Personally identifiable information: HIPAA compliance key facts
by Kapua Iao
The HIPAA Privacy Rule was established as a set of national standards to ensure that patient privacy and health information are continuously safeguarded.
HIPAA has become even more important today due to the range of data it must protect, both physical and electronic.
Understanding PII vs PHI, as well as their overlap, is the first necessary step to take when implementing security measures to protect patient privacy and identity.
What is personally identifiable information (PII)?
PII is a general term referring to ANY sensitive data used to identify, contact, or locate a specific individual. It is not a term specific to HIPAA regulations.
This includes common identifiers such as full name, date of birth, street or email address, and biometric data.
Additional direct indicators could include:
- Maiden name and mother’s maiden name
- Fingerprint and voice print
- Telephone and fax number
- Social security number
- Passport number
- Driver’s license number
- Taxpayer identification number
- Financial accounts/records
- Account numbers
- Credit card/debit number
- Medical/health records
- IP and MAC address
- Personal property records
- Vehicle registration/title
- License plate number
- Full-face photograph
- Employment records
- Education records
Other identifiers are only regarded as PII when combined with further information; identifying an individual may be difficult without a second or third identifier unless the first is unique enough.
Such identifiers include:
- First name only
- First initial with last name
- Place of birth
- Geographic indicators
- Height or weight
- Basic demographic information
- Zip code
- Date of death
Currently, there is no single entity to oversee PII protection. Rather, a patchwork of several different laws regulate PII on a federal (e.g., COPPA, FCRA, FERPA, GLBA, and the HIPAA Privacy Act), state, city, and industry-wide level.
How does PII compare to PHI?
PHI is defined and watched over by HIPAA regulations. It refers to PII which covered entities utilize or store during the course of patient care. It is only shareable for medical purposes.
But, HIPAA does not just confine PHI to medical records and test results. In fact, PHI is any information that doctors use and/or disclose during the course of care that can identify a patient.
Even if that information doesn’t reveal a patient’s medical history, it is still considered PHI when linked to someone’s health condition. For example, patient name or email alone can be considered PHI if it is in any way associated with a healthcare provider.
PHI-specific identifiers include:
- Medical identification numbers
- Health insurance
- Beneficiary numbers
- Health status
- Blood test results
- Payment history
- Appointment reminders
- Admission and discharge dates
- Medical device identifiers and serial numbers
- Mental health records
HIPAA rules protect all individually identifiable health information stored or transmitted by health organizations.
What safeguards are provided?
Under HIPAA, organizations must limit and secure PHI access within and from covered entities (and their business associates) at all times (i.e., when used, stored, transmitted, removed, disposed, or reused).
RELATED: HIPAA Compliant Email
For example, the HIPAA “minimum necessary standard” restricts the amount and type of information shareable in patient care to the absolute minimum necessary to achieve a stated purpose.
Violations or failures to report a breach can be penalized heavily.
Having a HIPAA compliant data protection strategy ensures effective patient care even while healthcare providers remain diligent about cybersecurity and breach reporting.
Continue taking steps toward compliance
By understanding the what and why of protecting data, health organizations are better able to define how to reduce future risks and costs and create a solid security program.
A helpful next step is to address The National Institute of Standards and Technology’s key factors, useful in determining what is needed for a strong HIPAA compliant cybersecurity program.
Health organizations should ask the following about patient data:
- Is it easy to identify an individual?
- How many would a breach compromise?
- How much harm could be caused?
- Does data use affect impact?
- How do we regulate the information?
- How reachable is the data?
This also includes making sure that any business associate is also following HIPAA best practices in protecting any PII or PHI they are touching.
By law, the HIPAA Privacy Rule applies only to covered entities. Covered entities are typically health plans, health care clearinghouses, and certain health care providers.
That’s why signing a business associate agreement (BAA) becomes essential.
A BAA is a written contract between a covered entity and a business associate that requires the business associate to follow 10 provisions to maintain compliance. It is critical to make sure PHI is protected.
Finally, employee awareness training is essential—employees must understand not only what constitutes PII/PHI but what they need to do to safeguard it.
A strong HIPAA compliant cybersecurity program keeps patients and their personal information, as well as a health organization, safe and secure from cyberattacks.