In March 2020, a medical practice in Utah paid out a $100,000 settlement for a HIPAA violation. The Office for Civil Rights (OCR) found that the practice didn’t conduct a risk analysis after a breach at one of the practice’s business associates.
By failing to create a report, the practice jeopardized patients’ personally identifiable information and got penalized in the process. Many organizations can’t afford the hit to their savings and reputation that a HIPAA violation brings. How can they protect themselves?
Federal law requires HIPAA-covered entities to protect their patients’ personally identifiable information. However, it can be tough to tell what counts as PII and what doesn’t. Let’s look into what personally identifiable information is and what it isn’t.
What is personally identifiable information?
PII consists of any information that can be used to identify, contact, or locate a patient. While it’s similar to protected health information (PHI), PII is specifically focused on whether the data can be used to identify someone.
Because PII is any data that is identifiable, certain information can count as PII in some situations and not in others. For instance, a patient’s first name may not be considered PII if they live in a large city. However, if they live in an extremely small town, then it’s likely PII.
Even if one particular piece of information isn’t enough to identify a patient on its own, combining it with another piece of data can make it PII. For example, although a patient’s first name may not be considered PII, adding their zip code may make it identifiable.
It doesn’t matter if the information is on paper or in electronic form. As long as it can identify someone, it could be PII. So what factors make data identifiable?
What makes information identifiable under HIPAA?
Personally identifiable information includes a person’s
- Full name
- Maiden name or mother’s maiden name
- Date of birth
- Street address
- Telephone number
- Fax number
- Email address
- Social Security number
- Passport number
- Taxpayer identification number
- Driver’s license number
- Financial records or information
- Account numbers
- Credit card or debit card numbers
- Medical records
- Personal property records
- Vehicle registration and title
- License plate number
- Internet protocol (IP) addresses
- Full face photos
- Biometric identifiers, such as fingerprints or voiceprints
- Employment records
- Educational records
Just one of the above can make information identifiable. Facts such as place of birth, place of death, first name, last name, first initial, and zip code can be PII if two or more are present.
While PII has to be protected and kept secure, data like health records and test results can be vital for researchers and medical professionals. Is this information always considered PII? Or can PII be altered for use as research data?
How can PII be de-identified?
Medical records can be a rich source of data for studies, research, or statistical purposes. However, using those records for research while they still contain personal information is illegal. Thankfully, you can de-identify PII.
By taking out or encrypting all personally identifiable information, the medical information left can be used for studies. For example, a record that states Jane Doe from New York had a successful appendectomy could be changed to Patient A had a successful appendectomy.
The challenge involved in de-identifying PII is making sure that the information is not easily re-identifiable. To help prevent re-identification, you need to analyze how risky it is to use certain records and assign specific employees to de-identify the data.
If the information has been stripped of all identifiable factors, then it’s no longer PII. By understanding what PII is and what it isn’t, your organization will be able to protect individuals’ personal data and prevent expensive lawsuits.
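To make the de-identification steps above concrete, here is an added example (not Jotform's code and not part of the original post) that drops the direct identifiers listed on this page, coarsens the quasi-identifiers that become identifying in combination (zip code and age), replaces names with a keyed pseudonym so a record cannot be traced back without the secret key, and refuses to release a batch in which any zip/age combination is shared by too few patients. The field names, the sample records and the key are constructed for the demonstration.

```python
# Added example, not Jotform's code: de-identify a small batch of patient
# records before they are handed to researchers.
import hmac
from collections import Counter

# Direct identifiers, drawn from the list on this page (field names assumed).
DIRECT_IDENTIFIERS = {"full_name", "date_of_birth", "street_address",
                      "telephone", "email", "ssn", "ip_address"}
# Quasi-identifiers: harmless alone, identifying in combination.
QUASI_IDENTIFIERS = ("zip", "age_band")

def pseudonym(name, key):
    """Keyed HMAC: the same patient always maps to the same token, but the
    token cannot be reversed without the key, which stays out of the dataset."""
    return "Patient-" + hmac.new(key, name.encode(), "sha256").hexdigest()[:8]

def generalize(record):
    """Coarsen quasi-identifiers so more patients share each combination."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["zip"] = record["zip"][:3] + "XX"            # keep 3-digit ZIP prefix
    decade = record["age"] // 10 * 10
    out.pop("age", None)
    out["age_band"] = f"{decade}-{decade + 9}"       # 10-year age band
    return out

def deidentify(records, key, k=2):
    """Return de-identified records, or raise if any quasi-identifier
    combination is shared by fewer than k records (re-identification risk)."""
    cleaned = []
    for rec in records:
        out = generalize(rec)
        out["patient"] = pseudonym(rec["full_name"], key)
        cleaned.append(out)
    groups = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in cleaned)
    rare = [combo for combo, n in groups.items() if n < k]
    if rare:
        raise ValueError(f"re-identifiable groups (fewer than {k} people): {rare}")
    return cleaned

# Constructed, fictional sample records.
SAMPLE = [
    {"full_name": "Jane Doe", "date_of_birth": "1984-02-11", "ssn": "000-00-0000",
     "zip": "10001", "age": 41, "procedure": "appendectomy", "outcome": "success"},
    {"full_name": "John Roe", "date_of_birth": "1981-07-30", "ssn": "000-00-0001",
     "zip": "10027", "age": 44, "procedure": "appendectomy", "outcome": "success"},
]
KEY = b"constructed-demo-key"  # placeholder; a real key lives in a secrets store

if __name__ == "__main__":
    for row in deidentify(SAMPLE, KEY):
        print(row)
```

Adding a third record with a unique zip prefix and age band makes `deidentify` raise, which is the point: a record that is alone in its group is the one a reader could pick out.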
Knowing what PII is will help you keep it safe
One medical practice was fined for not taking the proper precautions to protect PII. Instead of leaving your organization open to lawsuits, learning what PII is will help you know what you need to protect and what you don’t. So how do you protect the PII in your care?
One way to keep your data safe is by using HIPAA-compliant online forms. At Jotform, we offer secure, HIPAA-compliant online forms. Whether your patients are getting care exclusively online or just want to save time by filling out forms online, our forms will keep your PII protected. Find out what makes us a leader in HIPAA-compliant forms.