Data Liability: Understanding Your PHI Responsibility

Featured article by LuxSci founder Erik Kangas

Traditionally, information regarding health is closely guarded, available only to the immediate healthcare providers and patients involved. However, as electronic records become normal, and people allow health applications to track their fitness and everyday activities, the lines demarking what is Protected Health Information (PHI) and what isn’t are blurring. Essential, commonplace items like smartphones and office computers are playing a role in the unauthorized loss or disclosure of patients’ sensitive medical data. It’s important to make sure you and your practice are not at risk.

What Patient Data Is “Protected”?

First things first: What patient health data should you protect? In short, nearly all of it. Protected Health Information (PHI) is the combination of two distinct pieces of information: (a) health information and (b) something that ties it to a specific person, making it “identifiable.” In isolation, either one is safe to share. For example, the name “John Doe” is not PHI and “here are the results of someone’s AIDs test – the test is positive” is also not PHI. However, put together, you have PHI. In this case, you know specifically John Doe’s test results are positive.

Health Information refers to anything regarding a past, present, or future physical or mental health condition; the past, present, or future provision of health care; and the past, present, or future payment-related information for healthcare. This is quite a broad range of information that spans everything from an upcoming dentist appointment to lab results to how much your therapist proposes to charge next year.

What makes health information identifiable? There are 17 different types of identifiers that, when combined with health information, produce PHI: data you must fiercely guard.

These 17 identifiers include:

• * Patient names
• * Social security numbers
• * Dates (excluding the year)
• * Medical record numbers
• * Phone numbers/fax numbers
• * Email addresses
• * Geographic locators that are more local than the state (so county, city, and street address are included). Note: Just the first three digits of a ZIP code are not an identifier since they include such a large   group of people.
• * Health insurance beneficiary identifiers
• * IP (Internet Protocol) addresses
• * URLs
• * Vehicle information like license plate numbers
• * Device serial numbers
• * Other account numbers like credit cards and bank accounts
• * Photos that identify the person like full body and facial shots
• * Biometrics like retinal, voice, and fingerprints
• * Certificate/license numbers
• * Any other unique codes

As you can see, this list is about as comprehensive as you can get, especially with that last one thrown in! This means that healthcare and health data providers have a big responsibility when it comes to keeping their patients’ information safe.

Where Can PHI Be Found?

Your patients’ medical charts are not the only place to find confidential information. Protected health information is in some unexpected places, leaving patient privacy vulnerable and your business susceptible to breach. Here’s a short list of the places you should triple-check to ensure you properly safeguard PHI:

• * Emails (both inbound and outbound messages)
• * Text messages
• * File-sharing cloud sites (think of Google Drive and Dropbox)
• * Fax machines
• * Copy machines
• * Printers/scanners
• * Cell phones, specifically mobile devices like smartphones and laptops
• * File cabinets (Make sure they’re locked.)
• * File storage rooms (Also ensure you secure these spaces and that only certified personnel can access them.)
• * USB devices or older floppy disks and CDs
• * Prescription pads
• * On your website, especially if an outside firm runs it (Patient photos could be an issue here, even outdoor shots of your office if there are vehicles or people in the photos.)
• * Website forms (Are you collecting PHI from your website visitors?)
• * Hard drives
• * Small and large files stored on servers located in your office or in an off-site location
• * Desktop computers
• * Front desk/lobby areas

What Is the Severity of Compromised PHI?

Ethically, all companies that handle sensitive PHI should hold that data in the highest regard. It’s a basic tenet of working with patients that you protect their private information. From a legal standpoint, there are also some ramifications for compromised data. In January 2013, the U.S. Department of Health and Human Services updated its HIPAA reporting law to require companies to report PHI breaches, no matter how they happen, immediately. You can view a full description of what to report, and when, by visiting the HIPAA reporting rules, but it’s important to fully understand your responsibility should your patients’ PHI ever become compromised.

When there’s a potential HIPAA law violation, the Office of Civil Rights will investigate it. Depending on the findings, a practice or company can receive a fine from $100 to $50,000 per violation (that is, per datum breached), and the government can file criminal charges in severe cases of willful neglect of the law. It’s worth your time, and it’s a requirement of HIPAA, to ensure that you properly protect all PHI in your possession, both to safeguard the privacy of your patients and to keep your business out of liability’s way when it comes to civil and criminal ramifications.

Erik Kangas , founder of LuxSci, has an impressive mix of academic research and software architecture expertise, including: undergraduate degree from Case Western Reserve University in physics and mathematics, PhD from MIT in computational biophysics, senior software engineer at Akamai Technologies, and visiting professor in physics at MIT. Chief architect and developer at LuxSci since 1999, Erik focuses on elegant, efficient, and robust solutions for scalable email and web hosting services, with a primary focus on Internet security. Lecturing nationally and internationally, Erik also serves as technical advisor to Mediprocity, which specializes in mobile-centric, secure HIPAA-compliant messaging. When he takes a break from LuxSci, Erik can be found gleefully pursuing endurance sports, having completed a full Ironman triathlon and numerous marathons and half Ironman triathlons.