Understanding the Health Insurance Portability and Accountability Act (HIPAA) isn’t just a core requirement for ensuring compliance, but a crucial business imperative. This is particularly important when businesses handle Protected Health Information (PHI).
Securing PHI, as outlined under HIPAA, requires more than surface-level scanning, especially when organizations lack visibility into where their data resides or with whom it is shared. The foundation every organization needs is a clear understanding of what counts as PHI, which shows up in more places than many organizations realize.
This guide breaks down what counts as PHI under HIPAA, the 18 identifiers that make health data “identifiable,” what changes after de-identification, and a compliance checklist for best practices organizations should follow to store, share, and manage PHI responsibly.
Understanding PHI Under HIPAA
HIPAA defines Health Information as any information, oral or recorded, created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse and relating to an individual's past, present, or future physical or mental health or condition, health care provision, or payment for health care.
On the other hand, HIPAA’s Privacy Rule explicitly details Individually Identifiable Health Information, also known as Protected Health Information (PHI). PHI refers to any information about a person’s health, care, or healthcare payments created or handled by covered entities that identifies the individual or could reasonably be used to identify them.
An individual who knowingly discloses individually identifiable health information (PHI) can incur hefty monetary penalties as well as imprisonment. This applies when the individual uses a unique health identifier, obtains PHI about another person, or discloses PHI to another person. In such a scenario, the individual can face fines of up to $250,000, 10 years of imprisonment, or both.
In short, any healthcare records, services, or billing details pertaining to the patient constitute sensitive patient information and must be protected to ensure HIPAA PHI compliance.
HIPAA PHI: The 18 Identifiers You Must Protect
HIPAA is geared toward protecting sensitive personal health data and empowering patients with rights over their health data. Under HIPAA, any information pertaining to an individual becomes PHI when it includes specific data elements that can identify an individual.
These data elements, commonly referred to as identifiers, are outlined in the HIPAA Privacy Rule. If an organization finds itself collecting, processing, storing, or sharing any of these 18 identifiers, it will be subject to the HIPAA regulations. These 18 identifiers include:
- Names
- Address (geographic subdivisions smaller than a state, including street address, city, county, precinct, and ZIP code)
- Dates relating to an individual, including birth, admission, discharge, and death dates
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URLs
- Internet Protocol (IP) addresses
- Biometric identifiers, including fingerprints and voice prints
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
These identifiers alone can trigger HIPAA protection, especially when they are coupled with healthcare data, treatment plans and services, and billing information.
What Happens to PHI After De-identification?
Data can be accumulated from multiple sources, and some of it may not be directly related to an individual or fall under the protected standard. When PHI has been de-identified according to HIPAA standards, meaning names, addresses, phone numbers, and the other identifiers have been removed so that the data can no longer be linked to a person, that information is no longer subject to HIPAA regulations.
De-identified health information is unrestricted and can be freely used, processed, stored, shared, or sold for whatever purposes the organization deems fit, without the patient's consent. This is because de-identified health information can no longer be used to identify an individual.
The HIPAA Privacy Rule specifies two ways to de-identify health information. These include:
a. Expert Determination Method
A qualified expert applies statistical or scientific principles to determine that the risk of re-identification is very small.
b. Safe Harbor Method
All 18 HIPAA identifiers are removed, and the organization has no actual knowledge that the remaining data could be used to identify an individual.
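To make the Safe Harbor step concrete, here is an added example (not code from the original article or from Securiti) that scans a free-text record for the identifiers in the list above that have a recognizable syntax, redacts them, and returns a per-identifier count for the audit trail. The regex patterns and the sample note are my own assumptions; names, biometrics, photos and "any other unique code" cannot be caught by a regex and still need NER tooling or manual review before data is treated as de-identified.

```python
import re

# Illustrative regex patterns (my own assumptions, not an authoritative HIPAA
# detector) for the Safe Harbor identifiers that have a recognizable syntax.
# Names, biometrics and photos are out of reach here and need separate review.
IDENTIFIER_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "URL": re.compile(r'\bhttps?://[^\s<>"]*[^\s<>".,;:)]'),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "DATE": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "MRN": re.compile(r"\bMRN[:#]?\s*\d{4,}\b"),
    "ZIP": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}

def find_identifiers(text):
    """Return sorted, non-overlapping (start, end, kind) spans found in text."""
    spans = sorted(
        (m.start(), m.end(), kind)
        for kind, pattern in IDENTIFIER_PATTERNS.items()
        for m in pattern.finditer(text)
    )
    kept = []
    for span in spans:
        if kept and span[0] < kept[-1][1]:  # overlaps the previous span; skip it
            continue
        kept.append(span)
    return kept

def safe_harbor_redact(text):
    """Replace each detected identifier with a [KIND] token and return the
    redacted text plus a per-kind count, so the removal can be audited."""
    pieces, last, counts = [], 0, {}
    for start, end, kind in find_identifiers(text):
        pieces.append(text[last:start])
        pieces.append(f"[{kind}]")
        counts[kind] = counts.get(kind, 0) + 1
        last = end
    pieces.append(text[last:])
    return "".join(pieces), counts

# Constructed sample record with fictitious values (example data, not real PHI).
SAMPLE_NOTE = (
    "Patient admitted 03/14/2021, MRN 8841002, SSN 123-45-6789, lives at "
    "ZIP 90210; phone 555-867-5309, email j.doe@example.org; portal login "
    "from 203.0.113.7 via https://portal.example.org/visit/77."
)
```

Calling `safe_harbor_redact(SAMPLE_NOTE)` returns the note with every identifier replaced by its `[KIND]` token and a count of eight identifiers across eight kinds; a zero count for a kind you expect to be present is a signal that the pattern, not the data, needs attention.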
How PHI Is Handled and Managed Under HIPAA
No matter what stage of the data lifecycle PHI is in, it must be handled with care, securely guarded, and protected from unauthorized access or inadvertent exposure. HIPAA establishes detailed guidelines on how covered entities and business associates must manage PHI to protect patient privacy from the moment data is obtained, processed, stored, shared, or eventually destroyed.
Core principles of handling and managing PHI under HIPAA include:
a. Minimum Necessary Rule
Covered entities should collect only the minimum amount of information necessary to provide their services, and the data must be used only for its intended purpose.
b. Permitted Uses and Disclosures
PHI may be used or disclosed without the patient's consent for treatment, payment, and health care operations.
c. Access Controls
Access controls should be implemented so that PHI is accessed only by authorized individuals who need it to perform their job duties. This includes role-based access, multi-factor authentication, and similar measures.
d. Security Safeguards
Organizations must establish administrative, physical, and technical protections to secure PHI. This comprises policies and training, secure data storage, and technical measures, including data encryption at rest and in transit, risk assessments, and maintaining audit logs.
e. Retention and Disposal
While PHI is in use, it must be retained according to HIPAA guidelines and industry best practices. Once PHI has served its purpose and is no longer required, it should be securely disposed of, such as by permanently deleting electronic data or shredding paper records.
HIPAA Compliance Checklist for Protecting PHI
A HIPAA compliance checklist helps organizations confirm that they are properly protecting PHI and complying with HIPAA standards and related regulatory requirements.
a. Governance and Policies
- Designate a privacy and security officer in charge of overseeing compliance with HIPAA requirements
- Update organization-wide policies to accommodate the HIPAA Security and Privacy Rule standards and regularly update policies to reflect evolving regulatory changes
b. Risk Assessment and Management
- Conduct regular assessments such as vulnerability assessments, risk assessments, penetration testing, and compliance audits to identify and remediate potential threats to PHI
- Continuously monitor systems and processes for new or emerging vulnerabilities
c. Access Controls
- Establish role-based access controls to limit access to PHI and introduce multi-factor authentication as an additional layer of security before access is granted
- Maintain a comprehensive list of access privileges and regularly review access entitlements to ensure that the right people have been given access to PHI; revoke access where necessary
d. Use and Disclosure of PHI
- Collect only the minimum data necessary for operational requirements, and ensure PHI is processed, stored, or shared only for permitted purposes
- As a best practice, an industry standard, and in compliance with regulatory requirements, obtain the patient's consent when making decisions about their health data
The HHS Office for Civil Rights publishes further guidance on the essential elements of an effective HIPAA compliance program.
Automate Compliance with Securiti DSPM
As regulatory pressure increases and data environments grow more complex, organizations can no longer rely on manual methods to ensure compliance. DSPM offers a proactive, automated, and scalable solution to maintaining a continuous data security and privacy posture, not just for HIPAA, but for any current or future regulation.
Securiti's Data Command Center (rated #1 DSPM by GigaOM) provides a built-in DSPM solution, enabling organizations to secure sensitive data across multiple public clouds, private clouds, data lakes and warehouses, and SaaS applications, protecting both data at rest and in motion.
With Securiti, organizations can leverage contextual data intelligence and controls to discover and classify data, minimize ROT (Redundant, Obsolete, and Trivial) data risk, reduce misconfiguration vulnerabilities, prevent unauthorized data access, understand data flow, and enforce consistent security controls across the data journey, including real-time streaming data, while also managing compliance and breach risk.
Schedule a demo to learn more.