Modern healthcare depends on protecting sensitive patient data, and Protected Health Information (PHI) is the legal category that defines which data must be protected.
Its role is to preserve patient privacy and the integrity of the healthcare system. Trust is essential to the patient-provider relationship, and the rules around PHI are what keep that trust.
What is PHI: Understanding protected health information
Protected Health Information is health information about a patient that can be linked to that individual.
Health information becomes PHI when it is tied to any of 18 identifiers, for example:
- Demographic information – identifiers like names, phone numbers, and emails;
- Biometric data like fingerprints, voiceprints, genetic information;
- Facial images;
- Geographical subdivisions smaller than a State;
- Internet Protocol (IP) address numbers and others.
It is important to note that PHI covers health information about an individual's past, present, and future physical or mental health, not only their current status.[1]
The definition of PHI by HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) in the United States sets the standard for Protected Health Information.
HIPAA defines PHI as individually identifiable health information that is “transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium”. [2]
There is also indirect PHI: a combination of data points outside the 18 identifiers that could still identify a person, such as a rare diagnosis or a unique job title (e.g. President of the United States).
It is equally important to know what PHI is not. Under HIPAA, the identifiers above count as PHI only when they are part of health information held by a covered entity; the same data collected outside a covered entity's medical records, for example in a research record kept by an investigator who is not acting as a covered entity, is not PHI.
Health information from which all identifiers have been removed (de-identified data) is likewise not protected health information. [1]
Laws and regulations governing PHI
PHI is protected by HIPAA, a US law that sets national standards for the confidentiality and security of health information through its Privacy Rule and Security Rule. The HIPAA Privacy Rule governs the use and disclosure of PHI by the individuals and healthcare organizations subject to it, known as “covered entities.”
A covered entity must obtain the individual's written authorization before using or disclosing PHI for purposes the Privacy Rule does not otherwise permit. The Privacy Rule permits certain uses and disclosures without authorization, such as for treatment, payment, and healthcare operations, for public health purposes required by law, or for research under an approved waiver. [3,4]
The HIPAA Security Rule covers the protection, maintenance, and transmission of electronic protected health information (e-PHI). It does not apply to PHI that is transmitted orally or on paper. Covered entities must ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit, and must identify and protect against reasonably anticipated threats to it. [4]
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in February 2009, added further regulations.
Three sets of rules under HITECH address:
- Breach notification requirements for protected health information;
- Incentive payments available to healthcare providers that qualify as “meaningful users” of electronic health records (EHR);
- Certification criteria for EHR technology.
Under the HITECH breach notification rule, “unsecured PHI” is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons, in practice unencrypted PHI. Covered entities must notify affected patients of any breach of unsecured PHI. [5]
The importance of protecting PHI
Protecting the privacy of PHI is not only a legal requirement but also an ethical obligation, rooted in the principles of bioethics: beneficence, nonmaleficence, autonomy, and justice.
Medical records contain details about physical and mental health conditions, some of them too personal to share, and everyone has the right to keep them confidential. Many people worry about electronic medical records (EMRs) precisely because a breach could expose that information or enable blackmail.
Confidentiality is a crucial part of the healthcare provider’s job and must be maintained at all costs. [6]
Types of information considered PHI
The classical HIPAA list, used by the Safe Harbor de-identification method, consists of 18 identifiers:
- Names;
- All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geolocation/geocodes;
- All elements of dates (except year) for dates directly related to an individual – birth date, admission date, discharge date, date of death – and all ages over 89 (which may be aggregated into a single category of age 90 or older);
- Phone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social Security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints;
- Full-face photographic images and any comparable images;
- Any other unique identifying number, characteristic, or code. [1]
This list matters because these are the identifiers that must be removed to de-identify a medical record under the Safe Harbor method. The list has not been updated in more than 20 years, so it does not cover newer quasi-identifiers such as LGBTQ status or details about an emotional support animal. Such information can still single out a person, so new identifiers may be added in the future.
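Safe Harbor de-identification of a record, as an added example in Go (not code from the original page or from any product it cites). It assumes a hypothetical PatientRecord type and constructed sample data; it drops the structured identifiers, keeps only the year of dates, applies the Safe Harbor rule that ages over 89 are aggregated to 90 with the birth year dropped, and regex-scrubs SSNs, phone numbers, email addresses, MRNs and full dates from free-text notes. Names and addresses inside free text are deliberately not handled: the output still contains the name, which is the caveat a practitioner should take from this.

```go
package main

import (
	"fmt"
	"regexp"
)

// PatientRecord is a hypothetical structured record containing several
// Safe Harbor identifiers plus the clinical content we want to keep.
type PatientRecord struct {
	Name      string
	ZIP       string
	BirthDate string // YYYY-MM-DD
	Admitted  string // YYYY-MM-DD
	Phone     string
	Email     string
	SSN       string
	MRN       string
	Age       int
	Diagnosis string
	Notes     string // free text; clinicians often repeat identifiers here
}

// DeidentifiedRecord keeps only what Safe Harbor permits: years instead of
// full dates, ages aggregated to "90 or older", and the clinical content.
// Name, ZIP, phone, email, SSN and MRN have no field here at all.
type DeidentifiedRecord struct {
	BirthYear     string
	AdmissionYear string
	Age           int
	Diagnosis     string
	Notes         string
}

// Patterns for identifiers that commonly leak into free text. Names and
// street addresses are NOT matched: they need a dictionary or NLP approach.
var (
	reSSN   = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	reEmail = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
	rePhone = regexp.MustCompile(`\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b`)
	reMRN   = regexp.MustCompile(`\bMRN[- ]?\d+\b`)
	reDate  = regexp.MustCompile(`\b(\d{4})-\d{2}-\d{2}\b`)
)

func yearOf(date string) string {
	if len(date) < 4 {
		return ""
	}
	return date[:4]
}

// ScrubText replaces identifier patterns in free text and reduces full
// dates to their year (the only date element Safe Harbor allows).
func ScrubText(s string) string {
	s = reSSN.ReplaceAllString(s, "[SSN]")
	s = reEmail.ReplaceAllString(s, "[EMAIL]")
	s = rePhone.ReplaceAllString(s, "[PHONE]")
	s = reMRN.ReplaceAllString(s, "[MRN]")
	return reDate.ReplaceAllString(s, "$1")
}

// Deidentify drops the structured identifiers, keeps only years, and
// applies the over-89 rule: such ages become 90 and the birth year is
// removed too, because year of birth alone would reveal the age.
func Deidentify(r PatientRecord) DeidentifiedRecord {
	d := DeidentifiedRecord{
		BirthYear:     yearOf(r.BirthDate),
		AdmissionYear: yearOf(r.Admitted),
		Age:           r.Age,
		Diagnosis:     r.Diagnosis,
		Notes:         ScrubText(r.Notes),
	}
	if r.Age > 89 {
		d.Age = 90
		d.BirthYear = ""
	}
	return d
}

// SampleRecord is constructed test data, not a real patient.
func SampleRecord() PatientRecord {
	return PatientRecord{
		Name: "Jane Doe", ZIP: "02139", BirthDate: "1931-04-02", Admitted: "2023-11-05",
		Phone: "(617) 555-0123", Email: "jane.doe@example.com", SSN: "123-45-6789",
		MRN: "MRN-4471923", Age: 92, Diagnosis: "Type 2 diabetes",
		Notes: "Pt Jane Doe (MRN-4471923, SSN 123-45-6789) admitted 2023-11-05; call (617) 555-0123 or jane.doe@example.com.",
	}
}

func main() {
	fmt.Printf("%+v\n", Deidentify(SampleRecord()))
}
```

The scrubbed notes still read "Pt Jane Doe (...)", so a regex pass alone does not produce a de-identified record; either route free text through a name/address detector or exclude it from the de-identified data set. ZIP is dropped entirely here; Safe Harbor does allow the first three digits when the area has more than 20,000 people, which a production implementation would look up rather than assume.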
Who has access to protected health information?
To preserve patient privacy, only parties that HIPAA permits may access PHI.
- First of all, the individual has the right to access their health-related information. They also have the right to share their information with a third party.
- All healthcare professionals – doctors, nurses, etc., are allowed to know and work with PHI to diagnose and provide treatment.
- Providers of services such as health plans, e.g. health insurance companies, also have privileges to access health information to process claims and determine coverage.
Healthcare clearinghouses are organizations that convert nonstandard health information into a standard format (or vice versa), acting as intermediaries between a healthcare provider and a health plan. They access PHI to perform that conversion. [7]
Causes of PHI breaches
Between 2009 and 2017 there were 1138 PHI data breaches that affected 164 million people.
The violations were put in the following categories:
- Hacking or information technology incident;
- Improper disposal (electronic media or paper records not appropriately cleared or shredded);
- Loss;
- Theft;
- Unauthorized access or disclosure (breaches from misdirected mailing or other communication);
- Unknown or other.
Most breaches were due to theft of equipment or of PHI itself, committed by external parties or by current employees. Second most frequent was internal unauthorized access and disclosure: email mistakes, forwarding PHI to personal accounts or devices, and similar errors. Hacking and IT incidents were the third most common cause.
The analysis found that more than half of the breaches were caused by internal mistakes or neglect rather than outside attackers, which is why PHI handling protocols must be understood and followed. [8]
Risks associated with PHI breaches
Consequences of PHI breaches can be severe.
Here are some of them:
- Identity theft and fraud – exposing sensitive data, such as Social Security numbers, makes it easy to obtain by criminals. This information can be used for fraud and can lead to huge financial losses, damaged credit scores and more.
- Violations of HIPAA compliance laws result in hefty fines, lawsuits, and other penalties for the involved parties.
- Compromised patient care and healthcare services – PHI breaches erode patient trust and damage the quality of care and experience. Loss of access to EHR data can be life-threatening, as it can cause delays in care, incorrect treatments, or medication errors.
- Blackmail and extortion – cybercriminals can use the obtained information about the person to blackmail them. Victims would experience financial and emotional distress and damage to their safety.
Security measures for protecting PHI
Healthcare providers must protect PHI, but it cannot be locked away from everyone: it must remain accessible to those who need it for care. Strict security measures must therefore ensure that only authorized personnel have access.
HIPAA experts recommend baseline controls such as a firewall, an antivirus solution, and a spam filter to block malicious emails, together with encryption of data on all workstations and portable devices and of email in transit.
For emergencies, disaster recovery controls and regularly tested backups should be in place so that PHI is recoverable. Physical controls are needed to prevent theft of data and equipment.
Workforce training and a good patch management policy keep software up to date and free from known vulnerabilities. This security work protects patient privacy and trust, and visibly protecting PHI strengthens the provider-patient relationship. [9,10]
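Encryption of stored e-PHI, which is what turns a stolen disk or database dump from a breach of “unsecured PHI” into unreadable bytes, as an added example in Go (not from the page or any product it cites). It uses the standard library's AES-256-GCM; the function names, the use of the record ID as associated data, and the JSON sample are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey generates a random 256-bit key. In production the key comes from a
// KMS or HSM and is never stored on the same device as the data it protects;
// otherwise a stolen laptop carries both the ciphertext and the key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPHI seals a serialized record with AES-256-GCM. A fresh random
// nonce is prepended to the ciphertext. recordID is bound as associated
// data so a ciphertext cannot be swapped into another patient's row
// without failing authentication.
func EncryptPHI(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptPHI reverses EncryptPHI. Any modification of nonce, ciphertext,
// authentication tag or recordID makes Open return an error, never garbage.
func DecryptPHI(key []byte, recordID string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	record := []byte(`{"mrn":"4471923","dx":"type 2 diabetes"}`) // constructed sample
	sealed, err := EncryptPHI(key, "p-1001", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored on disk: %x\n", sealed)
	// A ciphertext copied under another patient's ID fails closed.
	if _, err := DecryptPHI(key, "p-2002", sealed); err != nil {
		fmt.Println("swap to another patient rejected:", err)
	}
	plain, _ := DecryptPHI(key, "p-1001", sealed)
	fmt.Printf("decrypted: %s\n", plain)
}
```

Two operational caveats: GCM with random 96-bit nonces is safe only while the number of records sealed under one key stays far below 2^32, so rotate keys per table or per time period; and the breach-notification benefit depends on the key being held elsewhere (KMS, HSM, or at least a separate host), since encrypted data plus its key on the same stolen device is still unsecured PHI.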
Managing PHI in electronic health records
Managing PHI held in electronic systems is crucial. Health record databases must be protected with physical, administrative, and technical safeguards. Physical safeguards protect the information, software, and hardware physically, for example by controlling physical access with locks and security personnel.
Administrative safeguards are compliant security policies and procedures, such as regular audits and access reviews. Technical safeguards are the technology used to prevent unauthorized electronic access; the most widespread examples are firewalls, access controls, and cryptography. [11]
It is equally important to protect PHI in transit, not only at rest. This means using encrypted communication channels such as Virtual Private Networks (VPNs) or secure messaging systems, and keeping those systems regularly updated.
Patient rights regarding PHI
Patients have several rights, established under the Health Insurance Portability and Accountability Act. They ensure privacy, transparency and control over personal health information.
- HIPAA special enrollment rights – individuals are allowed to enroll in a particular healthcare plan because of a special enrollment – loss of other health insurance coverage, birth, etc.
- Uses and disclosures of PHI that require authorization – the patient has the right to a copy of the authorization and to revoke it at any time. Authorization is not required for uses and disclosures the Privacy Rule already permits, such as those between HIPAA-covered entities and their business associates for treatment, payment, and healthcare operations.
- Notice of privacy practices for PHI – the notice displays the uses and disclosures of PHI as well as the patient’s rights.
- Right to inspect and receive a copy of their PHI.
- The right to amend PHI in case of inaccuracy or incompleteness.
- Accounting of disclosures of PHI covering the six years before the request.
- The right to be notified of any breach of unsecured PHI in case there is the possibility that the PHI has been accessed, acquired, used, or disclosed without authorization. [12]
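An added Go example (not from the page) that ties the access rules under “Who has access to protected health information?” to the audit and accounting-of-disclosures rights above: a hypothetical PHIStore authorizes each request by role and purpose, logs every attempt including denied ones, and produces the six-year accounting. The role and purpose names, the policy table and the sample records are assumptions; the accounting omits treatment, payment and operations disclosures because 45 CFR 164.528 exempts them, which a practitioner implementing this right needs to know.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

type Role string
type Purpose string

const (
	RolePatient       Role = "patient"
	RoleClinician     Role = "clinician"
	RoleHealthPlan    Role = "health_plan"
	RoleClearinghouse Role = "clearinghouse"
	RolePublicHealth  Role = "public_health_authority"

	PurposeOwnRecord    Purpose = "own_record"
	PurposeTreatment    Purpose = "treatment"
	PurposePayment      Purpose = "payment"
	PurposeOperations   Purpose = "operations"
	PurposePublicHealth Purpose = "public_health"
)

// permitted is a hypothetical policy: the purposes for which each role may
// access PHI without the patient's written authorization. Unknown roles
// (a marketing system, say) are absent and therefore get nothing.
var permitted = map[Role]map[Purpose]bool{
	RoleClinician:     {PurposeTreatment: true, PurposePublicHealth: true},
	RoleHealthPlan:    {PurposePayment: true, PurposeOperations: true},
	RoleClearinghouse: {PurposePayment: true},
	RolePublicHealth:  {PurposePublicHealth: true},
}

// exempt purposes do not appear in an accounting of disclosures (45 CFR 164.528).
var exempt = map[Purpose]bool{PurposeTreatment: true, PurposePayment: true, PurposeOperations: true}

type AccessRequest struct {
	Actor     string
	Role      Role
	PatientID string
	Purpose   Purpose
}

type AuditEntry struct {
	When    time.Time
	Request AccessRequest
	Allowed bool
}

var ErrDenied = errors.New("access to PHI denied")

type PHIStore struct {
	records map[string]string
	audit   []AuditEntry
	Now     func() time.Time // injectable clock, for tests and replay
}

func NewPHIStore() *PHIStore {
	return &PHIStore{records: map[string]string{}, Now: time.Now}
}

func (s *PHIStore) Put(patientID, record string) { s.records[patientID] = record }
func (s *PHIStore) AuditLog() []AuditEntry       { return s.audit }

// authorize: a patient may read only their own record; every other role is
// limited to the purposes in the policy table.
func authorize(req AccessRequest) bool {
	if req.Role == RolePatient {
		return req.Actor == req.PatientID && req.Purpose == PurposeOwnRecord
	}
	return permitted[req.Role][req.Purpose]
}

// Access enforces the policy and logs every attempt, denied ones included,
// so that misuse shows up in audits rather than only in breach reports.
func (s *PHIStore) Access(req AccessRequest) (string, error) {
	allowed := authorize(req)
	s.audit = append(s.audit, AuditEntry{When: s.Now(), Request: req, Allowed: allowed})
	if !allowed {
		return "", ErrDenied
	}
	return s.records[req.PatientID], nil
}

// AccountingOfDisclosures lists successful disclosures of a patient's PHI to
// parties other than the patient in the six years before asOf, minus the
// exempt treatment/payment/operations disclosures.
func (s *PHIStore) AccountingOfDisclosures(patientID string, asOf time.Time) []AuditEntry {
	cutoff := asOf.AddDate(-6, 0, 0)
	var out []AuditEntry
	for _, e := range s.audit {
		if !e.Allowed || e.Request.PatientID != patientID || e.Request.Role == RolePatient ||
			e.When.Before(cutoff) || e.When.After(asOf) || exempt[e.Request.Purpose] {
			continue
		}
		out = append(out, e)
	}
	return out
}

func main() {
	s := NewPHIStore()
	s.Put("p-1001", "dx: type 2 diabetes") // constructed sample
	for _, req := range []AccessRequest{
		{"dr-smith", RoleClinician, "p-1001", PurposeTreatment},
		{"mkt-bot", Role("marketing"), "p-1001", PurposeTreatment},
		{"state-doh", RolePublicHealth, "p-1001", PurposePublicHealth},
	} {
		_, err := s.Access(req)
		fmt.Printf("%-10s %-24s err=%v\n", req.Actor, req.Role, err)
	}
	fmt.Println("disclosures to account for:", len(s.AccountingOfDisclosures("p-1001", time.Now())))
}
```

Keeping the full audit log separate from the accounting is deliberate: the audit log is the security record (it includes denied attempts and routine treatment access) while the accounting is the patient-facing subset the Privacy Rule requires, and the six-year window applies to the latter only.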
Protected health information is a critical part of the modern healthcare industry. Preserving medical history, treatments, and care records is what allows personalized and effective healthcare.
At the same time, PHI presents significant challenges in securing that information against breaches. Whether it remains a powerful tool for healthcare or becomes its weak link depends on how well it is protected.
Sources
[1] Bowman, Marjorie A, and Rose A Maxwell. “A beginner’s guide to avoiding Protected Health Information (PHI) issues in clinical research – With how-to’s in REDCap Data Management Software.” Journal of Biomedical Informatics vol. 85 (2018): 49-55. doi:10.1016/j.jbi.2018.07.008
[2] https://www.hipaajournal.com/what-is-protected-health-information/
[3] https://www.ncbi.nlm.nih.gov/books/NBK9573/
[5] Goldstein, Melissa M, and Jane Hyatt Thorpe. “The First Anniversary of the Health Information Technology for Economic and Clinical Health (HITECH) Act: the regulatory outlook for implementation.” Perspectives in Health Information Management vol. 7, Summer 1c. 1 Sep. 2010
[6] Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule; Nass SJ, Levit LA, Gostin LO, editors. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington (DC): National Academies Press (US); 2009. 2, The Value and Importance of Health Information Privacy. Available from: https://www.ncbi.nlm.nih.gov/books/NBK9579/
[7] Edemekong PF, Annamaraju P, Haydel MJ. Health Insurance Portability and Accountability Act. [Updated 2024 Feb 12]. In: StatPearls [Internet]. Treasure Island (FL): StatPearls Publishing; 2024 Jan-. Available from: https://www.ncbi.nlm.nih.gov/books/NBK500019/
[8] Jiang, John Xuefeng, and Ge Bai. “Evaluation of Causes of Protected Health Information Breaches.” JAMA internal medicine vol. 179,2 (2019): 265-267. doi:10.1001/jamainternmed.2018.5295
[9] https://www.hipaajournal.com/secure-patient-information-phi/
[10] Basil, Nduma N et al. “Health Records Database and Inherent Security Concerns: A Review of the Literature.” Cureus vol. 14,10 e30168. 11 Oct. 2022, doi:10.7759/cureus.30168
[11] Ismail Keshta, Ammar Odeh, Security and privacy of electronic health records: Concerns and challenges, Egyptian Informatics Journal, Volume 22, Issue 2, 2021, Pages 177-183, ISSN 1110-8665, https://doi.org/10.1016/j.eij.2020.07.003.