Understanding HIPAA Protected Health Information
Health Insurance Portability and Accountability Act (HIPAA) is a set of specific rules that came into effect in 1996 to control how healthcare providers and insurers handle private patient data. When providers interact with a patient’s sensitive information, it’s HIPAA that mandates their information stays private. Let’s explore what does and does not constitute Protected Health Information (PHI) under HIPAA laws.
What Is Protected Health Information Under HIPAA?
According to HIPAA, PHI is considered any individually identifiable health information related to the past, present, or future physical or mental condition of an individual. This relates to the health-related treatments they're receiving, their current health plans, or their health insurance coverage. Leaking this sensitive information, whether by accident or on purpose, can lead to serious consequences.
PHI can also include demographic identifiers that link directly to health information, as well as ePHI (Electronic Protected Health Information) that has been created, received, maintained, or transmitted electronically.
PHI identifiers include:
- Names and addresses
- All elements of dates related to an individual's birth, admission to a healthcare facility, or date of death
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social Security Number (SSN)
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Device identifiers and serial numbers
- URLs or IP addresses
- Biometric identifiers (including finger and voice prints)
What Is Not Considered PHI?
Protected health information that has been stripped of its identifiers is no longer considered PHI. For example, a medical study may provide a dataset of health information consisting of blood pressure readings or pulse rates, but without the ability to identify who those vital signs came from, it cannot be considered PHI.
Additionally, PHI refers specifically to health information that is handled by a covered entity or business associate (see definitions below). That same information gathered elsewhere may not be considered PHI, through health and wellness apps, employee or education records, wearable devices like smartwatches, and information collected during an appointment inquiry (but only before an individual becomes a patient).
Who Is Covered Under PHI Regulations Under HIPAA?
Anyone who works in healthcare, either as an employee or a contractor, needs to be compliant with the privacy rules of HIPAA, including healthcare providers who transmit claims electronically. Even organizations like medical insurers, law firms, and clearinghouses are legally required to comply with HIPAA rules.
It doesn't matter if an employee is at a private practice, public clinic, hospital outpatient department, blood bank, or pathology lab — they are required to comply with these standards. If an organization does not follow the rules of HIPAA, the employer will likely be fined by the government if they get caught.
What are Covered Entities?
A covered entity is an organization that collects, generates, or transmits personal health information electronically. This includes any person or organization that provides healthcare to patients. A medical clinic, a hospital outpatient department, and an urgent care provider are all included in this definition. Any place where a patient gets treatment is automatically covered under HIPAA.
What are Business Associates?
Business associates provide services for a healthcare organization. A business associate is any organization that comes into possession of PHI during the course of work it has been contracted to perform on behalf of a covered entity, such as a medical billing company, software developer, or website hosting company.
When Is PHI Disclosure Required?
PHI is permitted to be shared in a few unique circumstances, as required by law. PHI disclosure could be required when suspicions of child abuse need to be reported, or when complying with a subpoena. Obviously, individuals also have access to their own PHI, and providers must give patients that information within 30 days of their request.
How To Stay Compliant with PHI
Failing to securely safeguard crucial healthcare information, either physically or digitally, is among the leading causes of HIPAA violations. Even a simple mistake, like an employee leaving medical records unattended in their healthcare facility, could leave their organization vulnerable to data leaks and steep HIPAA violation fines. Cybersecurity is another major priority when dealing with PHI since a data breach on just one device could mean breaking HIPAA rules and regulations.
Clients’ perceptions of your business greatly depend on how you handle their private and sensitive healthcare information by staying in compliance with HIPAA. All executives, managers, employees, providers, administrative staff, and anyone else who might be involved in handling protected health information on behalf of a covered entity should receive compliance training on the HIPAA Privacy Rule and the HIPAA Security Rule. EasyLlama’s HIPAA compliance training provides an in-depth examination of how to respond to a breach of confidential data and the best way to protect your patients.
If your healthcare organization is in need of a HIPPA training solution for your staff, be sure to check out the customizable HIPAA courses available from EasyLlama. Engage your employees, contractors, and supervisors with our interactive training that features Hollywood-produced videos and game-like quizzes to promote knowledge retention. Sign up for your free preview today to experience the most advanced HIPAA training on the market!