Protected health information (PHI) is any information about health status, provision of health care or payment for health care that is created or collected by a covered entity, or their business associate, and can be linked to a specific individual.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires covered entities to implement safeguards that protect the confidentiality, integrity and availability of PHI. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 strengthened HIPAA: it made business associates directly liable for compliance, introduced the Breach Notification Rule, raised civil penalties, and restricted the sale of PHI and its use in marketing without the individual's written authorization.
What is a covered entity?
According to the U.S. Department of Health & Human Services (HHS), a covered entity is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with a HIPAA standard transaction (for example, billing a health plan):
- Healthcare providers: hospitals, doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies
- Health plans: health insurance companies, health maintenance organizations, company health plans, Medicare and Medicaid
- Healthcare clearinghouses: organizations that receive health information from one healthcare entity, convert it to or from a standard format, and pass it on to another healthcare entity
What is a business associate?
A business associate is a third-party vendor that performs services on behalf of a HIPAA-covered entity and, in doing so, creates, receives, maintains or transmits protected health information (PHI). Note that HHS treats cloud service providers such as AWS, Google Cloud and Microsoft Azure as business associates when they store or process PHI, even if the data is encrypted and the provider never sees the plaintext.
What is the definition of protected health information (PHI)?
Protected health information (PHI) is individually identifiable health information, in any form, that relates to an individual's past, present or future physical or mental health or condition, the provision of healthcare to that individual, or the past, present or future payment for that care, and that is created, received, maintained or transmitted by a HIPAA-covered entity or its business associate. PHI is a form of personally identifiable information (PII) that is protected under the HIPAA Privacy Rule.
PHI includes all identifiable health information, including demographic information, medical history, test results and insurance information, together with any other information that could be used to identify the patient or to provide healthcare services or coverage.
The method of storage and transmission, whether electronic media or otherwise, does not affect PHI classification.
What are some examples of protected health information (PHI)?
The HIPAA Privacy Rule's Safe Harbor de-identification standard lists 18 identifiers of the individual (and of their relatives, employers and household members) that must be removed before data is considered de-identified:
- Names
- All geographic subdivisions smaller than a state, including street address, city, county, precinct and ZIP code, except the initial three digits of a ZIP code when, according to current U.S. Census Bureau data, the area formed by all ZIP codes sharing those three digits contains more than 20,000 people; for areas of 20,000 or fewer people the three digits are replaced with 000
- All elements of dates (except year) directly related to an individual, such as birth date, admission date, discharge date and date of death, plus all ages over 89 and any date elements (including year) that reveal such an age, although these may be aggregated into a single category of 90 or older
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) addresses
- Biometric identifiers, including finger, retinal and voice prints
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic or code, except a re-identification code that is not derived from information about the individual, as the Privacy Rule permits
PHI is any personally identifiable information (PII) that can be linked to health records or that a HIPAA-covered entity or business associate uses in relation to healthcare services or payment. Practically speaking, PHI shows up in many documents, forms and communications, including:
- Billing information
- Appointment scheduling apps
- MRI scans
- Blood test results
- Phone records
What is ePHI?
Electronic protected health information (ePHI) is any PHI created, stored, transmitted or received electronically. The HIPAA Security Rule applies specifically to ePHI and sets out the administrative, physical and technical safeguards required to protect it, including a periodic risk analysis.
ePHI includes any PHI data stored on:
- Personal computers used at home, at work or while travelling
- External hard drives
- Magnetic tape
- Removable storage such as USB drives, CDs, DVDs and SD cards
- Smartphones and other smart devices
- File transfer and cloud storage solutions
What is not considered protected health information (PHI)?
Data is PHI only if both of the following conditions hold; anything that fails either is not PHI:
- The data identifies the patient, or there is a reasonable basis to believe it could be used to identify them
- The data is created, received, maintained or transmitted by a covered entity or business associate in relation to the individual's health, healthcare or payment for healthcare
Note: education records covered by FERPA and employment records held by a covered entity in its role as an employer are excluded from PHI. For an employee-patient, records the organization holds as an employer (for example, sick leave requests) are not PHI, while records it holds as that person's healthcare provider are.
Further, information about a person who has been deceased for more than 50 years is no longer considered PHI.
What is PHI used for?
Healthcare organizations deal with sensitive data about patients, including birth dates, medical conditions and insurance claims.
Beyond its use to patients and health professionals, PHI is valuable to clinical and scientific researchers once it has been de-identified. For cyber criminals, PHI is valuable personally identifiable information (PII) that can be used for identity theft, medical fraud and extortion, sold on the dark web, or held hostage through ransomware.
This is why the Privacy Rule prohibits the sale of PHI without the individual's written authorization, with limited exceptions such as public health activities, research (for no more than a cost-based fee), treatment and payment, and the sale or merger of a HIPAA-covered entity. Properly de-identified data is no longer PHI and falls outside this restriction.
HIPAA also gives individuals the right to make written requests to amend PHI stored in a covered entity.
What is de-identification and anonymization?
The HIPAA Privacy Rule recognizes two de-identification methods. Under Safe Harbor, the 18 identifiers listed above are removed and the covered entity has no actual knowledge that the remaining data could identify the individual. Under Expert Determination, a person with appropriate statistical and scientific knowledge applies generally accepted methods and documents that the risk of re-identification is very small. Either method removes the data from the Privacy Rule's scope.
Anonymization is the process in which identifying elements are eliminated or manipulated with the purpose of hindering any return to the original data set, ideally leaving data that cannot be linked back to an individual. HIPAA does not define anonymization as a distinct term (it is the language of regimes such as GDPR); what matters under HIPAA is whether one of the two de-identification methods has been satisfied.
De-identification and anonymization allow healthcare data to be used for research, development and marketing purposes.
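As an added example (not UpGuard's code and not part of the original article), the following Python implements the Safe Harbor rules from the identifier list above on a single record: direct identifiers are dropped, ZIP codes are truncated to three digits (or 000 for low-population prefixes), dates are reduced to year, ages over 89 collapse into a 90+ bucket, and any remaining free text is scanned for identifier patterns so the record is rejected rather than released when something leaks through. The field names, the sample record and the restricted ZIP-prefix set are assumptions for the example; the prefix set reflects HHS guidance derived from 2000 Census data and must be refreshed from current Census data before real use. It implements Safe Harbor only; Expert Determination requires a statistical analysis this block does not attempt.

```python
from __future__ import annotations

import re
from datetime import date

# Fields treated as direct identifiers and dropped outright. Field names are an
# assumption for this example; map them onto your own schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo",
}
# Date fields reduced to year only (or suppressed entirely for ages over 89).
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "date_of_death"}

# Three-digit ZIP prefixes whose combined population was 20,000 or fewer in
# HHS guidance based on 2000 Census data. Illustrative only: refresh this set
# from current Census data before relying on it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Patterns used to catch identifiers that survived inside free text. They are
# deliberately broad: a false positive costs a manual review, a false negative
# is a breach.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def generalize_zip(zip_code: str | None) -> str | None:
    """Keep only the first three digits, or 000 for low-population prefixes."""
    if not zip_code:
        return None
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    if len(zip3) < 3:
        return None
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_age(age: int | None) -> str | None:
    """Ages over 89 collapse into the single '90+' bucket."""
    if age is None:
        return None
    return "90+" if age > 89 else str(age)


def generalize_date(value: str | None, age_over_89: bool) -> str | None:
    """Reduce an ISO date to its year; drop the year too if it would reveal an age over 89."""
    if not value:
        return None
    year = date.fromisoformat(value).year
    return None if age_over_89 else str(year)


def find_residual_identifiers(text: str) -> list[str]:
    """Return the kinds of identifier patterns still present in free text."""
    return sorted(kind for kind, pat in RESIDUAL_PATTERNS.items() if pat.search(text))


def deidentify(record: dict) -> dict:
    """Apply Safe Harbor to one record; refuse to emit it if free text still leaks identifiers."""
    age_over_89 = (record.get("age") or 0) > 89
    out: dict = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "age":
            out["age"] = generalize_age(value)
        elif key in DATE_FIELDS:
            out[f"{key}_year"] = generalize_date(value, age_over_89)
        else:
            out[key] = value
    # Fail closed: the "no actual knowledge" part of Safe Harbor means we must
    # not release a record whose free-text fields still carry identifiers.
    free_text = " ".join(v for v in out.values() if isinstance(v, str))
    residual = find_residual_identifiers(free_text)
    if residual:
        raise ValueError(f"record still contains identifiers in free text: {residual}")
    return out


# Constructed sample record (fictional data, not from any real patient).
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "mrn": "MRN-000123",
    "zip": "03601",
    "state": "NH",
    "dob": "1931-04-12",
    "age": 92,
    "admission_date": "2023-06-01",
    "diagnosis": "Type 2 diabetes",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```

Running it on the sample record yields a state, a ZIP prefix of 000 (036 is a low-population prefix), an age of 90+, suppressed years for both dates (because the patient is over 89) and the diagnosis; the name, SSN, email and MRN are gone. A record whose notes field contains a phone number is rejected with a ValueError instead of being released, which is the behaviour you want in a pipeline feeding a research data set.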
What are the data protection requirements of protected health information (PHI)?
Covered entities and business associates sign HIPAA business associate agreements (BAAs) that legally bind the business associate to handle PHI in a way that satisfies the HIPAA Privacy and Security Rules; since HITECH, business associates are also directly liable for Security Rule compliance.
Both are subject to HIPAA audits and investigations conducted by the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR), and must be able to demonstrate compliance.
Data protection requirements are set out in the HIPAA Privacy and Security Rules.
The Privacy Rule governs how healthcare organizations may use and disclose PHI. The Security Rule requires administrative, physical and technical safeguards for ePHI, such as access controls, audit logging, integrity controls, transmission security and a documented risk analysis.
Covered entities must be able to show that their security program minimizes the likelihood of unintended disclosure of PHI through data breaches and data leaks. Vendor risk management is a particularly important part of that program for covered entities that outsource to third-party vendors.
Before entering into a business associate agreement, a covered entity should assess how the prospective business associate manages information security and whether it can meet HIPAA requirements; the Security Rule's required risk analysis should also account for the ePHI that vendors hold on the entity's behalf.
Should healthcare organizations invest in cybersecurity?
Civil penalties are tiered by the level of culpability: under the HITECH tiers, they range from $100 to $50,000 per violation, a violation due to willful neglect that is not corrected carries a minimum $50,000 penalty, and the annual cap for violations of an identical provision is $1.5 million (these figures are adjusted annually for inflation).
Add to this newer data privacy laws such as the European Union's General Data Protection Regulation (GDPR), which covers personally identifiable information (PII) more broadly and applies to health data about EU residents wherever it is processed.
The truth is that every third-party vendor introduces third-party risk and fourth-party risk, widening the set of attack vectors (vulnerabilities, malware, phishing, email spoofing, domain hijacking and man-in-the-middle attacks) a cyber criminal could use to launch a successful attack. This is why defense in depth matters.
How UpGuard can prevent protected health information (PHI) data breaches and data leaks
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches, monitor for vulnerabilities and avoid malware.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry.
Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We'll alert you if their score drops.
If you'd like to see how your organization stacks up, get your free Cyber Security Rating.
UpGuard BreachSight can help combat typosquatting, prevent data breaches and data leaks, avoid regulatory fines and protect your customers' trust through cyber security ratings and continuous exposure detection.