
Avoiding protected health information (PHI) exposures

Protected health information (PHI) refers to any information related to an individual’s health, treatment, or payment for healthcare services. Under the Health Insurance Portability and Accountability Act (HIPAA), healthcare organizations must safeguard PHI to preserve patient privacy, prevent identity theft, and foster patient trust in the healthcare system. Organizations can ensure PHI’s confidentiality, integrity, and availability by implementing robust, HIPAA compliant security measures.

This includes security strategies such as secure access controls, data encryption, employee training, regular risk assessments, and compliance with state regulations, along with HIPAA, to prevent unauthorized access, use, or disclosure of sensitive health data. The unsecured transmission of PHI is one of the most common types of HIPAA breaches, but it is also easy to avoid with the right mix of safe cybersecurity tools, including HIPAA compliant email.

What qualifies as PHI?

Before implementing protections, organizations must first understand what constitutes PHI. It encompasses a broad range of details that can connect an individual to their health status, history, or treatment. It includes a patient’s personally identifiable information (PII) and all health-related data:

  • Names: Full names, nicknames, or any variations
  • Addresses: Physical and email addresses
  • Contact numbers: All contact numbers, mobile or landline, including fax numbers
  • Social security numbers: Sensitive information linking to identity and financial records
  • Dates: Birthdates, admission and discharge dates, appointment dates
  • Codes: Diagnostic, procedure, and billing codes
  • Geographic data: City, state, or region information
  • Medical records: Physical and electronic records, insurance information, or billing information

Electronic PHI (ePHI) is PHI that is held or transferred in electronic form. PHI itself can exist in any form: paper, electronic, or spoken. It is not limited to medical records or individually identifiable health markers; it can be anything that identifies a patient and is used during care.

Read more: What are the 18 PHI identifiers?

What protects PHI?

The primary safeguard for PHI is HIPAA. HIPAA establishes strict guidelines for the use, disclosure, and protection of PHI, ensuring the confidentiality of individuals’ health information. The HIPAA Privacy Rule establishes the national standards to protect PHI, while the Security Rule creates a framework for the defense of ePHI. To enhance data confidentiality, healthcare organizations must prioritize HIPAA compliance by using strong security measures.

HIPAA compliance promotes strong data security, especially as data breaches in the healthcare industry continue to increase in size and breadth. According to reports, the total number of individuals affected by healthcare data breaches from 2005 to 2019 was 249.09 million. Of these, 157.4 million individuals were impacted in the last five years alone. More recent reports also show that healthcare data breaches exposed 275 million records in 2024 alone.

HIPAA’s regulations safeguard personal information against unauthorized access and identity theft, mitigating potential financial and reputational damages. Ultimately, HIPAA's emphasis on PHI protection is a cornerstone in building a reliable and patient-centric healthcare system.

See also: How to be HIPAA compliant without worrying about HIPAA compliance

How do breaches of PHI usually occur?

A breach occurs when PHI is accessed, used, or disclosed in a way that violates HIPAA regulations, for example when PHI is transmitted over an unsecured channel. Data breaches can affect individuals, businesses, and even governments in both the short term and the long term. The Department of Health & Human Services (HHS) Office for Civil Rights (OCR) lists on its online breach notification portal all reported breaches from the last 24 months that affect 500 individuals or more.

Given its content and use, officials and healthcare organizations commonly call the list the Wall of Shame. Common breach types listed in the portal are:

  • Hacking/IT incident
  • Improper disposal
  • Loss
  • Theft
  • Unauthorized access/disclosure
  • Unknown
  • Other

The HIPAA Privacy Rule imposes strict requirements on the handling, transmission, storage, and disposal of PHI, granting patients the right to the privacy and security of their information.

The unsecured transmission of PHI

The unsecured transmission of PHI is one of the most common types of HIPAA breaches, even though PHI is subject to strict security regulations. This type of breach occurs when PHI is transmitted over unencrypted communication channels without proper safeguards. Widespread ways that unsecured transmission can happen include:

  1. Sending an unencrypted email: Emails that contain PHI should be encrypted to prevent unauthorized access. If the email is not encrypted, it can be intercepted by third parties, including hackers and other malicious actors.
  2. Sharing PHI through an unsecured messaging app: Similar to email, PHI should not be transmitted through unsecured messaging apps without encryption or other appropriate safeguards.
  3. Faxing PHI to the wrong recipient: If a fax intended for a specific healthcare provider is accidentally sent to a business or individual without a legitimate need for the information, it can be considered a HIPAA violation.

HIPAA tries to ensure that personal information remains secure while giving patients the opportunity to select their preferred communication method. Unfortunately, HIPAA violations can result in costly fines and lost business.

Defining a HIPAA violation

A HIPAA violation occurs when a covered entity or business associate fails to comply with the regulations outlined in HIPAA, resulting in a data breach. This could involve:

  • The unauthorized disclosure of PHI
  • Having inadequate safeguards in place to protect PHI
  • Failure to provide patients with access to their medical records
  • Failure to comply with HIPAA regulations related to privacy, security, or breach notification

HIPAA violations can occur in numerous ways, whether or not the individuals and companies involved realize they are committing one. Willful neglect is the most serious category of violation, and the resulting data breaches can cause serious harm to patients and organizations. Moreover, even an accidental HIPAA breach can result in reputational damage, legal penalties, and fines.

OCR-related fines can range from $100 to $50,000 per violation, and the maximum penalty can be as high as $1.5 million per year, depending on the severity of the infraction. A PHI breach could even result in imprisonment or a lengthy class-action lawsuit, as we have seen recently against Integris Health and Morris Hospital & Healthcare Centers.

Go deeper: Understanding HIPAA violations and breaches

What should happen after a PHI breach?

If PHI is exposed, health organizations should immediately secure the breached location. For example, if an email account is compromised, the email password should be changed and any health data removed. Then organizations should conduct thorough investigations to determine the extent of the breach, identify data exposed and vulnerabilities, and create a plan for mitigation.

At this point, organizations should initiate their breach notification procedures and ensure that all affected individuals are informed according to legal requirements. Moreover, they should take swift corrective actions to lessen immediate risks and implement preventative measures to stop future incidents.

The breach notification process promotes accountability and transparency, ensuring that patients, HHS, and the media are promptly notified of any potential violations of their privacy. Complying with this responsibility helps strengthen the trust between patients and healthcare providers, giving anyone affected time to take appropriate measures to safeguard themselves.

Read more: How to respond to a data breach

Best practices to avoid PHI exposure

Securing PHI involves a layered approach to HIPAA’s physical, administrative, and technical safeguards. Physical safeguards include physical access controls on facilities, workstations, and devices. Administrative measures include policies and procedures that address such topics as training, risk analysis, and access management. Technical safeguards include electronic access controls, encryption, and automated audit trails.

Within these three categories of safeguards, there are numerous concrete methods that help an organization secure its network in a compliant way. To protect PHI and comply with HIPAA regulations, covered entities should consider implementing the following best practices.

  • Continuously train staff on HIPAA, cyber issues, and cybersecurity
  • Create, update, and share policies and procedures with staff
  • Implement strong access controls (e.g., role-based access controls (RBAC))
  • Encrypt PHI when at rest and in transit
  • Establish protocols on who can access certain types of data (i.e., minimum necessary)
  • Secure all utilized communication channels
  • Vet business associates with an established vendor management program
  • Conduct regular risk assessments
  • Establish incident response and disaster recovery plans
  • Perform regular data backups, audits, and monitoring

Learn about the minimum necessary rule

The minimum necessary rule is a fundamental component of HIPAA that ensures only the smallest amount of PHI is used, disclosed, or requested for a specific purpose. Healthcare entities should be selective when it comes to PHI, ensuring that information shared is tailored to meet specific needs to avoid unnecessary exposure. According to HHS, “The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed. . . . The Privacy Rule’s requirements for minimum necessary are designed to be sufficiently flexible to accommodate the various circumstances of any covered entity.”

In practice, healthcare organizations should develop and implement policies to share the least amount of PHI needed for specific tasks or roles. The rule balances the need for healthcare professionals to share information for effective patient care with the importance of maintaining privacy. Adhering to HIPAA protects patients and minimizes the risk of unauthorized access, letting organizations concentrate on patient care.

FAQs

What is the best way to share PHI?

The best way to share PHI is through secure email: the recipient is directed to a protected environment over an encrypted connection, which offers more data protection than sending PHI in the clear.

How do you communicate with PHI?

To securely communicate PHI to users, transmit it as a password-protected or encrypted attachment. Also, avoid including patient names, identifiers, or other specific details in the subject heading of the communication. Instead, incorporate a confidentiality banner such as “This is confidential medical communication.”
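The subject-line guidance above is easy to enforce automatically. The following pre-send check is an added example written for this post, not Paubox code or a description of any Paubox product: it scans an outbound subject for the identifier types the post lists (SSN, phone number, dates, a medical record number, an email address, a known patient name) and, if any is present, swaps the subject for the confidentiality banner so the detail stays in the encrypted body or attachment. The regular expressions, the patient-name directory and the banner wording are all constructed assumptions.

```python
"""Pre-send check for PHI in an outbound email subject line.

Added illustration for this post; not Paubox code. The identifier
patterns, the constructed patient directory and the banner text are
assumptions for the example and should be tuned to real data.
"""
import re

CONFIDENTIALITY_BANNER = "This is confidential medical communication."

# Constructed, deliberately conservative patterns for identifier types the
# post lists. Each is matched against the subject independently.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "mrn": re.compile(r"\bMRN\s*[:#-]?\s*\d{4,}\b", re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Constructed directory of patient names (fake). In a real deployment this
# lookup would be backed by the EHR rather than a literal set.
KNOWN_PATIENT_NAMES = {"jane example", "john sample"}


def find_identifiers(subject):
    """Return a sorted list of the identifier types present in `subject`."""
    found = {name for name, rx in IDENTIFIER_PATTERNS.items() if rx.search(subject)}
    lowered = subject.lower()
    if any(name in lowered for name in KNOWN_PATIENT_NAMES):
        found.add("patient_name")
    return sorted(found)


def sanitize_subject(subject):
    """Return (subject_to_send, findings).

    A clean subject passes through unchanged. A subject that carries PHI is
    replaced by the confidentiality banner; the findings are returned so the
    sending system can log why the substitution happened.
    """
    findings = find_identifiers(subject)
    if findings:
        return CONFIDENTIALITY_BANNER, findings
    return subject, findings


if __name__ == "__main__":
    for candidate in (
        "Weekly staff schedule",
        "Lab results for Jane Example, MRN 0012345",
        "Follow-up appointment 05/01/2024",
    ):
        print(repr(candidate), "->", sanitize_subject(candidate))
```

The check errs on the side of flagging: a date in a subject is not always PHI, but a false positive costs only a generic subject line, while a miss puts an identifier into mail headers that are never encrypted end to end.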

How does the minimum necessary standard affect the sharing of PHI during emergencies?

In emergencies, the standard is relaxed to allow for necessary disclosures to ensure the health and safety of individuals. However, reasonable efforts should still be made to limit the information shared.
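The minimum necessary rule described earlier and the emergency relaxation in this answer fit naturally into one access-control routine. The code below is an added example, not Paubox code or HHS guidance: a role-based filter returns only the record fields a role's task needs, denies unknown roles by default, and offers an audited "break-glass" path that releases the full record only when a reason is supplied and an audit log is present. The role names, field names, policy table and sample record are all constructed assumptions.

```python
"""Minimum-necessary filtering of a patient record by role, with an
audited emergency ("break-glass") override.

Added illustration for this post; not Paubox code. Roles, fields, the
policy table and the sample record are constructed assumptions.
"""
from datetime import datetime, timezone

# Constructed policy table: the fields each role needs for its task.
# Fields not listed are withheld; roles not listed are denied entirely.
ROLE_ALLOWED_FIELDS = {
    "clinician": {"name", "dob", "diagnosis_codes", "medications"},
    "billing": {"name", "dob", "insurance_id", "billing_codes"},
    "scheduler": {"name", "phone", "appointment_dates"},
}

# Constructed sample record; every value is fake.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "dob": "1980-01-01",
    "ssn": "000-00-0000",
    "phone": "555-0100",
    "diagnosis_codes": ["E11.9"],
    "medications": ["metformin"],
    "insurance_id": "INS-TEST-0001",
    "billing_codes": ["99213"],
    "appointment_dates": ["2024-05-01"],
}


class PolicyError(Exception):
    """Raised when a request falls outside the minimum-necessary policy."""


def minimum_necessary_view(record, role, *, emergency_reason=None, audit_log=None):
    """Return the subset of `record` that `role` is permitted to see.

    When `emergency_reason` is given, the full record is released (the
    relaxed standard for emergencies) but the release is appended to
    `audit_log` so it can be reviewed afterwards. Emergency access without
    an audit log is refused rather than silently unrecorded.
    """
    if emergency_reason:
        if audit_log is None:
            raise PolicyError("emergency access must be audited")
        audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "role": role,
            "event": "break_glass",
            "reason": emergency_reason,
            "fields_released": sorted(record),
        })
        return dict(record)

    allowed = ROLE_ALLOWED_FIELDS.get(role)
    if allowed is None:
        raise PolicyError(f"role {role!r} has no policy entry; denied by default")
    return {field: value for field, value in record.items() if field in allowed}


def withheld_fields(record, role):
    """Fields present in the record that the role would not receive."""
    return sorted(set(record) - ROLE_ALLOWED_FIELDS.get(role, set()))


if __name__ == "__main__":
    print("billing view:", minimum_necessary_view(SAMPLE_RECORD, "billing"))
    print("withheld from billing:", withheld_fields(SAMPLE_RECORD, "billing"))
    log = []
    minimum_necessary_view(
        SAMPLE_RECORD, "clinician",
        emergency_reason="ED trauma, patient unconscious", audit_log=log,
    )
    print("audit entry:", log[0])
```

Two design choices carry the policy: a role with no table entry gets nothing rather than everything, and the emergency path cannot be used without leaving an audit record, which is what makes the "reasonable efforts to limit the information shared" reviewable after the fact.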

What rights do patients have regarding their PHI?

Patients' rights related to their PHI include the ability to access their health records, request corrections for inaccuracies, and ask for restrictions on the use and disclosure of their PHI. If their rights are violated, patients can file complaints to reinforce the importance of protecting their privacy.

How are patients notified of PHI breaches?

In case of a security breach involving unprotected PHI that could pose a significant danger, healthcare organizations must inform the impacted individuals. This notification process promotes accountability and transparency, ensuring that patients are promptly notified of any potential violations of their privacy. Complying with this responsibility helps strengthen the trust between patients and healthcare entities, providing individuals with the necessary information to take appropriate measures to safeguard themselves in the event of a PHI breach.
