In this article we discuss the types of protected health information, look at the HIPAA requirements, and review how to keep sensitive data secure.
People often ask what protected health information (PHI) actually means. Put simply, it is any information that identifies a patient combined with information about that patient's health or care: medical histories, statistics, laboratory test results, mental health conditions and, beyond the clinical data, financial details such as bills, payments, and insurance information. In other words, PHI is health-related data tied to an identifiable individual.
The concept comes from the USA's primary legal source on the subject, the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA, through the rules issued under it, governs how PHI may be used and disclosed.
HIPAA defines PHI as individually identifiable information about a person's past, present, or future physical or mental health, the health care delivered to that person, or the payment for that care. The HIPAA rules keep a close eye on how this information is generated, collected, transferred, and stored by HIPAA-covered organizations.
Sensitive details about patients are what the healthcare industry deals with constantly: names, addresses, dates of birth, email addresses, telephone numbers, full-face photos, insurance details, medical conditions, and so on. Whether it is a digital record or a paper document, PHI reveals a patient's medical history and treatment results.
HIPAA is a federal law, but it does not apply to everyone: it binds covered entities (health plans, health care clearinghouses, and health care providers that transmit health information electronically) and their business associates. Within that scope, any unauthorized use or disclosure of a person's PHI is a violation, and every patient has the right to have their health information kept confidential.
Managing PHI and a company's HIPAA compliance is not easy. It is a genuinely involved task, because every part of the Privacy and Security Rules demands documentation and tight control over the regulatory requirements.
Electronic protected health information (ePHI)
Electronic protected health information (ePHI) is any PHI that is created, maintained, processed, transmitted, or received in electronic form. The HIPAA Security Rule applies to ePHI wherever it is stored (PCs, internal and external hard drives, USB drives, CDs, DVDs, SD cards, smartphones, backup copies, cloud storage) and however it is transmitted (Wi-Fi, the Internet, modem or DSL links, email, file transfer services). The transport has to be protected just as carefully as the storage.
Nearly all HIPAA rules and regulations revolve around PHI and its safeguarding. Hence, building a culture of careful PHI management is crucial for achieving HIPAA compliance.
Some data elements are often overlooked, for example payments, the IP address of a device, retina scans, fingerprints, diagnostic codes, and dates of visits.
It is worth noting that PHI also includes information that is no longer current. An old address or a previous phone number can still identify a person. That is why PHI is best thought of as the combination of an identifier and health data: the identifier is what makes the health data protected, and it stays protected no matter how old that identifier is.
Interacting with Protected Health Information
Regardless of the form, electronic (ePHI), written, or verbal, the privacy standards for PHI are the same. Everyone whose job involves PHI has to know how to protect it, because even a small slip can lead to a data breach.
The minimum necessary standard is a key rule when managing PHI. It means accessing, using, and disclosing only the smallest amount of PHI needed to complete your task. Keeping the information you access to yourself and not discussing it with anyone who does not need it, even close colleagues, is not just good manners but a professional obligation. Whether you are IT staff, a health plan administrator, an HR representative, accounts payable, or the business owner, the responsibility and prudence demanded when dealing with this sensitive information are equally high. If you notice PHI exposed in your department, inform your security officer immediately.
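The minimum necessary standard is easiest to enforce when it is written into the system rather than left to each employee. The following Python is an added example, not code from the article or from ZenBit: it projects a patient record down to the fields a given role is allowed to see, denies by default, logs every access, and also shows the point made above that a set of fields becomes PHI as soon as an identifier (including a historical one or an IP address) is paired with health or payment data. The roles, field names, and the sample record are assumptions made for illustration.

```python
"""Minimum-necessary views of a PHI record, filtered by role (deny by default).

Added example: this is not code from the article or from ZenBit. The roles,
field names, and the sample record below are assumptions made for illustration.
"""
from datetime import datetime, timezone

# Fields that identify a person. Historical values (previous addresses, old
# phone numbers) and device data (IP address) are included deliberately:
# they identify someone just as well as the current values do.
IDENTIFIERS = {
    "name", "address", "previous_addresses", "date_of_birth", "email",
    "phone", "previous_phones", "ip_address", "fingerprint_template",
    "insurance_member_id", "full_face_photo",
}
HEALTH_DATA = {"diagnosis_codes", "lab_results", "visit_dates", "mental_health_notes"}
FINANCIAL_DATA = {"bills", "payments"}

# Role policy (assumed roles). Anything not listed for a role is withheld,
# so a new field added to the record stays hidden until someone grants it.
ROLE_POLICY = {
    "treating_clinician": (IDENTIFIERS - {"ip_address", "insurance_member_id"}) | HEALTH_DATA,
    "billing": {"name", "address", "insurance_member_id", "visit_dates",
                "diagnosis_codes"} | FINANCIAL_DATA,
    "it_support": {"ip_address"},   # enough to troubleshoot a device, no chart access
    "hr": set(),                    # HR has no task that needs clinical data
}
ALWAYS_VISIBLE = {"record_id"}      # opaque internal key, not an identifier by itself


def is_phi(fields):
    """True when a set of fields pairs at least one identifier with health or payment data."""
    fields = set(fields)
    return bool(fields & IDENTIFIERS) and bool(fields & (HEALTH_DATA | FINANCIAL_DATA))


def minimum_necessary(record, role, audit_log):
    """Return only the fields `role` may see and append an audit entry.

    Raises PermissionError for a role with no policy instead of falling back
    to a permissive default.
    """
    if role not in ROLE_POLICY:
        raise PermissionError(f"no minimum-necessary policy for role {role!r}")
    allowed = ROLE_POLICY[role] | ALWAYS_VISIBLE
    view = {k: v for k, v in record.items() if k in allowed}
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "role": role,
        "record_id": record.get("record_id"),
        "fields_released": sorted(view),
        "fields_withheld": sorted(set(record) - allowed),
        "view_is_phi": is_phi(view),
    })
    return view


# Constructed sample record (fictitious values, not real patient data).
SAMPLE_RECORD = {
    "record_id": "rec-0001",
    "name": "Jane Example",
    "address": "1 Example St, Springfield",
    "previous_addresses": ["9 Old Rd, Shelbyville"],
    "date_of_birth": "1980-01-01",
    "phone": "+1-555-0100",
    "ip_address": "203.0.113.7",
    "insurance_member_id": "INS-12345",
    "diagnosis_codes": ["Z00.00"],
    "lab_results": {"HbA1c": "5.4%"},
    "visit_dates": ["2023-03-01"],
    "bills": [{"amount": 120.0, "paid": False}],
}

if __name__ == "__main__":
    log = []
    for role in ROLE_POLICY:
        view = minimum_necessary(SAMPLE_RECORD, role, log)
        print(f"{role:>19}: {sorted(view)}")
    for entry in log:
        print(entry["role"], "withheld", entry["fields_withheld"], "PHI:", entry["view_is_phi"])
```

Two design choices matter here. Access is deny-by-default, so an unknown role or a newly added field never leaks; and the audit entry records what was withheld as well as what was released, which is what an incident responder needs when reconstructing who saw which part of a record.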
Talking about HIPAA compliance…
Every covered entity has to be HIPAA compliant: health plans (including employer-sponsored group health plans), health care clearinghouses, and health care providers that transmit health information electronically. Their business associates, such as lawyers, paper shredding services, accountants, and IT vendors that handle PHI on their behalf, must also comply and secure PHI. Compliance comprises employee training, conducting and documenting a risk assessment, and maintaining current Security and Privacy policies and procedures.
Before working with any third-party provider, a Business Associate Agreement (or, one level down the chain, a Business Associate Subcontractor Agreement) has to be signed. The agreement sets out what the vendor may do with PHI, the safeguards it must apply, and its duty to report breaches to you. It does not remove your own obligations: a breach at a vendor can still become your problem, and without a signed agreement their mistake is also your violation, with the legal mess that follows.
Find out how we developed a Medical Social Web App while taking HIPAA compliance into account in our client case below.
Medical Social Web App
This solution had to be created from scratch. It was important for us to build a solution that fully meets the needs of our clients and the specifics of the healthcare industry. The result is an easily scalable, reliable, secure, and HIPAA compliant solution that meets the industry standards. The end product consists of web and mobile apps powered by an AI system that helps find a treatment strategy based on other users' input, backed by medical and non-medical staff who help users achieve their goals.
Consequences for HIPAA violation
There are penalties both for employees and employers who violate HIPAA. The HHS Office for Civil Rights (OCR) enforces the rules and imposes civil penalties, which start at $100 per violation and rise by tier with the level of culpability. Criminal violations are prosecuted by the Department of Justice, with fines up to $250,000 and prison sentences up to ten years for knowingly obtaining or disclosing PHI for commercial advantage, personal gain, or malicious harm.
Long before a regulator gets involved, HIPAA requires every organization handling PHI to have a sanction policy in place. Depending on the severity of the violation, sanctions range from letters of reprimand and suspension without pay to termination.
Sharing Protected Health Information with Family and Friends
Although medical professionals are required to protect the privacy of the data they handle, PHI can be shared with relatives and friends, provided you agree. Sometimes it is unavoidable: you can ask your sister to pick up your test results or take your prescription to the pharmacy, and your physician may discuss your condition, treatment, and bills in your husband's presence. You are equally free to object to your current state being discussed with someone you do not want to know about it.
Some advice on how to protect health information
It is hard to be too cautious when managing PHI. A clean desk habit goes a long way toward keeping your work data safe.
First of all, lock your computer whenever you leave it, whether for a 15-minute coffee break or a weekend trip out of the city. Storing files in a safe place such as a locked filing cabinet when they are not in use is just as important.
Above all, learn your company's policies and procedures and follow them consistently, even when that takes extra effort. They work only if every member of staff follows them, so do your part in preventing a data breach by studying and understanding them.
Sensitive data and health apps
You may wonder whether there is any guarantee that the health app you use follows HIPAA rules, since such apps naturally collect a lot of sensitive data that ought to be protected. The answer is no, not always, which is why the situation around PHI and health apps is rather chaotic. A health app can record your weight and daily physical activity together with your location, diet, and other identifiers. Yet HIPAA protects the data in a health or fitness app only when the app is run by or on behalf of a covered entity; an app you install yourself, even one recommended by your doctor, is usually outside HIPAA's scope.
All in all, respecting and acting in accordance with the HIPAA rules on PHI management protects your business reputation and helps you avoid potential penalties.
We at ZenBit understand very well how important handling protected health information properly and being HIPAA compliant is. It is a challenging top priority for every PHI-related business, and we have the skills and knowledge to support you in it. Your good name and excellent client service come first. ZenBit developers provide strategic advice and decision-making support on emerging technologies for your business's steady growth. We provide connections, insight, and competitive power to our clients. Our research approach draws on both primary research and our large global network. Contact us today for more information!