketing.
What is a Covered Entity?
According to the U.S. Department of Health & Human Services (HHS) a covered entity is any healthcare provider, health plan or healthcare clearinghouse:
- Healthcare providers: hospitals, doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies
- Health plans: health insurance companies, health maintenance organization, company health plans, Medicare and Medicaid
- Healthcare clearinghouses: takes in information from a healthcare entity, standardizes the data and then provides the information to another healthcare entity
A business associate is a third-party vendor who performs services on behalf of a HIPAA-covered entity that requires access to, or the use of, protected health information (PHI). It's important to note HIPAA regulation treats data storage companies like AWS, GCP and Azure as business associates.
Learn how to comply with HIPAA's third-party risk requirements.
What is the Definition of Protected Health Information (PHI)?
Protected health information (PHI) is the past, present and future of physical and mental health data and the condition of an individual created, received, stored or transmitted by HIPAA-covered entities and their business associates. PHI can relate to provision of healthcare, healthcare operations and past, present or future payment for healthcare services. PHI is a form of personally identifiable information (PII) that is protected under the HIPAA Privacy Rule.
PHI includes all identifiable health information, including demographic information, medical history, test results, insurance information and other information that could be used to identify a patient or provide healthcare services or coverage.
The method of storage and transmission, whether electronic media or otherwise, does not affect PHI classification.
What are Some Examples of Protected Health Information (PHI)?
HIPAA outlines 18 identifiers that must be treated with special care:
- Names
- All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
- Dates (other than year) directly related to an individual
- Phone Numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary number
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger, retinal and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
PHI is any personally identifiable information (PII) that can be linked to health records or is used by a HIPAA covered entity or business associate in relation to healthcare services or payment. Practically speaking PHI can show up in a number of different documents, forms and communication including:
- Billing information
- Emails
- Appointment scheduling apps
- MRI scans
- Blood test results
- Phone records
What is ePHI?
Electronic protected health information (ePHI) is any PHI created, stored, transmitted or received electronically. The HIPAA Security Rule has guidelines in place that dictate how to assess ePHI.
ePHI includes any PHI data stored on:
- Personal computers used at home, work or travel
- External hard drives
- Magnetic tape
- Removable storage such as USB drives, CDs, DVDs and SD cards
- Smartphones and other smart devices
- File transfer and cloud storage solutions
What is Not Considered Protected Health Information (PHI)?
Any data that does not meet the following two conditions is not PHI:
- Data can identify the patient
- Data is used or disclosed by a covered entity during the course of care
Note: education records or employment records are covered by different federal regulations and do not apply to a cover entity in its role as an employer. In the case of an employee-patient, protected health information does not include information held on the employee by the healthcare organization in its role as an employer, only as a healthcare provider.
Further, information about a person who has been deceased for more than 50 years is no longer considered PHI.
What is PHI Used For?
Healthcare organizations deal with sensitive data about patients, including birth dates, medical conditions and insurance claims.
Beyond its use to patients and health professionals, PHI is valuable to clinical and scientific researchers when de-identified or anonymized. For cyber criminals, PHI is valuable personally identifiable information (PII) that can be used for identity theft, sold on the dark web or held hostage through ransomware.
This is why organizations cannot sell PHI unless it's used for public health activities, research, treatment, services rendered or the merger or acquisition of a HIPAA-covered entity and has been de-identified or anonymized.
HIPAA also gives individuals the right to make written requests to amend PHI stored in a covered entity.
What is De-Identification and Anonymization?
De-identification under the HIPAA Privacy Rule is when data is stripped of common identifiers by removing the specific identifiers listed above and then verifying with an experienced statistician who can validate and document that the statistical risk of re-identification is very small.
Anonymization is the process in which PHI elements are eliminated or manipulated with the purpose of hindering the possibility of going back to the original data set. This means removing all identifying data to create unlinkable data.
De-identification and anonymization allows healthcare data to be used for research, development and marketing purposes.
What are the Data Protection Requirements of Protected Health Information (PHI)?
Covered entities and business associates sign HIPAA business associate agreements that legally bounds them to handle PHI in a way that satisfies the HIPAA Privacy and Security Rules.
They are also subject to HIPAA audits conducted by the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) to prove they are HIPAA compliant.
Data protection requirements are outlined in HIPAA Privacy and Security Rules.
HIPAA Privacy governs how healthcare organizations can use and share PHI. Meanwhile, the Security Rules cover security measures, including software, that restrict unauthorized access to PHI.
Covered entities must demonstrate their cybersecurity minimizes the likelihood of unintended disclosure of PHI in data breaches and data leaks. Vendor risk management is a particularly important part of managing cybersecurity risk for covered entities who outsource to third-party vendors.
Before entering into any business associate agreements, covered entities must perform a cybersecurity risk assessment to understand how the business associate manages information security and whether they meet HIPAA compliance.
Ask to see their information security policy and SOC 2 report.
Cover entities must have a robust third-party risk management framework and vendor management policy, and where possible automate vendor risk management.
Should Healthcare Organizations Invest in Cybersecurity?
With increased scrutiny for HIPAA violations, massive fines for PHI data breaches and no safe harbor for accidental PHI data leaks, it pays to invest in cybersecurity.
Depending on the level of negligence, fines range from $100 to $50,000 for a single accidental violation, with a single violation due to willful neglect resulting in an automatic $50,000 fine. The maximum penalty for violations of an identical provision is $1.5 million per year.
Pair this with new data privacy laws in the European Union, e.g. The General Data Protection Regulation (GDPR) which impacts personally identifiable information (PII) more widely.
The truth is that every third-party vendor introduces third-party risk and fourth-party risk, increasing possible attack vectors (vulnerabilities, malware, phishing, email spoofing, domain hijacking and man-in-the-middle attacks) a cyber criminal could use to launch a successful cyber attack. This is why defense in depth is important.
Due to the reproducibility of data and limitations of digital forensics and IP attribution, it's almost impossible to track down where exposed data ends up.
In monetary terms, the average cost of a healthcare data breach is $6.45 million. It pays to prevent data breaches.
Find out how healthcare organizations can prevent data breaches.
How UpGuard Can Prevent Protected Health Information (PHI) Data Breaches and Data Leaks
UpGuard monitors both the internal and external attack surface for data leaks and security exposures putting PHI at risk of compromise.
UpGuard helps you manage the complete Vendor Risk Management lifecycle, from securing the vendor onboarding process to executive reports summarising your VRM efforts. With UpGuard, you can have greater peace of mind over the security and integrity of all customer PHI data.
.jpg){kind=avatar}
