You might have heard about PHI in relation to medical documents, prescriptions, forms, appointments, billing information, or records of communication with your healthcare provider. But what is PHI and why is it so important to keep it under the wraps and disclose it only when necessary?
Well, Health Insurance Portability and Accountability Act (HIPAA) Compliance is in place to ensure the security, integrity, and sanctity of personal data and information. HIPAA requires covered entities to implement safeguards for Protected Health Information or PHI as it is commonly referred to.
What does PHI mean?
Generally, HIPAA Protected Health Information is any data or information found in an individual’s medical record which was used during the treatment or diagnosis that can be utilized to personally identify that individual.
It is a broad term that includes many identifiers and data which was recorded in the course of the treatment and the billing process. The collection of information as well as safeguarding it requires proper care and training.
What is considered PHI?
PHI is not just limited to medical records or health markers. In fact, it can be any identifier that is used during the course of a patient’s healthcare. However, not all the information documented during the treatment is labeled PHI. For one, the data should be personally identifiable to the patient. Secondly, when the collected information has been disclosed or shared with a covered entity to fall under PHI and be HIPAA compliant.
PHI can include:
- The physical condition or health of a patient (past history, present condition)
- All health-care services provided to a patient
- All records of payments and bills for the services provided to a patient
PHI may include the following identifiers:
- Phone number
- Email address
- Date of Birth
- Social security number
- Demographic information
- Employment records
- Medical record number
- Billing information
- Prescription information
- Beneficiary numbers
- Health insurance
- Health records
- Health status
- Payment history
- Account number
- Family members
- Discharge date
- Admission date
- Biometric identifiers
What is ePHI?
Electronic Protected Health Information or ePHI is PHI that is created, saved, transferred, or received electronically. The different forms in which ePHI can be stored include the hard drive of a computer, external hard drives, USB drives, magnetic tape, and smartphones. Transferring of ePHI is done via ethernet, wi-fi, DSL, or cable network connections.
ePHI was described in the HIPAA Security Rule which compelled organizations to implement physical, technical, and administrative safeguards to protect the integrity and sanctity of the collected information.
Where the HIPAA Privacy rule applies to every PHI in every form that is available, the HIPAA Security Rule applies only to ePHI and excludes the oral and paper version of the data. The Security Rule was crafted to ensure the protection of ePHI and to have a check over the business associates who handle ePHI.
Difference Between Consumer Health Information (CHI) and Protected Health Information (PHI)
The major difference between Consumer Health Information and Protected Health Information is that in the case of HIPAA, you need to follow the guidelines set by HIPAA in their compliance requirements. Consumer Health Information does not need to comply with the HIPAA guidelines.
So how do you identify the information between the two? Check if the following two conditions are true: the information personally identifies the patient; the information is used by a covered entity during the course of treatment and care. Only then you are dealing with PHI and need to be HIPAA compliant.
On the other hand, if the information collected is personally identifiable, but it is not to be shared with a covered entity at any point in time, you can identify that as Consumer Health Information and does not need to be HIPAA compliant.
The HIPAA Privacy and Security rules define methods to limit unauthorized access to PHI. The methods include physical, technical, and administrative safeguards to protect against anticipated threats, especially for covered entities.
Physical Safeguards: Instructions that include keeping electronic devices and records having PHI under lock and supervision
Technical Safeguards: Includes the use of technology such as setting up encryption and firewalls to protect PHI
Administrative Safeguards: Includes policies to restrict access of PHI to specific personnel, educating and training staff about the importance of security and privacy.
It is up to the covered entities to evaluate their IT capabilities and identify possible risks to PHI. HIPAA does not specifically list down the steps or the technology that should be used by entities, but the strategy should be such that it effectively prevents malware and hackers from gaining access to patient data.
It is important for organizations to take proactive measures as defined by HIPAA to protect PHI. They must implement physical, technical, and administrative safeguards to make sure that the data and private information they have stays safe and confidential.
The fact that HIPAA has left the implementation of safety measures to the discretion of the individual organization can sometimes be frustrating. Organizations do not know how exactly they have to be HIPAA compliant, while the cost of non-compliance is very high. Below are the actions that your organization needs to take in order to be compliant:
- Arrange frequent employee training on HIPAA rules to create awareness regarding the possible risks to data privacy
- Define policies to prevent unauthorized access to PHI
- Use methods to store and transfer PHI that is defined by HIPAA
- Invest in data loss prevention controls such as endpoint security solutions and encryption
- Appoint a HIPAA Privacy Officer in your organization
UControl Billing can help your organization become HIPAA compliant when it comes to PHI, offering a complete framework from training your employees, identifying the possible threats to help adopt the best procedures and policies, so that you can spend more time focusing on your business. Start your journey to compliance, today!
A couple of years ago, I executed the effective plan of creating a Medical billing and Coding company named U Control Billing. The company aims to bring revolutionary advancements to foster medical billing and coding revenues. As an official member of HIA-LI and MGMA, I feel honored in providing networking opportunities, problem-solving, and improving the revenue management cycle.