The first day at a new job should be the exciting start of a new chapter in your career. For one lab tech at a Maine hospital, her first day was a shocking introduction to a hostile environment.
She discovered that her coworkers were mocking their disabled patients by posting their private medical information on a wall in the office. Instead of correcting the situation, the hospital allowed these employees to continue. Eventually, they even accessed the medical records of the lab tech who reported their behavior.
This blatant misuse of patient records brought in a flood of bad press for the hospital and left the institution vulnerable to an expensive lawsuit. These employees ignored HIPAA’s basic principle: Protected health information (PHI) must be kept secure.
Does your business deal with PHI? This article will discuss what PHI is, which businesses handle it, and how you can protect it.
What is PHI?
Protected health information is data that identifies a patient and is shared or disclosed during medical care. PHI includes a patient’s medical diagnosis, treatment plan, insurance information, Social Security number, address, name, and demographic information, such as gender.
All information that identifies the patient is protected. Even information that seems unrelated to healthcare, such as financial account information about medical services, can be PHI.
There are 18 factors that make PHI identifiable. Treat data as PHI if it includes any of these factors:
- Name, whether it’s the full name, last name, or initials
- Geographical identifiers more specific than a state
- Dates, other than years, related to the person
- Phone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health insurance beneficiary number
- Account number
- Certificate or license number
- Vehicle identifiers, such as the make and model
- Device identifiers and serial numbers
- IP address numbers
- Biometric identifiers, such as fingerprints, retinal scans, and voiceprints
- Full face photographic images
- Any unique identifying number, characteristic, or code given to the patient (except the code assigned to code the data)
Data is PHI until it has been stripped of all 18 identifying markers. After that, it isn’t governed by HIPAA.
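The stripping step described above can be sketched in code. This is an added example, not code from the article or from any HIPAA tooling. The field names, the sample record, and the regular expressions are assumptions made for illustration, and the patterns cover only a few of the listed identifiers.

```python
import re

# Hypothetical field names; map them to your own schema.
DROP_FIELDS = {"name", "phone", "fax", "email", "ssn", "mrn", "insurance_id",
               "account_number", "license_number", "device_serial",
               "ip_address", "photo", "street", "city", "zip"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}

# Identifier shapes that commonly leak into free-text notes (illustrative only).
TEXT_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "PHONE": re.compile(r"\b\d{3}[ .-]\d{3}[ .-]\d{4}\b"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "DATE": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{4}\b"),
}

# Constructed sample record, not real patient data.
SAMPLE = {
    "name": "Jane Q. Example", "birth_date": "1984-07-19",
    "state": "ME", "zip": "04101", "diagnosis": "Type 2 diabetes",
    "note": "Pt called from 207-555-0100 on 2021-03-04; email jane@example.org.",
}

def scrub_text(text):
    """Replace identifier-shaped substrings with a tag; return (text, tags hit)."""
    hits = []
    for tag, pattern in TEXT_PATTERNS.items():
        text, count = pattern.subn(f"[{tag}]", text)
        if count:
            hits.append(tag)
    return text, hits

def deidentify(record):
    """Return (scrubbed copy, sorted list of what was removed or generalised)."""
    out, removed = {}, set()
    for key, value in record.items():
        if key in DROP_FIELDS:
            removed.add(key)  # direct identifier: drop the whole field
        elif key in DATE_FIELDS:
            # Keep only the year; assumes ISO 8601 dates (YYYY-MM-DD).
            out[key.replace("_date", "_year")] = str(value)[:4]
            removed.add(key)
        elif isinstance(value, str):
            out[key], hits = scrub_text(value)
            removed.update(f"{key}:{tag}" for tag in hits)
        else:
            out[key] = value
    return out, sorted(removed)
```

Pattern matching will not catch names or other identifiers written as ordinary words inside a note, so free-text fields still need review before the data is treated as de-identified.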
Now that we know what PHI is, we need to know who should worry about it. What organizations deal with PHI?
What organizations store or transmit PHI?
You may be concerned that you’ve been handling PHI after reading that list. After all, banks and employers deal with financial information that’s often classified as PHI. Has your business been collecting PHI without knowing it?
Probably not. A business can store the same information as a healthcare provider without it being PHI. That’s because there are two markers that establish data as PHI. The information has to be personally identifiable, and it has to be used in a healthcare setting. If your company isn’t a HIPAA-covered entity or a business associate of one, you’re not dealing with PHI.
HIPAA-covered entities include healthcare providers, health plans, and healthcare clearinghouses. Everything from orthodontists to hospitals to doctors is covered by HIPAA. These institutions routinely handle PHI, so they know they have to follow strict regulations to protect it.
A business associate is any third party that uses PHI to perform a service for a HIPAA-regulated entity. Companies performing services such as medical billing, staffing services, or data security must have a business associate agreement with the regulated HIPAA entity.
While business associates don’t use PHI as much as covered entities, they still need to ensure their data is safe. Third parties account for more than 20 percent of healthcare breaches. Business associates need to put safeguards in place to protect PHI.
Following HIPAA regulations isn’t easy when you’re dealing with the day-to-day demands of your business. Let’s explore some simple ways you can keep the PHI in your possession secure.
How can you protect your PHI?
Organizations with custody of PHI must protect their clients from identity theft and fraud while keeping their business running smoothly. Here are some standard procedures for protecting data without complicating your company’s processes:
- HIPAA compliance starts with data collection. You can collect PHI online with JotForm’s HIPAA-compliant forms.
- Limit who has access to health information. Only the patient and those who need the information to do their job should access PHI.
- Train your employees on HIPAA compliance. Your workers will be dealing with PHI every day. They need to know what they can and can’t do with it.
- Establish policies and procedures for dealing with PHI. Review your company’s policies regularly to ensure you’re still HIPAA compliant.
- Encrypt online communications that include PHI. Give patients an access code so only they can access the PHI you send to them.
- Dispose of PHI properly. Paper documents can be shredded, while online records must be deleted.
Complying with HIPAA regulations is essential for protecting the reputation of your business and avoiding tough fines and the loss of client confidence. Taking compliance seriously will keep your business out of legal trouble and in good standing with your clients.