A Guide to HIPAA and PHI

True Story

During a hospital overnight, I was resting in my hospital bed where nurses passed by, performing their regularly-scheduled duties. A piece of paper accidentally fell from a nurse’s pocket. I picked it up. On it was the name and all the vitals of a 79-year-old woman in 115B who had pneumonia. The Health Insurance Portability and Accountability Act (HIPAA) was implemented to safeguard the Protected Health Information (PHI) of patients like that woman and to protect the integrity of members of the healthcare system. Although harmless in my hands, some of the information on that hand-scratched paper was PHI.

HIPAA

In 1996, HIPAA was enacted to oversee the use of, access to, and disclosure of PHI, which is defined as the health data of an individual from the past, present, or future, including the provision of healthcare and payment for healthcare. HIPAA was designed to regulate how this data is created, collected, transmitted, and stored by all HIPAA-covered entities.

PHI

PHI is any personal health information that was created, used, or disclosed while providing a diagnosis or treatment for an individual. This health information includes:

• Demographic information
• Medical history
• Test and laboratory results
• Mental health conditions
• Insurance information
• Any other data collected for identity or to determine appropriate care

PHI Identifiers

Specific PHI identifiers include names, addresses, dates, phone numbers, email addresses, social security numbers, health plan beneficiary numbers, account, certificate and license numbers, vehicle identifiers, URLs, internet protocol (IP) addresses, biometric IDs, photographs, and other unique identifying characteristics.

PHI as a Commodity

Healthcare information is valuable to thieves for various reasons, including using it to receive medical care, purchase prescription drugs, and commit blackmail. Hackers sell information for profit on the black market and dark web to buyers who use it to create fake IDs, purchase medical equipment, file false insurance claims, take out loans, or set up a line of credit, all of which could lead to incurred debt for an unsuspecting patient.

HIPAA Compliance

The cost of non-compliance is financially and legally expensive. Becoming compliant is an in-depth process and is strengthened by implementing these important steps:

• Create privacy and security policies for the organization
• Name a HIPAA privacy officer and security officer
• Implement security safeguards
• Regularly conduct risk assessments and self-audits
• Maintain business associate agreements
• Establish a breach notification protocol

Records Management Center in Augusta, GA understands HIPAA compliance and offers secure record management and document shredding to safeguard your PHI. We can make being HIPAA compliant more manageable. Just call us at 706-724-7982 or take a minute to complete the form on this page and let us know how we can help you.