What is Protected Health Information (PHI)? And why is it important?

  • By Steven
  • Published: Jul 16, 2024
  • Last Updated: Jul 29, 2024

Safeguarding Protected Health Information (PHI)

“Safeguarding protected health information (PHI) is governed by the Health Insurance Portability and Accountability Act (HIPAA).”

Protecting identifiable health data is the responsibility of everyone who handles it, above all HIPAA covered entities and their business associates. Healthcare providers that transmit health information electronically, health plans (including employer-sponsored group health plans and government programs such as Medicare and Medicaid), and healthcare clearinghouses are covered entities; vendors that create, receive, store, or transmit PHI on their behalf are business associates and carry the same security obligations. Student health records held by schools covered under FERPA generally fall outside HIPAA; health records held by a school that is not covered by FERPA can fall inside it.

What is Protected Health Information (PHI)?

PHI is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits, in any form: information about a person's past, present, or future physical or mental health, the care provided, or payment for that care, combined with anything that identifies the person. The same records serve purposes well beyond direct care, such as medical research studies, identifying candidates for clinical trials, building confidential lists of patients to survey about current treatments, or soliciting feedback from medical device users. Each of those uses moves PHI beyond the treating facility, which is why its protection has to travel with it.

The Importance of Protecting PHI.

Protecting PHI is critical for the patient, the healthcare practitioner, and the many third parties in between. With the growth of digital medical portals, pharmacies, medical device providers, and even the shipping companies that deliver prescriptions have all become targets of hackers, cybercriminals, and scammers.

Attackers mainly target electronic medical records (EMRs), which command a high price on dark web markets.

According to a report filed by CNBC, "On the dark web, medical records sell for $60 compared to $15 for a Social Security number and $3 for a credit card."

Organizations that lose PHI face legal, financial, and reputational consequences of their own. UnitedHealth Group (through its Change Healthcare subsidiary), CaptureRx, and Florida Healthy Kids Corporation have all suffered large medical record breaches in recent years.

In 2024, the Change Healthcare breach cost UnitedHealth Group nearly $900 million in the first quarter alone. The root cause was basic: critical, externally reachable hosts were neither monitored nor protected by multifactor authentication (MFA), so compromised credentials were enough to get in.

"The CEO of UnitedHealthcare stated during a recent congressional testimony that the company has not yet determined how many patients and health care professionals were affected by the cyberattack on Change Healthcare in February."

Without proper protection of PHI, individuals face financial, legal, and personal fallout: lowered credit scores, frozen credit cards and bank accounts, and paying for monitoring services after the fact to catch further misuse.

Attackers holding PHI have what they need to assume a victim's identity, including opening credit cards, accessing bank accounts, or holding sensitive diagnoses and other confidential details for a later extortion attempt.

What Does PHI Include?

PHI pairs health information with identifiers, so both halves belong to it. Examples of what it covers:

  • Medical record numbers and health plan beneficiary numbers
  • An email address or phone number used as a record identifier
  • History of existing medical conditions and diagnoses
  • Current prescription medications
  • The pharmacy the patient uses
  • Portal login credentials, including biometric identifiers and usernames
  • End-of-life instructions and the contact information of next of kin

What is the Relationship Between HIPAA and PHI?

PHI is the content; HIPAA is the law that governs how that content is stored, accessed, transferred, and retained in order to maintain health information privacy. Nurses, pharmacists, therapists, radiology technicians, medical insurance company employees, and hospital staff are all mandated to protect it.

Ultimately, HIPAA defines how a medical-related organization maintains the confidentiality, integrity, and availability (CIA) of EMR and PHI data. Along with setting those standards, HIPAA defines the civil and criminal penalties for violations and data breaches.

HIPAA defines what PHI is, including that it covers information about a person's past, present, or future physical or mental health, the care provided, or payment for that care. It also requires that Security Rule policies, procedures, and other compliance documentation be retained for six years; retention periods for the medical records themselves are set by state law rather than by HIPAA.

What is Not Considered PHI Under HIPAA?

HIPAA's definition turns on who holds the data and whether it is identifiable, not on which field it is. Several categories fall outside it:

  • Health information that has been de-identified, either under the Safe Harbor method (all 18 identifier types removed, including name, street address, phone number, email address, Social Security number, medical record number, full-face photographs, and any date more specific than a year) or under the Expert Determination method. A person's name, phone number, or home address is an identifier, so each is PHI whenever it sits alongside health information held by a covered entity; the same details in a non-health context, such as a store loyalty card, are not.
  • Demographic fields that are not among the 18 identifiers, such as gender, state of residence, and the first three digits of a ZIP code (where that area holds more than 20,000 people), which may remain in a de-identified data set.
  • Employment records that a covered entity holds in its role as an employer, such as sick-leave requests in a human resources file.
  • Student health records covered under FERPA.
  • Health data held by organizations that are neither covered entities nor business associates, for example a consumer fitness tracker or step-counting app.
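The boundary between PHI and non-PHI above is easiest to see in the Safe Harbor method itself: remove the 18 identifiers, generalize dates to years and ZIP codes to three digits, aggregate ages over 89, and what remains is no longer PHI. The following is an added example, not code from the original article or from any HIPAA guidance; the record layout, field names, sample values, and the list of restricted three-digit ZIP prefixes are constructed for illustration (the real restricted list comes from Census population data).

```python
"""Safe Harbor style de-identification of a patient record.

Added illustration, not code from the original article. HIPAA's Safe Harbor
method (45 CFR 164.514(b)(2)) lists 18 identifier types that must be removed
for data to stop being PHI. The record layout, field names, sample values and
the RESTRICTED_ZIP3 list below are constructed for the example.
"""
import re
from copy import deepcopy

# Direct identifiers that are dropped outright (field names are assumptions).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric_id", "photo", "other_unique_id",
}

# Three-digit ZIP prefixes covering 20,000 people or fewer must become 000.
# Illustrative subset only; the authoritative list is derived from Census data.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}


def generalize_zip(zip_code):
    """Keep only the first three digits, or 000 for a restricted prefix."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return "000"
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_date(value):
    """Safe Harbor allows only the year of a date directly related to an individual."""
    m = re.match(r"(\d{4})-\d{2}-\d{2}$", value or "")
    return m.group(1) if m else None


def generalize_age(age):
    """Ages over 89 must be aggregated into a single '90+' category."""
    return "90+" if age is not None and age >= 90 else age


def deidentify(record):
    """Return a copy of the record with Safe Harbor identifiers removed or generalized."""
    out = deepcopy(record)
    for field in list(out):
        if field in DIRECT_IDENTIFIERS:
            del out[field]
    if "zip" in out:
        out["zip"] = generalize_zip(out["zip"])
    if "age" in out:
        out["age"] = generalize_age(out["age"])
    for date_field in ("dob", "admission_date", "discharge_date"):
        if date_field in out:
            out[date_field] = generalize_date(out[date_field])
    # A year of birth alone would reveal an age over 89, so it is removed too.
    if out.get("age") == "90+" and "dob" in out:
        out["dob"] = None
    return out


# Constructed sample record; no real person.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "medical_record_number": "MRN-00012345",
    "email": "jane@example.com",
    "dob": "1931-04-09",
    "age": 93,
    "zip": "03601",
    "admission_date": "2024-02-21",
    "diagnosis": "Type 2 diabetes mellitus",
    "medication": "metformin 500 mg",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```

Note what survives: the diagnosis and medication stay, because health information without an identifier is exactly what Safe Harbor permits to be shared. The Expert Determination alternative is statistical and cannot be reduced to a field list like this one.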

What is ePHI and the Security Rule Under HIPAA?

ePHI is PHI that is created, stored, transmitted, or received electronically. The HIPAA Privacy Rule covers PHI in every form, paper charts, radiology films, and prescription slips included; the Security Rule, finalized in 2003, applies specifically to ePHI. As the industry moved to EMRs, online pharmacies, and a dense network of connected healthcare ecosystem providers, a defined standard for how to secure, transmit, and protect this form of data became necessary.

Covered entities and their business associates must comply with the Security Rule, which sets standards for the confidentiality, integrity, and availability of ePHI through three families of safeguards: administrative, physical, and technical.

Health insurers and clearinghouses collect ePHI for billing, coverage, claim processing, and payments. These entities must also ensure that ePHI is secured and protected under the Security Rule, even though they never treat a patient.

Risk Assessment.

Under the HIPAA Security Rule, a risk analysis is a required implementation specification: organizations must identify the threats and vulnerabilities that could expose ePHI, rate their likelihood and impact, and then manage the resulting risk. Following the assessment, the entity must implement measures that reduce the exposures found, including patching, configuration changes, or additional cybersecurity controls, and repeat the exercise whenever the environment changes materially.

Along with completing the risk assessments, all entities must keep documentation of the analysis, the decisions made, and the controls chosen, and retain that documentation for six years.

What Are Methods and Measures For Protecting PHI?

Protecting PHI is required of covered entities and business associates under HIPAA. The Security Rule's technical safeguards are written as technology-neutral standards (access control, audit controls, integrity, person or entity authentication, and transmission security); common measures used to meet them include:

  • Encrypting data at rest and in transit. Encryption is an "addressable" specification: an entity that chooses not to implement it must document why and what equivalent control it uses instead, and unencrypted ePHI that is lost triggers breach notification.
  • Business Associate Agreements (BAAs) with every cloud provider that stores or processes PHI on the entity's behalf.
  • Hosting only on platforms whose providers will sign a BAA and can document their own HIPAA safeguards. There is no official "HITECH certification"; HITECH is the 2009 law that extended HIPAA's obligations to business associates and added the breach notification requirements.
  • Data loss prevention (DLP) scanning of outbound email and file transfers so that PHI does not leave the organization unprotected.
  • Multi-factor authentication for portal and remote access. HIPAA requires person or entity authentication without naming a method; MFA is how a modern entity meets that standard.
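The DLP item above hides an important design point: a Social Security number by itself is sensitive but not PHI, and a diagnosis by itself is health information but not identifiable. PHI is the two together, and a useful outbound rule reflects that. The following is an added example, not code from the original article or from any DLP vendor; the identifier formats (the "MRN" number shape in particular), the health-term list, and the sample messages are constructed for illustration.

```python
"""Outbound-message check for protected health information, DLP style.

Added illustration, not code from the original article. The identifier
formats (hypothetical MRN shape, SSN, date of birth), the health-term list and
the sample messages are constructed for the example; a real deployment tunes
them to the organization's own record formats.
"""
import re

# Identifier patterns: the "individually identifiable" half of PHI.
IDENTIFIER_PATTERNS = {
    # SSN shape, excluding groups the SSA never issues (000/666/9xx area, 00 group, 0000 serial).
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Hypothetical medical record number format: "MRN" followed by 6 to 10 digits.
    "mrn": re.compile(r"\bMRN[- ]?\d{6,10}\b", re.IGNORECASE),
    # A date labelled as a date of birth.
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
}

# Health-content patterns: the "health information" half of PHI.
HEALTH_PATTERNS = {
    "health_term": re.compile(
        r"\b(?:diagnos(?:is|ed)|prescri(?:bed|ption)s?|lab results?|discharge summary|treatment plan)\b",
        re.IGNORECASE,
    ),
}


def scan_message(text):
    """Return the names of every identifier and health-content rule that matched."""
    hits = {name for name, pat in IDENTIFIER_PATTERNS.items() if pat.search(text)}
    hits |= {name for name, pat in HEALTH_PATTERNS.items() if pat.search(text)}
    return hits


def classify(text):
    """Identifier plus health content is PHI: block. Only one half: review. Neither: allow."""
    hits = scan_message(text)
    has_identifier = bool(hits & set(IDENTIFIER_PATTERNS))
    has_health = bool(hits & set(HEALTH_PATTERNS))
    if has_identifier and has_health:
        return "block", hits
    if has_identifier or has_health:
        return "review", hits
    return "allow", hits


def redact(text):
    """Mask every identifier match so the message can be released without the identifying half."""
    for name, pat in IDENTIFIER_PATTERNS.items():
        text = pat.sub(f"[REDACTED-{name.upper()}]", text)
    return text


# Constructed outbound messages; no real people or records.
SAMPLE_MESSAGES = [
    "Attaching lab results for MRN-00123456, DOB 04/09/1931. Diagnosis notes are in the PDF.",
    "HR reminder: bring the signed form with your SSN 123-45-6789 to the benefits office.",
    "Lunch at noon on Thursday?",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, hits = classify(msg)
        print(f"{verdict:6} {sorted(hits)}  {redact(msg)}")
```

The "review" verdict is deliberate: a lone SSN in an HR message is a data-protection problem but not a HIPAA one, and routing it to a human avoids both the false block and the silent pass. Pattern matching of this kind misses free-text clinical detail with no keyword, so it complements, rather than replaces, access control and encryption.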

What Cybersecurity Controls Should Be Deployed Regardless of HIPAA?

HIPAA does not name specific technologies such as firewalls, intrusion detection, inbound email security filtering, or network segmentation. The Security Rule is deliberately technology-neutral: it requires "reasonable and appropriate" safeguards, so the organization's own risk analysis determines which of these controls it must deploy, and an entity that skips a control every peer uses will struggle to call its safeguards reasonable.

Note:  Cyber insurance carriers also take a similar stance regarding healthcare providers' ability to protect PHI data.

Administrative Safeguards.

The Security Rule's administrative safeguards break down into the following areas:

The Security Management Process.

  • HIPAA defines the security management process as four implementation specifications: risk analysis, risk management, a sanction policy for workforce members who violate security policy, and information system activity review (regular examination of audit logs, access reports, and security incident tracking).
  • HIPAA-regulated entities must continuously update their risk strategy so that new application platforms, network changes, and additional business associate relationships are brought into scope as they arrive.
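Information system activity review is the one part of the security management process that runs continuously rather than at assessment time, and it is where breaches like the ones described earlier first become visible. The following is an added example, not code from the original article or from any EMR vendor; the log format, the unit assignments, and the bulk-access threshold are assumptions made for the illustration.

```python
"""Information system activity review over constructed EMR access logs.

Added illustration, not code from the original article. The log format, the
unit assignments and the threshold are assumptions made for the example; real
EMR audit logs and staffing data differ by vendor.
"""
from collections import Counter
from datetime import datetime

# Constructed audit log: one record view per line, key=value fields after an ISO timestamp.
SAMPLE_LOG = """
2024-03-02T09:01:00 user=nurse_jdoe action=view patient=P1007 unit=ICU
2024-03-02T09:05:00 user=nurse_jdoe action=view patient=P1008 unit=ICU
2024-03-02T09:07:00 user=billing_mlee action=view patient=P1007 unit=ICU
2024-03-02T23:40:00 user=dr_asmith action=view patient=P2001 unit=CARDIO
2024-03-02T23:41:00 user=dr_asmith action=view patient=P2002 unit=CARDIO
2024-03-02T23:42:00 user=dr_asmith action=view patient=P2003 unit=CARDIO
2024-03-02T23:43:00 user=dr_asmith action=view patient=P2004 unit=CARDIO
""".strip().splitlines()

# Units each workforce member is assigned to (assumed staffing data).
ASSIGNMENTS = {
    "nurse_jdoe": {"ICU"},
    "billing_mlee": {"BILLING"},
    "dr_asmith": {"ICU", "CARDIO"},
}

BULK_THRESHOLD = 3  # record views by one user within a single clock hour (assumed)


def parse(line):
    """Split a log line into a dict with a datetime 'ts' plus the key=value fields."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def review(lines):
    """Return (user, subject, reason) findings for out-of-unit access and bulk viewing."""
    findings = []
    views_per_hour = Counter()
    for rec in map(parse, lines):
        user = rec["user"]
        # Minimum necessary: a user viewing a chart outside any assigned unit is a finding.
        if rec["unit"] not in ASSIGNMENTS.get(user, set()):
            findings.append((user, rec["patient"], "access outside assigned unit"))
        views_per_hour[(user, rec["ts"].strftime("%Y-%m-%dT%H"))] += 1
    # Many distinct charts in one hour is the shape of snooping or bulk exfiltration.
    for (user, hour), count in views_per_hour.items():
        if count > BULK_THRESHOLD:
            findings.append((user, hour, f"{count} record views in one hour"))
    return findings


if __name__ == "__main__":
    for user, subject, reason in review(SAMPLE_LOG):
        print(f"{user:14} {subject:16} {reason}")
```

Both findings here are legitimate in some workflows (a billing clerk may need one chart, a cardiologist on call may round on four patients), which is why the review is a human process fed by these signals rather than an automatic block. The point of the exercise under the Security Rule is that someone looks, regularly, and that the looking is documented.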

Assignment of Security Responsibility and Accountability.

This standard requires every covered entity and business associate to designate a security official who is accountable for developing and implementing the policies and procedures the Security Rule requires for ePHI. A named individual, not a committee, owns the program.

Remote and On-site Workforce Security.

The Security Rule requires every regulated entity to define and implement an access control process governing how employees, business associates, and other third parties gain, use, and lose access to ePHI, whether they work on site or remotely. That includes authorization before access is granted and prompt termination of access when a person leaves or changes role.

Defining Reasonable Safeguards For Physical Access.

HIPAA's physical safeguards cover facility access controls, workstation use and security, and device and media controls. How an entity meets them is up to its risk analysis; typical measures include badge readers on server rooms and other sensitive areas such as on-premises data centers and utility rooms, visitor logs, workstations positioned and locked so that screens are not exposed, and documented procedures for wiping or destroying drives and media that held ePHI.

ePHI in the Digital Age For HIPAA-Covered Entities.

The digital transformation within the healthcare industry is ongoing, even after adopting EMR and ambulatory and clinic systems from paper to electronic form.

Cerner, Allscripts, and McKesson systems started as on-premises implementations and have only recently become cloud-based. Oracle's acquisition of Cerner signalled the accelerating move of medical IT into the cloud, along with the incorporation of artificial intelligence (AI) and machine learning (ML) into medical applications.

Moving to the cloud and adopting AI and ML advances healthcare application delivery, makes large data sets usable, and increases accessibility. However, moving medical data to the cloud and trusting AI, especially early functional releases, also poses substantial risk to medical organizations: the data is now reachable from anywhere, and models trained or prompted on PHI become another place it can leak.

Even with HIPAA-compliant hosting and a signed BAA, attackers still find vulnerabilities in primary or secondary medical applications, unpatched cloud hosts, wearable devices, and network devices with no MFA enabled. The Security Rule's risk analysis requirement follows the data: an entity must assess the risk to its ePHI wherever it lives, including in the cloud, and cannot delegate that responsibility to the provider.

Moving to digital platforms without risk assessments, an incident response capability, and cloud security controls places HIPAA-regulated data at significant risk.

In conclusion, protecting PHI is required of every organization HIPAA defines as a covered entity or business associate. That means deploying cybersecurity controls, conducting risk assessments, and defining and enforcing policies that govern access to, transmission of, and encryption of PHI.

Securing healthcare data is a partnership between providers and patients. Covered entities carry the legal obligations under HIPAA; patients are not regulated by it, but they have a critical role in protecting their own data:

  • Use a different username and password on every website, and turn on MFA where a patient portal offers it.
  • Know who you are granting access to your medical data, and revoke access that is no longer needed.
  • Keep paper correspondence and statements secure, and shred them before disposal.
  • Subscribe to medical identity scanning services from IDStrong to learn whether your medical or personal information has been compromised.

Monitoring your medical record identifiers and Social Security number is critical to catching identity theft early, before a fraudulent claim or account appears.

No security control is perfect, and medical information will continue to be stolen. Scanning services such as IDStrong's let users find out whether their information has appeared in a recent large or small data breach.
