Cyberattacks targeting healthcare organizations are on the rise, and the consequences are significant. From regulatory penalties to reputation damage and, most importantly, risks to patient safety, a breach of patients’ sensitive healthcare information can be devastating. That’s why the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers to follow many requirements for protecting patient data classified as protected health information (PHI).
HIPAA requires that PHI remain confidential at all times. This means providers like hospital systems, community clinics, and private practices have to follow a litany of HIPAA rules to protect this data, even though healthcare cybersecurity is complex. In this article, you’ll learn what PHI is, why it needs protection, and how providers and healthcare organizations can better protect it.
What Is PHI?
PHI is any data created, received, or stored by HIPAA-covered entities and business associates that either:
- Can be used to identify an individual (such as a Social Security number, name, or date of birth)
- Is tied to the identity of an individual (such as a name accompanying lab results)
This data can include information regarding diagnoses, the past, present, or future treatment of a patient for either their physical or mental health, and payment for healthcare services.
In its digital form, PHI is called electronic protected health information (ePHI), which is becoming more common. However, PHI can also include printed information and even information shared verbally.
Examples of PHI
But what, exactly, qualifies as PHI? HIPAA says providers need to follow specific safeguards for any data that fits into these categories:
- Geography (more detailed than a state, such as city, street name, etc.)
- Identifying dates other than a year (admission date, discharge date, etc.)
- Phone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Vehicle license number or serial number
- Medical device identifier or serial number
- URLs (website links)
- IP addresses
- Biometrics, like fingerprints
- Full facial photographs
- Any other unique identifying characteristic
PHI is everywhere. In its digital form (ePHI), it’s in computers, flash drives, smartphones, tablets, emails, PDFs, and more. It’s even in prescriptions, calendar appointments, MRIs, and X-rays. PHI also includes credit card numbers, demographic information, test results, and insurance information.
Even things that don’t seem like PHI might count as PHI, depending on the circumstances. Since HIPAA fines range from $100 to more than $50,000 per violation, it’s best to err on the side of caution.
What Doesn’t Count as PHI?
However, not all patient data counts as PHI. There are certain situations where PHI disclosure rules won’t apply, including:
- Data for a patient who has been deceased for at least 50 years.
- Student health data stored by a university or public school (this data is subject to more stringent standards than HIPAA).
- Health-related information stored by employers about their employees.
- De-identified PHI. If providers remove all identifiers from the data, it’s no longer considered PHI and can be shared.
- Data stored in health apps that patients use to record their health and fitness goals, like a digital pedometer.
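The identifier list above and the de-identification rule are easier to reason about with a concrete scanner. The following Python is an added example, not code from this article or from Tausight: it searches free text for the machine-recognizable identifier categories named above (dates, phone and fax numbers, email addresses, Social Security numbers, IP addresses, URLs) and produces a de-identified copy that keeps only the year of any date. The sample note, the regular expressions, and the function names are all constructed for illustration; categories such as names, geography, medical record numbers, and biometrics have no fixed textual shape and need other controls, so a scanner like this is a discovery aid, not a complete de-identification process.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample clinical note; none of these values belong to a real person.
SAMPLE_NOTE = (
    "Patient admitted 03/14/2023, discharged 2023-03-18. "
    "Contact: jane.doe@example.com, (555) 867-5309, fax 555-555-0199. "
    "SSN 123-45-6789. Portal login from 192.168.1.25; "
    "see https://portal.example.org/visit/77 for results."
)

# One illustrative pattern per identifier category that has a recognizable textual form.
# These are assumptions for the example, not an authoritative or exhaustive rule set.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "url": re.compile(r"\bhttps?://[^\s,;]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}-)\d{3}-\d{4}\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
}


def scan(text: str) -> List[Tuple[str, int, int]]:
    """Return non-overlapping (category, start, end) spans in order of appearance.

    When two patterns match the same region, the earliest-starting (and, on a tie,
    the longest) span wins, so every character is attributed to at most one category.
    """
    hits = []
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((m.start(), -m.end(), category))
    hits.sort()
    spans: List[Tuple[str, int, int]] = []
    last_end = -1
    for start, neg_end, category in hits:
        end = -neg_end
        if start < last_end:  # overlaps a span already kept
            continue
        spans.append((category, start, end))
        last_end = end
    return spans


def find_identifiers(text: str) -> List[Tuple[str, str]]:
    """List (category, matched text) for every identifier found, for review or alerting."""
    return [(category, text[start:end]) for category, start, end in scan(text)]


def _year_of(date_text: str) -> str:
    """Keep only the year, which the de-identification rule permits to remain."""
    return date_text[:4] if "-" in date_text else date_text[-4:]


def deidentify(text: str) -> str:
    """Replace each detected identifier with a category tag; dates become their year."""
    out, cursor = [], 0
    for category, start, end in scan(text):
        out.append(text[cursor:start])
        if category == "date":
            out.append(_year_of(text[start:end]))
        else:
            out.append(f"[{category.upper()}]")
        cursor = end
    out.append(text[cursor:])
    return "".join(out)


if __name__ == "__main__":
    for category, value in find_identifiers(SAMPLE_NOTE):
        print(f"{category:6} {value}")
    print(deidentify(SAMPLE_NOTE))
```

Running the block lists the eight identifiers in the constructed note and prints the de-identified text; re-running `find_identifiers` over that output returns nothing, which is the check a practitioner would want before the text leaves a controlled system. In a real deployment the patterns would be tuned per record format, and any match rate above zero on a supposedly de-identified export is itself a finding worth alerting on.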
Why Providers Must Protect PHI
Substantial HIPAA fines are a concern, but they’re not the most important reason healthcare organizations need to protect PHI through investments in cybersecurity and physical safeguards. Not only is it the right thing to do out of respect for patient privacy, but PHI breaches can pose serious risks to patient safety through improper treatment, inaccurate diagnoses, and delays in the provision of care.
The challenge is that attackers desperately want healthcare data. In fact, healthcare records are worth more than any other records on the black market, selling for $250 to $1,000 or more per record. Meanwhile, credit card numbers sell for about $5 each and Social Security numbers for $1 each.
Attackers also know that healthcare organizations face challenges in securing patient PHI, especially on Internet of Things (IoT) devices, which store and transmit data in the cloud. Plus, this isn’t like a stolen credit card number. Patients can’t change their address, Social Security number, or name every time an attacker steals their information. If their data is out there, it’s there forever — and that’s why healthcare providers need to take PHI protections so seriously.
As a healthcare provider, you’re required to protect PHI at every stage. At a minimum, your business needs to follow HIPAA’s administrative, physical, and technical safeguards for PHI.
If you rely on vendors to process patient information, HIPAA also requires you to sign business associate agreements (BAAs) with those vendors. These third-party vendors include:
- IT vendors
- Cloud storage companies
- Data processing vendors
- Medical transcriptionists
- Third-party HR companies
BAAs define who is accountable for protecting PHI. Ultimately, the hospital or health system is responsible for ensuring PHI protection, making it crucial for healthcare organizations to audit their third-party vendors to ensure they have the appropriate safeguards in place.
Get Better PHI Visibility with Situational PHI Awareness
HIPAA created the concept of PHI in the 1990s, but a lot has changed in the decades since. Because of the immense amount of data generated, received, stored, and sent by healthcare providers, it’s more challenging than ever to identify and protect PHI.
You can only protect PHI if you know it exists. Tausight’s Situational ePHI Awareness solution detects PHI across all endpoints in your healthcare ecosystem and analyzes PHI activity and risk to continuously evaluate your organization’s cyber preparedness. Contact Tausight today to learn how you can gain a comprehensive, real-time view of PHI through the entire healthcare continuum.