Except if you are living under a rock, you would know about the Health Insurance Portability and Accountability Act (HIPAA) of 1996 which stresses on the integrity, sanctity, and security of PHI (protected health information).
However, the question that arises is, why is PHI kept under the rug? And why is it always talked about only when needed? The reason behind the above questions will be discussed later in the article, but first, you may want to know what is personal health information (PHI).
What is personal health information?
Personal health information refers to the health-related data of any individual that is recorded, disclosed, or used when the individual is provided with any healthcare service-whether at home or while being admitted in the hospital. This personal health information of an individual not only includes the mental and physical health details for past, present, and future, but also a record of healthcare services that have been availed to date, and the payments that have been made for the respective services.
Simply explained, it is the information from which an individual can be easily identified. Such information, along with details of the conversation between the healthcare service providers like nurses and doctors with respect to the patient’s treatment,is expected to be kept safe and confidential.
Moreover, PHI also includes the financial details of an individual that can be used to trace out the person through their billing records in the health insurance company. Generally, you may have noticed such information on several documents such as prescriptions, MRI, clinic appointments, blood test reports, X-ray results, billing information, or on the records of your communication with your doctor while on treatment.
The term ePHI was first used in HIPAA rules and instantly adopted by organizations that maintain health records for individuals. It refers to recording the patient health information digitally – on a computer, or as a saved digital file. HIPAA directs these organizations to ensure the integrity and security of PHI through administrative, physical, and technical safeguarding techniques.
HIPAA describes PHI as the information that relates to a particular individual. This information consists but is not limited to:
- Name and date of birth
- Social Security Number
- Phone Number
- Email Address
Other information that is classified as personal health information by HIPAA, but is often overlooked, includes:
- MAC addresses of the device
- IP address of every device that has been in use by the individual
- Biometric data (retina scan, fingerprint, etc.)
- Driver’s license number
- Serial numbers from medical devices
- Account numbers
- Health plan details
- Medical record ID
- Dates of visits, treatments, admission, and discharge
- Payment details
- Diagnostic codes
Protected health information includes data from the past. That’s why it’s more important to prevent them from getting hacked. For example, to trace the address of an individual, a hacker can use old phone numbers. So, we can say that PHI is the bridge between the health information and the identifier.
What actually is protected by HIPPA?
As a federal law, HIPAA applies to everyone. It is illegal to compromise on the information that classifies as PHI. According to the legislation every individual has the right to ask if their personal health information is kept private.
Who needs to meet the terms with HIPAA?
All bodies (including doctors) must comply with HIPAA rules. Certain exceptions are allowed to bodies or entities such as businesses that facilitate their employees with health insurance services, plans, dental, medical, and visionary facilities.
However, HIPAA also takes business associates, contractors, and subordinates under the law. They also must go through the same process in becoming HIPAA compliant. These processes include filling risk assessments, creating customer security policies and procedures, training employees, and implementing privacy policies.
Third-party companies who cover entity records may need to come into contact with PHI. Attorneys, accountants, document shredding, and IT vendors- all have to go through a process and qualify as business associates or subcontractors.
In short, if you want to access the data while working for a third-party, then you have to have a signed Agreement of Business Associate Subcontractors.
Become HIPAA compliant to get Protection against the breaches
The HIPAA security restricts organizations to take serious measures against intimidating incidents to maintain the sanctity of PHI. However, despite saying that the sanctity has to be protected, the question of ‘how’ remains unanswered because the price of non-compliance that has to be beared by an organization can be greatly high – thus, leaving the compliant confused regarding what to actually do.
The actions that can be taken to safeguard the PHI by HIPAA compliant organizations are:
- Organizing regular HIPAA training for employees so that they remain informed about the developments and tactics required to counter hacker attacks, and learn traditional and mundane procedures of protecting data.
- Investing in endpoint security systems and encryption of data that would prevent the information from being mishandled.
- Implementing private policy to ensure compliance and prevent employees from breaching through non-secure approaches, and to control access to personal health information without
- Applying methods set by HIPAA in transmitting and storing PHI. If the data is stored by a third-party, then that third-party must have the agreement of the business associate and also comply with HIPAA.
You will be accountable if you have been found not complying with the HIPAA methods. You have to obey your organization’s procedures and policies, even if it asks you to put in more effort. The rules are there to prevent information theft. This will only be practically possible and effective if everyone would be following these rules.
In conclusion, avoiding HIPAA rules of properly handling personal protected health information (PHI) can put you in front of hefty fines, bad publicity, and potential lawsuits. After all, your reputation is based on how you protect your client’s information and how well you serve your customers.