How to Secure Patient Information (PHI)
To best explain how to secure patient information and PHI, it is necessary to distinguish between what is patient information and what is PHI because although HIPAA requires PHI to be secured, it does not require all patient information to be secured. The easiest way to distinguish between PHI and other patient information is to define PHI first, because any remaining patient information does not need to be secured under HIPAA – although other privacy and security laws may apply.
What is PHI? And What is Not PHI?
The Administrative Simplification Regulations defines PHI as individually identifiable health information “transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium”. To understand why some patient information might not be PHI, it is necessary to review the definition of individually identifiable health information:
“Information […] collected from an individual […] that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or […] can be used to identify the individual.”
These definitions suggest that any information which does not relate to a patient's condition, treatment for the condition, or payment for the treatment is not protected by the privacy and security standards. However, this is not the case.
Individually identifiable health information protected by the HIPAA privacy and security standards is most often maintained in one or more “designated record sets”, and any identifying non-health information added to a designated record set assumes the same privacy and security protections. An example of how PHI differs from patient information is:
- “Mr. Jones has a broken leg” is PHI because it identifies the patient and relates to a present health condition.
- If Mr. Jones’ address, the name of his wife, and their telephone number are added to the designated record set, it is also PHI.
- However, if a separate record of Mr. Jones' wife and telephone number is maintained outside the designated record set (e.g., for contact purposes) it is not PHI, because the separate record does not contain any health information.
In conclusion, some patient information can be both protected and not protected depending on where it is maintained. This doesn’t make it any easier to explain how to secure patient information and PHI, but it is important to be aware that not all patient information is PHI all the time.
How to Secure Patient Information that is PHI
To say PHI has to be secured is misleading because it implies Protected Health Information has to be locked away in a fortress-like environment, whereas the HIPAA Privacy Rule allows "permissible" uses and disclosures for a variety of reasons. The goal is appropriate access control: authorized personnel can use or disclose PHI when necessary, and every use or disclosure is attributable to an identified person, while everyone else is kept out.
With regards to electronic PHI (ePHI), covered entities and business associates have to take greater care about how it is protected because healthcare data is highly sought by cybercriminals to commit medical identity fraud. Due to the threat of data theft, many HIPAA compliance experts suggest organizations adopt a defense in depth strategy that includes as a minimum:
- A firewall to prevent unauthorized access to networks and data
- A spam filter to block malicious emails harboring malware
- A web filter to prevent staff accessing malicious websites
- An antivirus solution to detect malware from other sources
- Encryption of data at rest on all workstations and portable devices (a lost or stolen device whose ePHI is encrypted in line with HHS guidance does not expose "unsecured PHI" and therefore does not trigger breach notification)
- Encryption to protect data in transit – encrypted HIPAA-compliant email for instance
- An intrusion detection system that monitors for irregular network activity
- Auditing solutions that monitor for improper accessing of PHI
- Disaster recovery controls to ensure continued access to data in the event of an emergency
- Extensive backups to ensure PHI is recoverable in the event of an emergency
- Security solutions allowing the remote deletion of data stored on mobile devices in the event of loss or theft
- Security awareness and anti-phishing training for all members of the workforce
- Physical controls to prevent data and equipment theft
- Good patch management policies to ensure software is kept up to date and free from known vulnerabilities
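The "auditing solutions that monitor for improper accessing of PHI" item above is the one control on this list that is specific to PHI rather than general network hygiene, so it is worth seeing what such an audit actually checks. The following is an added example, not code from the original page or from any vendor product: it runs three common snooping heuristics over EHR access-log lines, namely access to a patient record by a user with no documented care relationship, access outside normal working hours, and rapid access to many different patients' records by one user. The log format, the `CARE_TEAM` table, the user and patient identifiers and the thresholds are all constructed for the example; real EHR systems export access logs and care-team assignments in their own formats.

```python
"""Flag PHI record accesses that merit review (added example; all data constructed)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: which workforce members have a documented care
# relationship with each patient. Assumption: the EHR can export such a table.
CARE_TEAM = {
    "P-1001": {"dr_patel", "rn_lee"},
    "P-1002": {"dr_patel"},
    "P-1003": {"dr_chen", "rn_lee"},
}

# Constructed access-log lines: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-05-02T09:14:03 user=rn_lee patient=P-1001 action=view_chart
2024-05-02T09:20:45 user=dr_patel patient=P-1002 action=view_labs
2024-05-02T23:41:10 user=rn_lee patient=P-1002 action=view_chart
2024-05-02T23:42:30 user=rn_lee patient=P-1003 action=view_chart
2024-05-03T10:05:00 user=clerk_ross patient=P-1001 action=view_chart
2024-05-03T10:05:20 user=clerk_ross patient=P-1002 action=view_chart
2024-05-03T10:05:40 user=clerk_ross patient=P-1003 action=view_chart
2024-05-03T10:06:00 user=clerk_ross patient=P-1003 action=view_demographics
"""


def parse_line(line):
    """Turn one log line into a dict with a datetime 'ts' plus the key=value fields."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), **fields}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def no_care_relationship(events, care_team):
    """Accesses by users who are not on the patient's care team."""
    return [e for e in events if e["user"] not in care_team.get(e["patient"], set())]


def off_hours(events, start_hour=7, end_hour=19):
    """Accesses outside the assumed working day (start_hour inclusive, end_hour exclusive)."""
    return [e for e in events if not (start_hour <= e["ts"].hour < end_hour)]


def bulk_access(events, threshold=3, window_seconds=300):
    """Users who open >= threshold distinct patient records within window_seconds."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            # Sliding window anchored at each event; patients touched inside it.
            window = [x for x in evs[i:]
                      if (x["ts"] - first["ts"]).total_seconds() <= window_seconds]
            patients = {x["patient"] for x in window}
            if len(patients) >= threshold:
                flagged[user] = sorted(patients)
                break
    return flagged


def audit(log_text, care_team=CARE_TEAM):
    """Return the findings of all three heuristics as (user, patient) pairs or per-user lists."""
    events = parse_log(log_text)
    return {
        "no_relationship": [(e["user"], e["patient"])
                            for e in no_care_relationship(events, care_team)],
        "off_hours": [(e["user"], e["patient"]) for e in off_hours(events)],
        "bulk": bulk_access(events),
    }


if __name__ == "__main__":
    for category, findings in audit(SAMPLE_LOG).items():
        print(category, findings)
```

On the constructed sample this flags rn_lee's late-night look at P-1002 (no care relationship, off hours) and clerk_ross opening three different charts within a minute. None of these findings is proof of a violation: the Privacy Rule permits uses for treatment, and an emergency "break-glass" access can be legitimate, which is why an audit of this kind produces a review queue for the privacy officer rather than blocking access outright.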
Informing Patients that Health Information is Protected
Although protecting PHI is a requirement of HIPAA, it can be beneficial to highlight to patients that the security of health information is taken seriously. Research has shown that, when patients trust their health information is being protected, they are more willing to share intimate details about themselves and their lifestyles with healthcare providers.
Having more information about a patient’s condition enables healthcare providers to make better informed decisions and more accurate diagnoses to determine the best course of treatment. This in turn leads to better patient outcomes and a reduction in patient readmissions, which can reflect in higher satisfaction scores from patients and their families.
Informing patients that health information is secured doesn’t have to go into details – a few lines of text added to a HIPAA Notice of Privacy Practices is often sufficient. The important thing to remember is that if an organization claims that health information is protected but fails to implement the necessary standards to secure patient information – and a data breach occurs – this could discredit the organization and will likely be taken into account by an investigation into the data breach.
How to Secure Patient Information FAQs
What privacy and security laws apply other than HIPAA?
Other than HIPAA, many states now have privacy and/or data security laws, some with stronger patient protections than HIPAA. Some state laws may only apply to certain types of data (e.g., Illinois' Biometric Information Privacy Act), while others apply across state borders to protect the personal data of any citizen of the state wherever they are (e.g., Texas' Medical Privacy Act).
What can happen if you secure too much information?
If you secure too much information, you could negatively impact healthcare operations. For example, a nursing assistant needs to phone Mr. Jones' wife urgently but cannot access the telephone number because they do not have the right credentials to access the designated record set in which the telephone number has been secured.
Not only will the lack of access delay contacting Mr. Jones' wife, but the nursing assistant will have to find a colleague with the right credentials to access the designated record set and interrupt what they were doing in order to get the phone number to make the call, an unnecessary waste of resources.
What are the Administrative Simplification Regulations?
The Administrative Simplification Regulations are the section of the Public Welfare regulations (45 CFR) containing most of the standards that HIPAA covered entities and business associates have to comply with – i.e., the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. Please note the Department of Health and Human Services’ “unofficial version” of the Regulations has not yet been updated to include the attestation requirements (§164.509) introduced in April 2024.
What are the permissible uses and disclosures of PHI?
The permissible uses and disclosures allowed by the HIPAA Privacy Rule generally relate to uses and disclosures for treatment, payment, and healthcare operations. However, other uses and disclosures are allowed when (for example) they are covered by a Business Associate Agreement with a third party organization or when a patient has authorized the use or disclosure.
How can a patient check their health information is being protected?
A patient can check their health information is being protected by requesting an accounting of disclosures from their health plan or healthcare provider. The accounting of disclosures should list the disclosures of PHI made in the previous six years other than those for treatment, payment, and healthcare operations and the other categories the Privacy Rule exempts from the accounting (such as disclosures to the patient or those the patient authorized). Although it is no guarantee of data security, the accounting of disclosures can be a good indicator of an organization's HIPAA compliance.
Is all patient information considered PHI under HIPAA?
Not all patient information is considered PHI under HIPAA because PHI consists of individually identifiable health information that relates to an individual's past, present, or future health condition, treatment for the condition, or payment for the treatment. Any non-health information maintained in the same designated record set assumes the same protections as PHI.
However, any non-health information not maintained in the same designated record set is patient information not considered PHI. For example, if a hospital maintains a separate database of patient names and telephone numbers to arrange transportation to and from the hospital, and the database does not include any individually identifiable health information, the patient information in the database is not PHI.
What is an example of information that can be both protected as PHI and not protected?
An example of information that can be both protected as PHI and not protected is an emotional support animal. Because an emotional support animal is an identifier (because a patient could be identified by the animal), if details of the animal were maintained in a designated record set with other PHI, it assumes the same protections as the PHI.
However, if details of the animal are maintained in a dataset that does not include individually identifiable health information (e.g., to advise transportation services that the patient has an emotional support animal), the information is not protected by HIPAA, although other privacy laws may apply if the information is disclosed without authorization.
How can securing patient information improve the patient-provider relationship?
Securing patient information can help improve the patient-provider relationship by helping develop an environment of trust. When patients trust that their health information is being protected, they are more willing to share intimate details with healthcare providers. This can lead to better-informed decisions, more accurate diagnoses, better patient outcomes, reduced readmissions, and higher patient satisfaction scores.
What could happen if an organization claims health information is protected but fails to implement the necessary standards?
If an organization claims health information is protected, but fails to implement the necessary standards and that failure results in a data breach, the consequences could include a financial penalty from HHS' Office for Civil Rights and State Attorneys General, a loss of credibility for the organization, and a loss of trust from patients who believed their health information was protected.
Why is healthcare data highly sought by cybercriminals?
Healthcare data is highly sought by cybercriminals because it contains personally identifiable health information that can be used to commit identity theft, insurance fraud, and other forms of cybercrime. Healthcare data can attract high prices on the dark web because it can be used by uninsured and underinsured individuals to obtain expensive treatments. Insurance fraud increases hospital and health plan costs, which can be passed onto employers and employees as higher premiums.