What exactly is PHI?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted in 1996 that governs healthcare privacy regulations. In the early 1990s, it became evident that computers and digital records would play a significant role in keeping health data and that something needed to be done to safeguard sensitive information. Since 1996, Congress has enacted legislative changes to adapt HIPAA to new technological advances. The law still serves the same aim today: to protect Protected Health Information in order to keep people safe.
The majority of HIPAA laws and regulations are concerned with the protection of PHI. Understanding how to manage PHI is really critical for HIPAA compliance.
To begin, you first understand what PHI is. According to HIPAA, Protected Health Information is any health-related information linked with a unique identifier that matches a specific individual.
Identifiers include, but are not limited to:
- Date of birth
- Social security number
- Email address
- Phone number
Consider other data elements that could be an identifier (and therefore Protected Health Information) which are often overlooked:
- Biometric data (fingerprints, retina scans, etc.)
- Medical record numbers
- Medical device serial numbers
- Health plan account numbers
- Dates of visits, admission, discharge, and treatment
If the data can be used to identify a patient, it should be regarded as a possible identifier and classified as Protected Health Information.
Protected Health Information also includes out-of-date information. A hacker, for example, could misuse an old phone number or address to identify an individual. Simply said, Protected Health Information exists at the intersection of any type of identifier and a piece of health information.
How could I come into contact with Protected Health Information?
PHI can be electronic (ePHI), verbal, or written. All sorts of privacy are subject to the same standards. Your job may need you to know and use someone’s PHI so they can pay for medical expenditures or receive treatment. Everyone who comes into contact with PHI must understand how to keep it secure. Even little errors have the potential to result in a data leak.
When working with Protected Health Information, always use the bare minimum of PHI to perform your activity. In other words, keep the information you see to yourself; do not discuss it with anyone, including coworkers.
HR personnel, IT staff, health plan administrators, accounts payable, and business owners/executives are likely to encounter PHI. When dealing with such sensitive information, they must all exercise extreme caution.
If you find Protected Health Information exposed in your office, notify your Privacy Officer or Security Officer immediately.
Who is HIPAA designed to protect?
HIPAA is a federal regulation that concerns everyone. It is never appropriate or legal to compromise someone else’s Protected Health Information. All patients, employees, clients, and others whose PHI is in your care have the right to remain anonymous.
Who is required to comply with HIPAA?
HIPAA compliance is required for all Covered Entities (including health care providers). Covered Entities are businesses that offer health insurance plans and medical, dental, and vision providers to their employees.
HIPAA covers their Business Associates and Business Associate Subcontractors as well. All of these organizations must do a risk assessment, train staff, and develop security and privacy policies and procedures.
Protected Health Information is frequently handled by vendors and third-party firms working for Covered Entities. Accountants, attorneys, document shredding vendors, and IT vendors, are all considered Business Associates or Business Associate Subcontractors. They, too, must go through the HIPAA compliance and security of Protected Health Information process.
As a result, if you work with any third-party organizations or vendors, a signed Business Associate or Business Associate Subcontractor Agreement is required.
If a Business Associate or one of their Subcontractors exposes protected information without a formal agreement, you could be held accountable for their error. Some businesses sign a BAA without first completing the HIPAA compliance process or ensuring that the other party has done their homework. If there is a breach, this can be a legal nightmare for both the Covered Entity and the Business Associate.
What are the penalties for HIPAA violations?
HIPAA violations occur when Covered Entities expose Protected Health Information, whether knowingly or accidentally, even if it is done indirectly through a Business Associate or Business Associate Subcontractor.
Employees and employers who breach the HIPAA law face consequences. Companies can be sued by the Office for Civil Rights (OCR) of the United States Department of Health and Human Services (HHS), and individuals can face fines ranging from $100 to $250,000 per violation, as well as imprisonment for one to ten years for severe offenses.
Furthermore, HIPAA mandates all firms that handle PHI to implement penalty policies. Sanctions may include letters of reprimand, suspension without pay, and/or removal from the workforce, depending on the severity of the infraction.
Good practices for managing Protected Health Information
You can never be too cautious when dealing with Protected Health Information. To keep your workstation secure, implement a clean desk policy.
Never leave your computer unlocked while away from your workstation, and keep files in a secure location when not in use. Physical documents holding sensitive information/PHI should be kept in a secured file cabinet.
Obey your company’s policies and practices, no matter how much effort they require. These are in place to prevent data breaches, and they work only if everyone respects the rules. As a result, it is critical that you become aware of these procedures.
To summarize, failing to follow HIPAA guidelines regarding the proper management of Protected Health Information exposes you to significant fines, potential lawsuits, and negative publicity. Above all, your reputation is determined by how successfully you serve those whose information you are supposed to protect.