PHI and You: The Basics You Need to Know
PHI and You: The Basics You Need to Know
Protected health information (PHI) is a term often heard in the healthcare industry in relation to HIPAA laws, but what does it mean exactly? PHI, including electronic protected health information (ePHI), refers to individually identifiable information relating to the health status of an individual. The protection of information that could reveal the identity of an individual, their medical history, or their payment history is vital. There are 18 different personal identifiers that, when included with patient health information, designate that information as "protected."
- Geographical identifiers
- Dates directly related to an individual
- Phone numbers
- Fax Numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Vehicle license plate numbers
- Certificate or license numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Fingerprints, retinal and voice prints
- Full face or any comparable photographic images
- Any other unique identifying characteristic
Why is PHI protected and what does that mean for you?
PHI is designated as "protected" in order to safeguard the privacy of individuals. Due to the required and addressable safeguards of HIPAA, patient information must be treated sensitively. These requirements mean that is the responsibility of the employer to create policies and procedures in order to maintain the integrity of PHI, provide compliance training sessions, and make sure the policies and procedures are easily accessible to all employees. What reasonable and appropriate safeguards does your organization have in place in order to protect PHI?
Who is Covered by HIPAA?
HIPAA Covered Entities (CEs) under the Act, such as health plans, healthcare clearinghouses, and healthcare providers, are responsible for safeguarding PHI and ePHI. HIPAA also covers business associates (BAs) and other vendors. Because BAs (or vendors) are contracted with CEs to provide services and activities that may allow them access to PHI, they are bound by the same requirements to safeguard and protect patient health information. In these situations, if a CE has a business associate agreement (BAA) with a BA or a vendor, they are allowed to disclose patient health information for the purpose of Treatment, Payment, and Healthcare operations (TPO).
There are several different situations where a CE may disclose PHI under HIPAA. They include incidental uses and disclosures, disclosures between CEs, and communicating with patients. While a CE is allowed to disclose PHI in each of these situations, there are guidelines and requirements in each situation to comply with HIPAA standards.
Incidental uses and disclosures are "a secondary disclosure that cannot be reasonably prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule" (HHS.gov). Let's look at several examples of incidental uses and disclosures:
- Sign-in Sheets – Sign-in sheets are permitted under HIPAA as long as they appropriately limit the amount of information required to minimum necessary. They can only include the doctor's name, patient's name, appointment time, and the patient's time of arrival for the appointment. For example, a sign in sheet doesn't need to have the reason for the visit listed, but the patient's name and doctor's name would be allowed.
- Patient Check-in – HIPAA permits oral disclosures while checking-in a patient in the same way that it permits disclosures on a sign-in sheet. However, the information disclosed must be appropriately limited. For example, when checking-in a patient, you may ask their name and what doctor they are there to see. While doing so, it is important to speak quietly and be aware of those around you.
- Confidential Conversations with Other Providers or Patients – To ensure reasonable safeguards for patient health information, providers need to be mindful of their surroundings when discussing PHI. For example, if a provider needs to review patient history with a nurse, it should be done in a private office or by speaking quietly if a private location is not available. Providers should not mention patient names, if possible. Another way to safeguard patient information is by talking quietly while discussing a patient's condition with family in a waiting room.
Disclosures between CEs, such as a provider disclosing patient treatment information to another physician or hospital for additional treatment, is permissible. For this type of disclosure the minimum necessary standards does not apply; however, the provider may choose to disclose the minimum necessary information for any disclosures to which the standard applies. Additionally, CEs are permitted to communicate with patients about their care including information that is classified as PHI. Patients can also give consent for CEs to release PHI to family members or friends, or other individuals involved in their care or the payment of their care.
Communications between CEs and other providers or CEs and patients can be made in several ways as long as reasonable safeguards are applied. Everyday methods of communication include mail, facsimile (fax), email, or phone. Let's review some common reasonable safeguards for each mode of communication:
- Mail (such as the US Postal Service) – It is important to consider the confidentiality and security of the information being sent by mail. Using envelopes with security lining, marking the envelopes as "confidential," and verifying the envelope is addressed to the correct organization or individual are all essential ways to safeguard PHI when mailing the information.
- Facsimile (fax) – When using a traditional fax machine, a CE can apply the same considerations regarding the confidentiality and security of the transmitted information. Keeping the fax machine in a secure location where only those authorized can use it, using cover sheets with an appropriate privacy disclaimer, verifying the correct fax number before sending a fax, and logging faxes to track them are all examples of reasonable safeguards when sharing PHI by fax.
- Email – While encrypted email is the safest and most preferred method of safeguarding email communication, it is not always required. Other safeguards can include limiting the information contained in an email to the minimum necessary, avoiding transmitting highly sensitive PHI, verifying the recipient's email address, and always including a privacy statement.
- Phone – Making phone calls in a private location is always preferred. However, if that is not possible, lowering your voice in the presence of others and discussing minimum necessary information are appropriate safeguards for protecting PHI while on a phone call. Verifying the phone number before calling and requiring individuals to authenticate themselves by providing their name, address, and/or date of birth when answering the phone are additional recommended safeguards when calling patients to discuss their personal health information.
So, what's the general consensus when it comes to PHI?
As mentioned previously, PHI, including ePHI, refers to individually identifiable information relating to the health status of an individual. Protecting patient privacy including information that could reveal the identity of an individual, their medical history, or their payment history is obviously very important when it comes to patient care. The general idea may seem very simple; treat patient health information as you would like yours treated, and don't tell those who do not need to know. However, it requires creating policies and procedures, providing and taking training, and conducting regular risk analyses. It also requires understanding when to disclose PHI, to whom, and how to do so safely.
Protecting and safeguarding patient health information is an ongoing process and HCP is here to help. We offer training and support to make sure everyone in your organization knows how to safeguard PHI. In the event a breach was to happen, our expanded HIPAA program has you covered. With access to our online breach log, you can submit your "suspected" breaches to us for determination and mitigation. We will determine if a breach has occurred, who needs to be notified, and what corrective action needs to be taken. HCP will also provide you with all the necessary information required by the Department of Health and Human Services.