By: Elizabeth Snell, HealthITSecurity.com
With another large health data breach being announced this week, it is essential that covered entities of all sizes understand the intricacies of PHI security. However, there is an important distinction in types of data that healthcare organizations keep on hand.
While individuals deserve to be notified if any of their personal information is potentially accessed by unauthorized users, not all data security incidents involve PHI. This week in our discussion of The HIPAA Privacy and HIPAA Security Rules, we’ll dissect what makes PHI security different, and why it is treated differently than other data security breaches.
What is protected health information?
The Department of Health and Human Services (HHS) does not consider all types of information to be under the umbrella of “protected health information.” The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
Moreover, information, including demographic data, that relates to any of the following is part of PHI:
- an individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
- anything that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual, and
- common identifiers, including but not limited to name, address, date of birth, and Social Security number.
However, any employment records that a covered entity keeps “as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act” are excluded from the PHI definition. It is also important to note that there are no restrictions on the use of de-identified data, even if it includes health information; de-identifying data is discussed in greater depth in a separate article.
What are key data breach prevention measures?
According to HHS, there are four general rules that covered entities must follow to ensure the protection of PHI:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
As healthcare organizations determine the best security measures for their facility, it is essential for them to consider their size, complexity, and capabilities. The covered entity’s technical, hardware, and software infrastructure must also be reviewed, as well as the costs of security measures. Finally, every facility must consider the likelihood and possible impact of potential risks to ePHI.
From there, organizations need to ensure they have the necessary administrative, technical, and physical safeguards in place. Again, a type of safeguard that works for one facility might not be necessary for another.
“A covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level,” HHS states on its website. “A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.”
Risk assessments will also play a critical role in PHI security. Covered entities can demonstrate in one of two ways that notification is not necessary, provided they have documentation of either:
- a risk assessment demonstrating a low probability that the protected health information has been compromised by the impermissible use or disclosure, or
- the application of any other exception to the definition of “breach.”
What happens when a PHI data breach does occur?
If PHI security is compromised in a healthcare data breach, the notification process is essential. Specifically, the HIPAA Breach Notification Rule states that when unsecured PHI is compromised, covered entities and their business associates need to notify potentially affected parties. Unsecured PHI is PHI “that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.”
If more than 500 individuals are possibly at risk, then facilities must notify prominent media outlets serving the State or jurisdiction. Moreover, this notice must be given “without unreasonable delay” and in no case later than 60 days following the discovery of a breach. When more than 500 individuals are involved, the Secretary must also be notified.
If fewer than 500 people are affected, then covered entities need to make an annual report. These notices are due to the Secretary “no later than 60 days after the end of the calendar year in which the breaches are discovered.”
It is also essential for healthcare organizations to have written policies and procedures in place that cover the breach notification process. Staff at all levels need to be trained on those policies and procedures.
Working toward strong PHI security
Not all healthcare data breaches will involve PHI, but covered entities need to remain vigilant in their approach to data security. Federal, state, and local regulations could all potentially have guidelines on how a data security breach should be handled. Some of those laws might not require breach notification when medical data is compromised, but do require it when addresses or Social Security numbers are exposed.
Even so, healthcare organizations need to keep all safeguards up to date and ensure that they are compliant with state and local laws, as well as HIPAA compliant. PHI security can be compromised in numerous ways, which is why facilities have to be vigilant and able to adjust safeguards as necessary.