The Ultimate Guide to Handling Protected Health Information (PHI)

Simar Kohli
January 6, 2022

Introduction

As part of a healthcare-adjacent field, you’ve likely heard a ton about HIPAA and how it mandates protecting patient privacy. While HIPAA’s general concepts are fairly straightforward, putting them into practice is much more complicated. The shift to digital healthcare has created many challenges around identifying protected health information (PHI), determining whether an organization is a covered entity, and ensuring PHI is utilized in a compliant manner. Keeping up with changing regulations and technology can be difficult, but this post will serve as your guide to handling PHI from creation all the way through deletion.

What Constitutes Protected Health Information (PHI)?

The proliferation of technology into healthcare has made determining what constitutes PHI more difficult. Consumers are sharing increasing amounts of health information to companies that operate very differently than traditional healthcare organizations. This section will cover identifying PHI while the next part of the guide will focus on what understanding what makes an organization a covered entity and/or business associate.

The HIPAA Privacy Rule defines PHI. Under the HIPAA Privacy Rule, protected health information (PHI) is defined as “individually identifiable health information” which covers an individual's past, present, or future medical conditions. It also includes details on administrating healthcare and any payments related to administrating said care. Some examples of these are test results, patient demographics, and insurance information.

What are the protected health information (PHI) identifiers?

HIPAA outlines 18 identifiers that constitute PHI since they can be used to identify an individual. These should not be disclosed unless permitted by HIPAA or unless the patient provides authorization to do so. Here are the 18 identifiers.

  • Name
  • Dates (except year)
  • Telephone numbers
  • Geographic data for subdivisions smaller than a state
  • Street addresses, city, county, precinct, and zip code
  • First three digits of a zip code with over 20,000 people are not PHI
  • If a county has under 20,000 people, the first three digits are changed to 000
  • Fax numbers
  • SSN
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Vehicle identifiers such as license plates
  • Web URLs
  • Device identifiers and serial numbers
  • IP Addresses
  • Full face photos
  • Biometric identifiers (ex. fingerprints or retina)
  • Any unique identifier or code

The list above is somewhat dated for 2022. Covered entities should protect information like social media usernames and other digital identifiers in addition to the contents of the list.

Exceptions to the definition of PHI

There are a few exceptions to HIPAA’s definition of protected health information (PHI). These can be confusing since they often contain personally identifiable information.

  • Data from wearable devices.
  • Consumers are using devices such as smartphones and fitness watches to track their health at a rapidly growing rate. These devices collect lots of health data including heart rate, temperature, and more. If the company that makes the devices and collects the data stores information it is not PHI.
  • This data becomes PHI if it is shared with healthcare organizations or used to administer healthcare.
  • Education Records:
  • Things such as allergies or disabilities in education records are not considered PHI.
  • Employment Records:
  • Much like education records, employment records are not considered PHI. OHSA claims are explicitly listed as an exception to disclosure laws.  

If you are not sure whether information is considered PHI, it is better to treat it with the same caution as you would other medical data. Playing it safe can only insulate your company from potential legal action in case of unauthorized disclosure or a breach.

When is PHI not PHI?

Most people believe all medical records can be classified as protected health information (PHI) in HIPAA although there are varying exceptions to this rule. First, there is the person, company, or service that is collecting this info.

An excellent example is the health tracker, e.g. physical instruments or apps for mobile devices. These devices can track health information like heart rate, blood pressure, and other medical parameters that would constitute PHI under the ACA. While the app is providing healthcare services, HIPAA does not apply to it. But, because the app is not a covered entity, or a business associate working on behalf of a covered entity, the data the app collects and stores is not considered PHI. Instead, it is considered consumer health information or personal health information. Because the data is not protected health information (PHI), the app maker does not need to be HIPAA compliant.

The above example would change if the app maker worked for a physician or hospital. In this scenario, by using the app to extend healthcare services, the physician or hospital would refer patients to the app and the app maker would be considered a business associate under HIPAA. In this case, the data that the app maker collects and stores would be considered PHI and the app maker would need to be HIPAA compliant.

What is ePHI?

Electronic protected health information (ePHI) is any information relating to health created and stored electronically. It's pretty simple in that it is digital PHI. HIPAA security rules provide specific guidelines on the methods of monitoring ePHI, meaning companies that collect and store electronic protected health information need to be HIPAA compliant.

HIPAA Data Storage, Cloud Storage, and ePHI

The cloud has changed almost everything when it comes to HIPAA and handling of PHI. As companies have come to rely on cloud providers for various services, those close customers have also come to rely on those cloud providers for various aspects of HIPAA compliance. In order to be HIPAA compliance, the onus is on cloud customers to ensure all requirements of HIPAA, whether they fall to the customer or the cloud provider, are followed. This can get complicated quickly and can make proving HIPAA compliance hard for cloud customers.

Is my Organization a Covered Entity?

One of the most important aspects of HIPAA is that it only applies to covered entities (CEs) and business associates (BAs). A CE fall into one of three categories: health plans, healthcare clearinghouses, or healthcare providers.

  • Health plans include things such as insurance companies, HMO’s, government programs, and employer health plans.
  • A healthcare clearinghouse is a business that processes non-standardized healthcare information into a standardized format and transmit it to other organizations. They are often layers between providers and plans.
  • Ex. a company that takes data from a doctors office (provider) and processes it into a standardized format for an insurance company (plan).
  • Healthcare providers are one typically thinks of when healthcare is brought up. These are organizations that actually administer healthcare such as doctors offices, physical therapists, psychologists, etc.

The Center for Medicare and Medicaid Services has published a guide to help you determine if your organization is considered a covered entity. If you are still unsure as to whether your organization is a covered entity, it is better to assume that you must abide by HIPAA requirements as a precautionary measure and that the data you collect and store is protected health information (PHI), not consumer health information.

Is my Organization a Business Associate (BA)?

HIPAA also applies to business associates of covered entities. BAs are organizations that provide services for covered entities that involve PHI. BAs typically don’t come into direct contact with patients, but often deal with large amounts of health data. Some examples of BA are collections agencies, medical device makers (that utilize PHI in the design or build process), and answering machine services.

A general rule of thumb is that a company is a business associate if they need to access protected health information (PHI) to carry out their functions. A cleaning company that may inadvertently access healthcare documents with PHI would not be considered a business associate.

Since covered entities are responsible for their business associates, they will create what’s known as a business associate agreement (BAA) that specifies the different duties and liabilities the organizations have. In general a covered entity should: identify every business associate, make sure the BA adheres to HIPAA regulations, and sign a BAA with every associate to protect both firms.

Subcontractors under HIPAA

BAs of BAs are known as subcontractors. If a subcontractor comes into contact with PHI, they must sign a BAA with the business associate they are working for. The most common example of subcontractors are cloud service providers such as AWS. If PHI is stored in the cloud, the company utilizing the cloud must sign a BAA with the service provider. Most cloud service providers will have a standardized shared responsibility agreement. In this scenario the company offering the cloud service is responsible for ensuring the security of the cloud itself while the company utilizing the cloud provider is responsible for security inside the cloud. If your organization is a covered entity, make sure your business associates have BAA’s in place with subcontractors. If your company is a BA to a covered entity, make sure that every subcontractor signs a BAA.

How Should my Organization Handle PHI?

Dealing with protected health information (PHI) can be tricky. The next few sections will teach you how to handle PHI in accordance with HIPAA requirements. These requirements are defined in the HIPAA Security Rule.

How to Store and Access PHI in a Compliant Manner

The HIPAA Security Rule mandates that covered entities and business associates have administrative, physical, and technical safeguards for any physical or digital protected health information (PHI). These requirements need to be followed to achieve HIPAA compliance and to handle protected health information (PHI). Having these safeguards is essential to preventing breaches and upholding patient privacy. Here are some required security controls contained in the HIPAA Security Rule.

Administrative Safeguards in the HIPAA Security Rule

Administrative controls primarily focus on policies. Every organization should have all employees with access to computer systems complete security awareness training. In addition to security awareness training, organizations should require specific HIPAA training for various departments.  Companies should also conduct a risk assessment to find and remedy any potential vulnerabilities. Any access, transmission, or modification to PHI should be logged for potential audits. HIPAA mandates keeping logs of your security policies for 6 years beyond their last usage. Any modifications to security sytems should also be logged for at least 6 years.

Physical Safeguards in the HIPAA Security Rule

Although PHI is becoming more and more digital, it is still important to have sufficient physical controls. Some physical safeguards include security systems at facilities containing PHI, locking file cabinets for written PHI, limited access to workstations containing PHI, and other barriers to entry for areas storing private information. For many health-tech organizations, physical security is mostly focused on device security. Make sure you can remotely wipe any devices that contain PHI if you lose them. Avoid writing passwords down and make sure that people can not see your screen if you are accessing PHI.

Technical Safeguards in the HIPAA Security Rule

Technical safeguards are arguably the most important form of protection in 2022. Since most private data is hosted on the cloud, proper network and device security are crucial to preventing breaches. If you are using a third party cloud service, make sure it is configured to handle PHI. Amazon Web Services, Microsoft Azure, and Google Cloud all have ways to utilize their services in a compliant manner. If you are using your own servers, make sure to have a network firewall in place and log the status of said firewall. All employees should have strong passwords and utilize multi-factor authentication for logging into systems with PHI. One additional technical control is proper transmission security. Having secure storage does not mean much if you can not send data safely.

Physical Controls in HIPAA in the HIPAA Security Rule

Any physical or digital location you secure PHI should have all of the controls necessary to keep data safe. An internal risk assessment is one way to find vulnerabilities, but an audit is a more thorough way to secure your systems. Consider using an automated tool such as Vanta to undergo an audit and remedy your weaknesses.

How to De-identify PHI

Covered entities and business associates must only protect data that is classified as PHI. This means that health data that can not be linked to any individuals is no longer protected. De-identifying is a way to modify data to take the ‘P’ out of PHI so it can be shared freely. Once data has been de-identified, HIPAA compliance is not longer something that you need to worry about when it comes to the management of that data.

There are two primary methods of de-identification, safe harbor and expert determination.

Safe Harbor Method of De-identification of PHI

The safe harbor method involves removing identifiers from a data set. These identifiers include name, addresses, and much more. The full list can be found on the HHS website. After the data has been modified, the next step in safe harbor is ‘resolving actual knowledge’. This means verifying that recipients have no way to re-identify data.

When using safe harbor, some records may need to be completely omitted if de-identification is not possible. For example, if you are helping conduct research on how different jobs affect blood pressure, you may need to remove records of CEOs if there are only one or two in the study. An extremely small sample size leads to an increased possibility of re-identification. You should work with the recipients of data and confirm they have no methods to connect data with individuals.

Expert Determination Method of De-identification of PHI

The expert determination process involves hiring an expert on HIPAA and privacy to determine if data can be used to identify individuals. When choosing someone for expert determination, make sure they are trained on HIPAA regulations, statistics, and other relevant information. One distinction between expert determination and safe harbor is the recipient of the data that is de-identified. Expert determination is only for specific recipients while safe harbor is for any hypothetical recipient.

How Disclose and Transmit PHI in a Compliant Manner

One of the largest components of HIPAA is guidelines for disclosing PHI. Covered entities are allowed to disclose PHI with their patients' authorizations, but the rules for disclosure without authorization are more complex.

Allowable disclosures of PHI

The most prominent reason for disclosing PHI is for treatment, payment, and healthcare operations activity. This includes scenarios where doctors, nurses, and other clinicians use PHI to determine how to best treat a patient or to review prior treatments. PHI may also be used to bill patients or their insurance providers. They may also share PHI with third-party covered entities if the third party also has a relationship with the patient and if the disclosure is for the purposes given above.

Mandatory disclosures of PHI

HIPAA also has certain situations where disclosure is mandatory. These need to be followed to be HIPAA compliant. Some examples include preventing the spread of infectious diseases, situations with suspected child or elder abuse, and to comply with court orders. The full list of scenarios can be found on the HHS website.

Transmitting (sending and receiving) PHI

Another important precaution for protecting patient privacy is only transmitting PHI using secure methods. The methods you use should be HIPAA compliant. This means avoiding SMS, email, and other unencrypted forms of communication. Many covered entities use patient portals that are already HIPAA compliant.

What about Slack and HIPAA?

Another option is to use a secure messaging platform or service that does comply with HIPAA. One example that we love at Haekka is Slack for HIPAA. Slack signs BAAs and offers a simple guide for how to use it for sending and receiving PHI. In addition to signing a BAA with Slack, companies need to be on a Slack Enterprise Grid plan.

What about paper records?

Despite most of healthcare adopting electronic health records, there remains tons and tons of paper medical records. If you are sending paper copies of PHI, make sure to use fax or first class mail. It’s your responsibility to protect PHI in transit, so make sure to use proper channels.

HIPAA Compliance and Retaining PHI  

One important part of the Privacy Rule is that it grants individuals the right to receive copies of their PHI. Covered entities have 30 days to comply with a patients written request for a copy of whats known as the designated medical record. The designated medical record is an information set meant to help clinicians make healthcare decisions. It includes things such as admission records, test results, billing documents, and official doctor’s recommendations. Patients have the right to correct inaccuracies in the designated medical set. HIPAA also requires companies keep logs of things such as notice of privacy policies, employee training, data recovery plans, and much more.

The full list of HIPAA retention requirements can be found here. Make sure your company retains the data necessary in case someone submits a request for information for their PHI or your policies.

Retention of compliance related data under HIPAA

Under the Privacy Rule, HIPAA does have other data retention requirements, namely that companies should retain information related to their compliance activities. This includes things like policies and procedures as well as risk assessments.

----

Bring HIPAA Training to Slack!

At Haekka, we offer training to get your entire workforce up to speed on how to handle PHI. The content is delivered in Slack, so anywhere your staff works. Better yet, we auto-generate auditor-approved evidence so it's super simple to prove your doing all the training HIPAA requires. To learn more, let's setup a demo.