Personally Identifiable Information (PII) and HIPAA Compliance
by Rick Kuwahara CMO of Paubox
The HIPAA privacy rule was established as a set of national standards to ensure that patient privacy and an individual’s health information are continuously safeguarded.
The standards ensure that all covered entities protect personally identifiable information (PII) as protected health information (PHI) while providing top patient care.
HIPAA has become even more important today due to the range of data to protect, whether physical or electronic, and in the way it’s stored and transmitted.
Understanding PII and PHI, as well as their overlap, is the first necessary step to take when implementing security measures to protect a patient’s privacy and identity.
What is Personally Identifiable Information (PII)?
PII is ANY sensitive data used to identify, contact, or locate a specific individual.
This includes common identifiers such as full name, date of birth, street or email address, and biometric data.
Additional direct indicators could include:
- maiden name and mother’s maiden name
- fingerprint and voice print
- telephone and fax number
- social security number
- passport number
- driver’s license number
- taxpayer identification number
- financial accounts/records
- account numbers
- credit card/debit number
- medical/health records
- IP and MAC address
- personal property records
- vehicle registration/title
- license plate number
- full-face photograph
- employment records
- education records
Other identifiers are only regarded as PII when combined with further information; finding an individual may be difficult without a second or third identifier unless the first is unique enough.
Such identifiers include:
- first name only
- first initial with last name
- place of birth
- geographic indicators
- height or weight
- basic demographic information
- zip code
- date of death
Currently, there is no single entity to oversee PII protection.
Rather, a patchwork of several different laws regulates PII at the federal (e.g., COPPA, FCRA, FERPA, GLBA, and the Privacy Act), state, city, or industry level.
How does PII compare to PHI?
PHI, defined and governed by HIPAA regulations, is PII used and stored by covered entities for a patient's well-being.
Any personal data used and/or stored during the course of patient care is considered PHI and should only be shareable for medical needs and at the discretion of the patient.
But, PHI isn’t just confined to medical records and test results.
In fact, any information that can identify a patient and is used or disclosed during the course of care is considered PHI. Even if that information doesn’t reveal a patient’s medical history, it is still considered PHI.
PHI-specific identifiers include:
- medical identification numbers
- health insurance beneficiary numbers
- health status
- blood test results
- payment history
- appointment reminders
- admission and discharge dates
- medical device identifiers and serial numbers
- mental health records
HIPAA rules protect all individually identifiable health information stored or transmitted by health organizations.
How does HIPAA provide safeguards?
Under HIPAA, PHI access within and from covered entities (and their business associates) must be limited and secured at all times (i.e., when used, stored, transmitted, removed, disposed of, or reused).
For example, the ‘Minimum Necessary Rule’ restricts the amount and type of information shareable in patient care to the absolute minimum necessary to achieve a stated purpose.
HIPAA also addresses the advancement of technologies and patient data with the security rule and later HITECH.
Violations or failures to report a breach can be penalized heavily.
Having a HIPAA compliant data protection strategy therefore ensures continued patient care even while healthcare providers remain diligent about cybersecurity and breach reporting.
Continue taking steps toward HIPAA compliance
By understanding the what and why of protecting data, health organizations are better able to then define how to reduce future risks and costs and create a solid security program.
A helpful next step is to work through the National Institute of Standards and Technology's (NIST) key factors, which are useful in determining what a strong HIPAA-compliant cybersecurity program needs.
Health organizations should ask the following about patient data:
- How easy is it to identify an individual?
- How many identities are compromised if breached?
- How much harm could be caused?
- Does the way the data is used affect its impact?
- How is the information regulated?
- How reachable is the data?
Consider purging or de-identifying PII no longer needed.
PII that is kept must be stored securely and, if transmitted to a patient or another health professional, sent encrypted and with permission.
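As an added example (not code from the article or from Paubox), two of the controls described above in Python: a purpose-bound field allow-list that applies the Minimum Necessary Rule to structured records, and a redaction pass that strips the fixed-format direct identifiers from the article's list (SSN, phone, email, IP and MAC address) out of free-text notes before they are sent. Field names, purposes and the regex formats are constructed assumptions; free-form identifiers such as names and addresses are outside what a pattern pass can catch.

```python
"""Added example (not the article's own code): two defensive checks run before
PHI leaves a covered entity.  (1) A purpose-bound allow-list for structured
records (Minimum Necessary).  (2) A regex pass that redacts direct identifiers
with a fixed shape from free-text notes.  Purposes, field names and formats are
constructed for illustration; names and addresses are out of scope for (2)."""
import re
from typing import Dict, Tuple

# Purpose -> the only fields that purpose needs (constructed allow-lists).
MINIMUM_NECESSARY: Dict[str, frozenset] = {
    "appointment_reminder": frozenset({"first_name", "appointment_time", "clinic"}),
    "billing": frozenset({"full_name", "insurance_id", "payment_history"}),
}

def minimum_necessary(record: Dict[str, str], purpose: str) -> Dict[str, str]:
    """Return only the fields the stated purpose may receive.
    An unknown purpose gets nothing: deny by default rather than leak."""
    allowed = MINIMUM_NECESSARY.get(purpose, frozenset())
    return {k: v for k, v in record.items() if k in allowed}

# Direct identifiers from the article that have a machine-checkable US format.
# These patterns are assumptions about common formats, not a regulatory list.
# Order matters: SSN before PHONE, IPV4 before PHONE (dotted digit runs).
PII_PATTERNS: Dict[str, re.Pattern] = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "MAC": re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
    "IPV4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "PHONE": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)"),
}

def deidentify(text: str) -> Tuple[str, Dict[str, int]]:
    """Redact each identifier type and report how many of each were found, so a
    reviewer can judge how identifiable the note was before it was released."""
    found: Dict[str, int] = {}
    for label, pattern in PII_PATTERNS.items():
        text, n = pattern.subn(f"[{label} REDACTED]", text)
        if n:
            found[label] = n
    return text, found

if __name__ == "__main__":
    # Constructed sample record and note; no real patient data.
    record = {"full_name": "Jane Doe", "first_name": "Jane", "insurance_id": "H12345",
              "appointment_time": "2024-05-02 09:30", "clinic": "Eastside",
              "payment_history": "paid", "ssn": "123-45-6789"}
    print(minimum_necessary(record, "appointment_reminder"))
    note = "Pt Jane Doe, SSN 123-45-6789, call (415) 555-0134, jane.doe@example.org"
    print(deidentify(note))
```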
Finally, employee awareness training is essential—employees must understand not only what constitutes PII/PHI but what they need to do to safeguard it.
A strong HIPAA-compliant cybersecurity program keeps patients and their personal information, as well as a health organization, safe and secure from cyberattacks.