What is Protected Health Information?

Jun 9, 2021

The term Protected Health Information (PHI) was coined with the introduction of the Health Insurance Portability and Accountability Act (HIPAA) in 1996. The role of HIPAA is to make sure your personal health information is kept private. Since most of HIPAA's rules and regulations revolve around protecting PHI, it's important for anyone working in healthcare to know what it is and how to handle it in order to stay in compliance with HIPAA.

So, what is PHI?

Protected health information is any identifiable information that appears in medical records, as well as in conversations between healthcare staff (such as doctors and nurses) regarding a patient's treatment. It also includes billing information and any information that could be used to identify an individual in a company's health insurance records.

If you work in healthcare, or aspire to, your job might require you to know and use someone's protected health information so they can pay for medical expenses or receive treatment. Understanding what PHI includes, and why securing this data is so important, will help ensure that you take the necessary steps to keep it secure.

What Information is Considered PHI?

To be considered PHI, and therefore subject to HIPAA compliance, information must be both personally identifiable (or recognizable as belonging to the patient) and used or disclosed to a covered entity in the course of healthcare.

The identifiers that make health information PHI are:

  • Patient Name (full or last name and initial)
  • Date of birth
  • Address (anything more specific than state, including street address, city, county, precinct, and in most cases zip code, and their equivalent geocodes)
  • Social security number
  • Phone/fax number
  • Email address
  • MAC address of the network card on a device
  • IP address of a device
  • Driver's license number
  • License plate numbers
  • Biometric data (fingerprints, retina scans, etc.)
  • Medical record numbers
  • Medical device serial numbers
  • Health plan account numbers
  • Dates of visits, admission, discharge, and treatment
  • Payments/bills
  • Photographs
  • Diagnostic codes

It's important to know that PHI also includes information that's not current. For example, an old phone number, address, or driver's license number is still considered protected health information.
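As an added illustration (not part of the original article), the following Python scanner flags several of the identifiers listed above in free text, the kind of check a covered entity might run before a record leaves its systems. The regular expressions and the sample record are assumptions constructed for this example.

```python
import re

# Heuristic patterns for several of the identifiers listed above. They are
# assumptions made for this example (a DLP-style pre-send scan), not a
# complete de-identification rule set, and will produce some false positives.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s*|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mac": re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "mrn": re.compile(r"\bMRN[-\s]?\d{6,}\b", re.IGNORECASE),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}

# Constructed sample record for the demonstration; not real patient data.
SAMPLE_RECORD = (
    "Patient Jane Doe, DOB 03/14/1985, MRN-0012345, SSN 123-45-6789, "
    "phone (555) 555-0142, email jane.doe@example.com, ZIP 90210; "
    "wearable MAC 00:1A:2B:3C:4D:5E reported from 192.168.1.20."
)


def find_phi(text: str) -> dict:
    """Map each identifier type found in text to the values matched."""
    hits = {}
    for kind, pattern in PHI_PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            hits[kind] = matches
    return hits


def redact(text: str) -> str:
    """Replace every matched identifier with a [TYPE] placeholder."""
    for kind, pattern in PHI_PATTERNS.items():
        text = pattern.sub(f"[{kind.upper()}]", text)
    return text


if __name__ == "__main__":
    for kind, values in find_phi(SAMPLE_RECORD).items():
        print(f"{kind:6} {values}")
    print(redact(SAMPLE_RECORD))
```

Running the scanner over a line of bare tracker readings (steps, heart rate) returns nothing, which matches the article's point that such data on its own is not PHI.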

“Covered Entities” Under HIPAA

A covered entity is anyone who provides treatment, payment, or operations in healthcare, as well as business associates who have access to patient information and provide support in treatment, payment, and operations. Subcontractors and any other related business associates must also be HIPAA compliant.

This can include:

  • Doctors' offices, dental offices, and clinics
  • Psychologists
  • Nursing homes
  • Pharmacies
  • Hospitals or home healthcare agencies
  • Health plans, insurance companies, HMOs
  • Government programs that pay for healthcare
  • Healthcare clearinghouses

As you can see, covered entities span a range of industries and jobs. It's extremely important for anyone who comes into contact with PHI to be aware of HIPAA's Privacy and Security Rules. Everyone from HR representatives, IT staff, health plan administrators, and accounts payable to company owners and executives must use caution when handling PHI. Whether you work in one of these roles, or aspire to, 黑料传送门 offers a variety of online degree programs and professional development opportunities that can help strengthen your knowledge of PHI as it relates to human resources, information technology, or health information management.

What Information is Not Considered PHI?

Not all identifiable information is considered PHI. PHI only relates to information on patients or health plan members. It doesn't include information created or maintained for employment records, such as an employee's health records. Health data that's not shared with a covered entity, or that can't be used to identify someone, doesn't qualify as PHI either. For instance, the heart rate or daily step count that an Apple Watch tracks isn't PHI, because the data collected isn't being shared with a covered entity.

Below are additional examples of non-PHI:

  • Blood sugar readings
  • Temperature scans
  • Readings from a heart rate monitor
  • Data from a health tracker

When it comes to determining what's PHI and what's not, a good rule of thumb is this: if a device or application stores, records, or transmits personally identifiable health data to a covered entity, then that data should be considered PHI.

Examples of PHI

PHI exists in multiple forms: electronic (ePHI), verbal, and written. Here are some examples of what that could look like:

  • Billing information from your doctor
  • Blood test results
  • An email to a doctor's office about your medication or prescription
  • Appointment scheduling notes from your healthcare provider
  • Reminder texts or voicemails about your doctor's appointment
  • Any record containing both your name and the name of your medical provider
  • Any document that includes a Medicaid or Medicare number

Examples of Disclosure

The HIPAA Privacy Rule allows PHI to be shared without patient authorization under certain circumstances. Those exceptions for disclosure include:

  • When preventing a serious and imminent threat to the health and safety of a patient or the public, based on the health care provider's professional judgment.
  • When coordinating or managing treatment of a patient between providers.
  • When ensuring the public鈥檚 health and safety for the purpose of preventing or controlling disease, injury or disability.
  • When notifying family, friends, and others involved in care.
  • When notifying the media and public (if the patient has not objected to release of PHI).

Legal Obligations for Managing PHI

Under the HIPAA Privacy and Security Rules, healthcare organizations are required to secure patient information that's stored or transferred digitally. These requirements are designed to protect PHI from threats such as data breaches and hackers. Organizations are also legally required to maintain their HIPAA compliance by monitoring changes in the law and upgrading outdated technologies.

When it comes to keeping patient data secure, HIPAA's Privacy and Security Rules require healthcare organizations to exercise best practices in three areas: administrative, physical, and technical security.

Administrative requirements

These requirements cover training and procedures for employees, regardless of whether the employee has access to PHI or not. Some of the legal requirements under this standard include:

  • Annual HIPAA training and education on the organization's specific security procedures
  • Sanctions against any employee who violates security procedures
  • A data breach response plan
  • Annual data security assessment

Physical security requirements

The physical security requirements outlined by HIPAA are designed to prevent physical theft and loss of devices that contain patient information. Some examples of this include:

  • Limiting access to buildings that contain information systems like computers and servers
  • Securing workstations that contain PHI
  • Putting policies in place for how devices containing PHI can be removed from a facility

Technical security requirements

Under this rule, technical safeguards must be put into place to protect networks and devices from data breaches. Some technical security requirements include:

  • Policies and procedures that allow only authorized individuals to access PHI
  • Hardware or software that records and monitors access to systems that contain PHI
  • Procedures to ensure that PHI is not altered, destroyed, or tampered with
  • Security measures that protect against unauthorized access to PHI that's being transmitted over an electronic network

These can often be the most challenging regulations for organizations to understand and implement. Organizations can meet their legal obligations under HIPAA by having the right professionals in place to ensure healthcare data is both secure and accessible.
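To make the first three technical requirements concrete, here is an added example (not from the original article or any vendor): a hypothetical PHI store that authorizes by role, logs every access attempt including denied ones, and verifies an HMAC integrity tag on every read so that a record altered outside the application is caught. The roles, permissions, and key handling are assumptions for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical minimal PHI store (not a real product) showing three safeguards:
# role-based authorization, an access log that records denied as well as allowed
# attempts, and an integrity tag that detects records altered outside the app.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "billing": {"read"},
    "it_support": set(),  # administers systems but has no business need to read PHI
}


class PhiStore:
    def __init__(self, integrity_key: bytes):
        self._key = integrity_key  # in practice issued and held by a KMS or HSM
        self._records: dict[str, dict] = {}
        self._tags: dict[str, str] = {}
        self.audit_log: list[dict] = []

    def _tag(self, record_id: str, record: dict) -> str:
        # HMAC-SHA256 over the canonical JSON form, bound to the record id.
        payload = record_id.encode() + json.dumps(record, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def _authorize(self, user: str, role: str, action: str, record_id: str) -> None:
        # Every attempt is logged before the decision is enforced.
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                               "role": role, "action": action, "record": record_id,
                               "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not {action} {record_id}")

    def write(self, user: str, role: str, record_id: str, record: dict) -> None:
        self._authorize(user, role, "write", record_id)
        self._records[record_id] = dict(record)
        self._tags[record_id] = self._tag(record_id, record)

    def read(self, user: str, role: str, record_id: str) -> dict:
        self._authorize(user, role, "read", record_id)
        record = self._records[record_id]
        # A record edited behind the application's back no longer matches its tag.
        if not hmac.compare_digest(self._tags[record_id], self._tag(record_id, record)):
            raise ValueError(f"integrity check failed for {record_id}")
        return dict(record)
```

The fourth requirement, protecting PHI in transit, is met outside this class by carrying the records only over an authenticated, encrypted channel such as TLS.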

Due to the growing need to protect PHI, jobs in cybersecurity, health information management, and information technology are in high demand. If you're looking to start or further your career in one of these industries, an online degree from 黑料传送门 is a great place to start.