Healthcare is a data-rich industry. These data are created across the entire healthcare ecosystem; they represent a wealth of information that can be used to ultimately lead to better patient outcomes. The amount of data generated is unprecedented.
Research from IDC has shown health data growth to be exponential: by 2020, the industry will generate around 2,314 exabytes (EB) of data. To put that into perspective, 1 EB is equal to 1 billion gigabytes.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has created a specific definition of health data that requires protection under the auspices of the Privacy Rule. These data are referred to as Protected Health Information (PHI) and fall under the umbrella of “individually identifiable health information,” with “identifiable” being the operative word, which we will discuss further below. The Privacy Rule also specifies which organizations, or “covered entities,” fall under the rule and are required to implement the requirements of the HIPAA Privacy Rule.
What Is Considered Protected Health Information Under HIPAA?
Any data that is created, collected or disclosed during interaction with healthcare services and that can be used to uniquely identify an individual is defined as Protected Health Information (PHI) under HIPAA. The key word here is “identify”: If a snippet of data or a data set associated with an interaction with a healthcare provider or associate can be used as an “identifier” to an individual, it is PHI.
HIPAA lists 18 of these identifiers, including names, zip codes, medical record numbers, IP addresses, Social Security numbers, and so on. (A full list can be found on the California Department of Health Care Services website, or at the end of this article.) If any of the identifiers are used in a disclosure, that disclosure is deemed an identifying action. Even partial identifiers such as initials cannot be disclosed and are deemed PHI.
HIPAA also covers electronic PHI, or ePHI. This is the electronic form of health information and includes biometrics, photos, and images such as medical scans. The HIPAA Security Rule sets out the protections that covered entities and their business associates must provide for ePHI.
What Is Not PHI
PHI is associated with patients (including research patients) and members of a health plan. PHI does not usually include employee or student records (e.g., those of doctors and trainee medics) that are not linked with healthcare records.
Health data that is “de-identified,” that is, data from which the identifiers have been removed, no longer falls under the protection of HIPAA. Research data is often de-identified to allow for easier sharing.
Protection of PHI
The HIPAA Security Rule does not specify which security measures must be used to protect PHI. Instead, it sets out policy considerations such as performing a risk analysis and establishing a life cycle for PHI within a given organization.
HIPAA compliance safeguards should be considered for each of the following areas:
- Physical. For example:
  - Keeping paper records containing PHI in locked cabinets
  - Ensuring that laptops are never left in unsafe places
  - Using robust access control for physical areas that may contain large amounts of PHI (e.g., server rooms)
- Technical. For example:
  - Using encryption, such as full-disk encryption, on laptops that contain any PHI
  - Implementing secure online communications, e.g., using HTTPS on sites where PHI can be accessed
  - Using web-based security as applicable
  - Applying robust authentication to sites, databases and other systems that contain PHI
- Administrative. For example:
  - Using privileged access management to control who can access PHI
  - Running security awareness programs to ensure company-wide and business associate awareness of HIPAA regulations
HIPAA is enforced using strict fines and breach notification rules. The Breach Notification Rule states that notification must be made “without unreasonable delay and no later than 60 days” if a breach impacts 500 or more individuals. The Office for Civil Rights (OCR) posts health information breaches on its site for the public to see. It is worth noting that ignorance of HIPAA requirements cannot be used as a defense.
Why Protect PHI?
If you are determined to be a “covered entity” or a business associate of such an entity, you must abide by the rules of HIPAA to protect the health information of your customers, patients, and clients. By doing so, you not only avoid fines and public shaming, but you also prove to your user base that you respect and take seriously the security and privacy of that most precious commodity, health data.
Full List of the 18 PHI Identifiers
- Names (full or last name and initial)
- All geographic identifiers smaller than a state, except for the initial three digits of a zip code, provided that, according to the current publicly available data from the U.S. Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to 000
- Dates (other than year) directly related to an individual
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers (including serial numbers and license plate numbers)
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger, retinal and voice prints
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic or code except the unique code assigned by the investigator to code the data
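The de-identification described above (removing the identifiers in the list, keeping only the year of dates, and keeping only the first three digits of a zip code unless that three-digit area is sparsely populated) is a mechanical transformation, so it is worth seeing it as code. The following is an added example, not code from the original article or from HHS; the field names, the sample patient record and the `RESTRICTED_ZIP3` set are constructed for illustration (the real restricted-prefix set must be derived from current Census data, as the rule says). It also adds a check that the article does not describe: a scan of the remaining free-text fields for values that still look like identifiers, since a note field can easily smuggle a phone number or email address past field-level stripping.

```python
"""Safe Harbor-style de-identification of a patient record.

Added example, not from the original article. It applies the rules the
article lists (drop the direct identifiers, keep only the year of dates,
keep only the first three digits of a zip code unless that area is
sparsely populated) and then scans what is left for values that still
look like identifiers.
"""
import re
from datetime import date

# Three-digit zip prefixes whose combined population is 20,000 or fewer
# must be replaced with "000". This set is a placeholder: derive the real
# one from the current U.S. Census data referenced in the rule.
RESTRICTED_ZIP3 = frozenset({"036", "059"})

# Record fields (names assumed for this example) that are direct
# identifiers and are simply removed.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
})

# Fields holding dates: reduced to the year only.
DATE_FIELDS = frozenset({"dob", "admission_date", "discharge_date"})

# Patterns that indicate an identifier survived in a free-text field.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def deidentify_zip(zip_code: str) -> str:
    """Keep the first three digits, or "000" for a restricted area."""
    digits = re.sub(r"\D", "", zip_code)
    prefix = digits[:3]
    if len(prefix) < 3 or prefix in RESTRICTED_ZIP3:
        return "000"
    return prefix


def deidentify_date(value: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to its year."""
    return str(date.fromisoformat(value).year)


def deidentify(record: dict) -> dict:
    """Return a Safe Harbor de-identified copy of `record`."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifier: drop the field entirely
        if field in DATE_FIELDS:
            out[field] = deidentify_date(value)
        elif field == "zip":
            out[field] = deidentify_zip(value)
        else:
            out[field] = value
    return out


def residual_identifiers(record: dict) -> list:
    """List (field, kind) pairs for string values that still look like identifiers."""
    hits = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, pattern in RESIDUAL_PATTERNS.items():
            if pattern.search(value):
                hits.append((field, kind))
    return hits


# Constructed sample record for a fictional patient; not real data.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "dob": "1984-07-19",
    "ssn": "123-45-6789",
    "zip": "05901",
    "admission_date": "2019-03-02",
    "diagnosis_code": "J18.9",
    "notes": "Patient reachable at 555-123-4567 after discharge.",
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE_RECORD)
    print(clean)
    print("residual identifiers:", residual_identifiers(clean))
```

Running it on the sample record drops the name and SSN, reduces both dates to their year, maps the restricted "059" prefix to "000", and then flags the phone number left in the `notes` field. That last result is the practical lesson: field-level stripping satisfies the list, but free text has to be reviewed or redacted separately before the record can be treated as de-identified.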
Sources
- Summary of the HIPAA Privacy Rule, HHS.gov
- HIPAA for Professionals, HHS.gov
- List of HIPAA Identifiers, California Department of Health Services
- Cases Currently Under Investigation, U.S. Department of Health and Human Services, Office of Civil Rights