How to Secure Patient Information (PHI)

January 1, 2023

The issue of how to secure patient information and PHI is challenging because HIPAA does not require all patient information to be secured. Additionally, if Protected Health Information (PHI) is secured too much, it can prevent the flow of information needed to perform treatment, payment, and healthcare operations efficiently.

To best explain how to secure patient information and PHI, it is necessary to distinguish between what is patient information and what is PHI. The easiest way to do this is by defining PHI first, because any remaining information relating to a patient that is not PHI does not need to be secured under HIPAA – although other privacy and security laws may apply.

What is PHI? And What is Not PHI?

The Administrative Simplification Regulations define PHI as individually identifiable health information “transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium”. To understand why some patient information might not be PHI, it is necessary to review the definition of individually identifiable health information:

“Information […] collected from an individual […] that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or […] can be used to identify the individual.”

These definitions suggest any information that does not relate to a patient's condition, treatment for the condition, or payment for the treatment is not protected by the privacy and security standards. However, this is not the case.

Individually identifiable health information protected by the privacy and security standards is maintained in one or more “designated record sets”, and any identifying non-health information added to a designated record set assumes the same privacy and security protections. Therefore:

  • “Mr. Jones has a broken leg” is PHI because it identifies the patient and relates to a present health condition.
  • If Mr. Jones' address, the name of his wife, and their telephone number are added to the designated record set, it is also PHI.
  • However, if a separate record of Mr. Jones' wife and telephone number is maintained outside the designated record set (i.e., for contact purposes) it is not PHI because the separate record does not contain any health information.

In conclusion, some patient information can be both protected and not protected depending on where it is maintained. This doesn't make it any easier to explain how to secure patient information and PHI, but it is important to be aware that not all patient information is PHI all the time.

How to Secure Patient Information that is PHI

To say PHI has to be secured is misleading because it implies Protected Health Information has to be locked away in a fortress-like environment, whereas the Privacy Rule allows “permissible” uses and disclosures for a variety of reasons. Therefore, although it is important to apply access controls to ensure only authorized personnel can use or disclose PHI, it is not necessary for PHI to be “secured”.

With regard to electronic PHI (ePHI), Covered Entities and Business Associates have to take greater care about how it is protected because healthcare data is highly sought after by cybercriminals. Consequently, many compliance experts suggest organizations adopt a defense in depth strategy that includes as a minimum:

  • A firewall to prevent unauthorized access to networks and data
  • A spam filter to block malicious emails harboring malware
  • A web filter to prevent staff accessing malicious websites
  • An antivirus solution to detect malware from other sources
  • Data encryption on all workstations and portable devices
  • Encryption to protect data in transit – encrypted email for instance
  • An intrusion detection system that monitors for irregular network activity
  • Auditing solutions that monitor for improper accessing of PHI
  • Disaster recovery controls to ensure continued access to data in the event of an emergency
  • Extensive backups to ensure PHI is recoverable in the event of an emergency
  • Security solutions allowing the remote deletion of data stored on mobile devices in the event of loss or theft
  • Security awareness and anti-phishing training for all members of the workforce
  • Physical controls to prevent data and equipment theft
  • Good patch management policies to ensure software is kept up to date and free from vulnerabilities

Informing Patients that Health Information is Protected

Although protecting PHI is a requirement of HIPAA, it can be beneficial to highlight to patients that the security of health information is taken seriously. Research has shown that, when patients trust their health information is being protected, they are more willing to share intimate details about themselves with healthcare providers.

Having more information about a patient's condition enables healthcare providers to make better informed decisions and more accurate diagnoses to determine the best course of treatment. This in turn leads to better patient outcomes and a reduction in patient readmissions, which can be reflected in higher satisfaction scores from patients and their families.

Informing patients that health information is secured doesn't have to go into details – a few lines of text added to a Notice of Privacy Practices is often sufficient. The important thing to remember is that if an organization claims that health information is protected but fails to implement the necessary standards to secure patient information – and a data breach occurs – this could discredit the organization and will likely be taken into account by an investigation into the data breach.

How to Secure Patient Information FAQs

What privacy and security laws apply other than HIPAA?

Many states now have privacy and/or data security laws with stronger patient protections than HIPAA. Some laws may only apply to certain types of data (e.g., Illinois' Biometric Information Privacy Act), while others apply across state borders to protect the personal data of any citizen of the state wherever they are (e.g., Texas' Medical Records Privacy Act).

What can happen if you secure too much information?

Securing too much information can negatively impact healthcare operations. For example, a nursing assistant needs to phone Mr. Jones' wife urgently but cannot access the telephone number because they do not have the right credentials to access the designated record set in which the telephone number has been secured.

Not only will the lack of access result in a delay in contacting Mr. Jones' wife, but the nursing assistant will have to find a colleague with the right credentials to access the designated record set and interrupt what they were doing in order to get the phone number to make the call – an unnecessary waste of resources.

What are the Administrative Simplification Regulations?

The Administrative Simplification Regulations are the section of the Public Welfare regulations (45 CFR) containing most of the standards that HIPAA Covered Entities and Business Associates have to comply with – i.e., the Privacy Rule, the Security Rule, and the Breach Notification Rule. The Department of Health and Human Services has compiled an unofficial version of the text.

What are the permissible uses and disclosures of PHI?

The permissible uses and disclosures allowed by the Privacy Rule generally relate to uses and disclosures for treatment, payment, and healthcare operations. However, other uses and disclosures are allowed when (for example) they are covered by a Business Associate Agreement with a third party organization or when a patient has authorized the use or disclosure.

How can a patient check health information is being protected?

Patients can request an accounting of disclosures from their health plan or healthcare provider which should list the times when PHI has been disclosed for purposes other than those permitted by the Privacy Rule in the previous six years. Although it is no guarantee of data security, the accounting of disclosures can be a good indicator of an organization's HIPAA compliance.

The post How to Secure Patient Information (PHI) appeared first on HIPAA Journal.