HIPAA and PHI Information
What are HIPAA and PHI?
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 and includes provisions that require that an individual's personal health information remain secure and confidential. The 1996 law was reinforced by the passage of the HITECH Act in 2006, which addressed the risks created by the use of electronic medical records. As healthcare organizations keep moving to electronic record keeping, the threats to data security become greater. In addition, the 2006 law significantly increased the fines and penalties for HIPAA violations.
Basically, HIPAA does four things that affect every person or organization who comes into contact with an individual's healthcare data. HIPAA (1) creates a right for patients to have the privacy of their healthcare data maintained and secured, (2) creates security regulations covering all Protected Health Information and electronic Protected Health Information, (3) requires enforcement, and finally (4) requires notification of the appropriate agencies and affected individuals in the case of a data breach. It is the requirement that specific security protocols be in place to protect data that this paper will be discussing. However, before getting into the issue of protecting data, we need to understand exactly what data HIPAA seeks to protect.
Protected Health Information
HIPAA acts to regulate and secure what is known as Protected Health Information (PHI), sometimes known as Individually Identifiable Health Information (IIHI). With the passage of the HITECH Act, PHI now also includes electronically stored and maintained PHI, known simply as ePHI.
PHI and ePHI are any data, or combination thereof, that can be used to identify an individual. It doesn't take much for information to qualify as PHI. Just a few examples of what constitutes PHI: a driver's license number, license plate numbers, photos, names of relatives, identified test results, SSN, medical ID, age, voicemail, URLs, telephone numbers, email and postal addresses, and medical images. In other words, almost everything collected by a healthcare organization falls under the protections of HIPAA. More importantly, any outside organizations that provide services to health-related organizations are also in “possession” of PHI. As a result, any organization that comes into contact with PHI, no matter how tangentially, is covered by HIPAA. Such organizations are responsible for maintaining PHI security, and are subject to fines and penalties if PHI is breached. Additionally, they are now required to do a HIPAA risk assessment of all of their vulnerabilities and map out how they will work to eliminate or mitigate those vulnerabilities. In our next blog we will discuss further the risk assessment requirement and what it entails.
Why is a HIPAA risk assessment such a big deal?
As a professional in the healthcare field, you obviously are very familiar with HIPAA, that ever-present reminder that data security is an issue that is always running in the background behind every activity that takes place in a medical professional's workplace, as well as in almost every supporting business that works with them. Everyone who works with protected health information (PHI) is aware that they are responsible for keeping that data secure.
HIPAA is a few decades old, so the revelation that regulations exist to cover data security is not exactly news. However, what may not be as clear to many who are covered by this law is that they are not just responsible for avoiding a breach; they are responsible for showing that they have actively assessed the risks of a data breach and have taken precautions to eliminate, or at least mitigate, that risk. In other words, an organization can be fined for failing to do its due diligence and do as much as possible to recognize where a data breach could occur. That is, it could be fined even if no data has been breached, simply because it has allowed a situation to develop which creates vulnerability.
The process of determining all of your possible vulnerabilities in terms of data security is known as a risk assessment. HIPAA requires that organizations do a thorough risk assessment to protect their data. Simply put, a HIPAA risk assessment should determine that your organization is in compliance with all of the privacy, security and breach notification requirements of HIPAA. This is achieved via the risk assessment process, the goal of which is to identify all potential areas of vulnerability.
Given that so much data is now stored electronically, the risk of a data breach is considerably higher, and security is far more complex. It needs to be noted that ignorance of any particular part of the HIPAA regulations is not an excuse for non-compliance. Most importantly, failure to do a risk assessment, or conducting an inadequate risk assessment that fails to identify specific vulnerabilities, is, in and of itself, a fineable offense. Failure to identify a potential risk does not have to be wilful to be subject to penalties.
Who must do a Risk Assessment? HIPAA reaches far beyond health-related organizations
Those who think adhering to HIPAA security regulations is just about putting together a set of guidelines for handling PHI and keeping it secure have another thing coming. Just making sure a data breach doesn't happen does not keep you in compliance with HIPAA regulations. HIPAA also requires that an organization conduct a thorough and complete risk assessment to determine what actions need to be taken to keep its data secure. And it isn't just healthcare providers and medical organizations that are touched by this risk assessment requirement.
The reach of the HIPAA risk assessment requirement has been expanded and now covers almost any entity that touches PHI. In HIPAA jargon, both Covered Entities and Business Associates are now required to conduct a risk assessment. Covered Entities (CE) were the focus of the original 1996 law. These are entities that, in the normal conduct of business, create, maintain, directly access, and/or transmit PHI and ePHI. Examples of these entities are healthcare providers, clearinghouses, insurance plans, and employers who self-insure. Since then, updates to the law have expanded its regulatory coverage to include Business Associates (BA). BAs are those entities which come into contact with PHI through their association with a CE. This expansion to BAs consequently pulls in a wide swath of organizations that were previously not covered. Examples could be law firms and accounting firms who provide services to a CE. Other examples might include IT contractors, managed service providers, billing firms, data storage centers, video and audio conferencing services, and even email servers. No matter how oblique their contact with PHI, even if it is just in the aggregate, BAs are now required, under the HITECH Act, to conduct a HIPAA risk assessment, and are also subject to penalties.
In short, this quick summary should make it clear that a thorough and supportable HIPAA risk assessment is a complex and involved process, even for a BA with minimal data contact. With the dominance of digitally stored, maintained and transmitted data, this risk assessment should only be handled by a thoroughly experienced data professional. Organizations that wish to avoid penalties as a result of an audit should contact a professional IT service provider with experience in the field of healthcare data security and the specifics of a HIPAA risk assessment.