What is Protected Health Information (PHI)? And why is it important?
- By Steven
- Published: Jul 16, 2024
- Last Updated: Jul 29, 2024
Safeguarding Personal Health Information (PHI)
“Safeguarding personal health information (PHI) is governed under the Health Insurance Portability and Accountability Act (HIPAA).”
Protecting identifiable health data is the responsibility of everyone who comes into contact with it, including covered entities. Healthcare providers, health plan companies, school districts not covered under FERPA, universities, employers, and federal, state, and local government agencies are mandated to protect PHI data from any security risk.
What is Protected Health Information (PHI)?
PHI is any individually identifiable information held within a medical record. The medical record also serves as an initial collection point for medical research: identifying patients for clinical trials, building a confidential list of patients to survey about current medical treatments, or soliciting feedback from medical device users.
The Importance of Protecting PHI.
Protecting PHI is critical for the patient, the healthcare practitioner, and various third parties. With the growth of digital medical portals, pharmacies, medical device providers, and shipping companies alike have become targets of hackers, cybercriminals, and scammers.
Hackers mainly target electronic medical records (EMR). These records have considerable worth within the dark web.
According to a report filed by CNBC, "On the dark web, medical records sell for $60 compared to $15 for a Social Security number and $3 for a credit card."
Organizations that leaked the PHI also face similar legal, financial, and brand implications. United Healthcare, CaptureRx, and Florida Healthy Kids Corporation suffered massive medical record breaches in 2023 and 2024.
In 2024, the United Healthcare breach cost the healthcare provider nearly $900 million in losses. Specifically, critical hosts that were not monitored and had no multifactor authentication (MFA) enabled caused the breach.
"The CEO of UnitedHealthcare stated during a recent congressional testimony that the company has not yet determined how many patients and health care professionals were affected by the cyberattack on Change Healthcare in February."
Without proper protection of PHI data, individuals face financial, legal, and personal challenges: their credit scores drop, they must freeze their credit cards and bank accounts, and they have to pay for a monitoring service to catch future data breach issues.
Hackers who access PHI data now have the means to assume the identity of their victims, including the ability to open credit cards, access bank account information, or capture confidential information that could be used later in an extortion attempt.
What Does PHI include?
Within PHI, the following exist within its taxonomy:
- Medical record numbers
- An email address used as a record designator
- History of existing medical conditions
- The prescription medicines the patient is currently taking
- The pharmacy the patient uses
- Login credentials, including biometric passwords or username access to the online portal
- Access to information about end-of-life instructions and contact information of next of kin.
What is the Relationship Between HIPAA and PHI?
PHI is the information within the EMR. HIPAA governs how the data is stored, accessed, transferred, and kept to help maintain health information privacy. Nurses, pharmacists, therapists, radiology technicians, medical insurance company employees, and hospital staff are mandated to protect this information.
Ultimately, HIPAA defines how a medical-related organization maintains the confidentiality, integrity, and availability (CIA) of the EMR and PHI data. Along with establishing the standards for CIA, HIPAA defines the fines for any violation or data breach.
HIPAA sets the provisions regarding what PHI is, how long PHI should be retained, and the scope of the data covered, including the definition of past, present, and future patient information and its metadata.
What is Not Considered PHI Under HIPAA?
There are elements of personal information that are not considered PHI under HIPAA:
- A person's name is not considered PHI. Consider how many John Smiths exist in the world.
- A phone number is only covered as PHI under HIPAA if the number is used as part of the record designation.
- The gender of the person is treated like the phone number; this field is only considered PHI if it is used within the record designator.
- Information exchanged during the appointment setting, such as name and phone number, is not PHI.
- Home address is not considered PHI.
- Employment records are not considered PHI under HIPAA.
- Student health records covered under FERPA are excluded under HIPAA.
- Any personal information removed from clinical trial or other records is not considered PHI under HIPAA.
What is ePHI and the Security Rule Under HIPAA?
“ePHI refers to the electronic form of healthcare information covered under the HIPAA regulation.” Early versions of the HIPAA mandate focused on the physical handling of paper medical records, radiology files, and prescription information. As the medical industry moves onto digital platforms, including EMR systems, online pharmacies, and connections to the vast network of healthcare ecosystem providers, there is a need to define how to secure, transmit, and protect this new form of data.
Healthcare providers must abide by the Security Rules of the HIPAA electronic protected information mandates. “The Security Rule sets specific mandates for the confidentiality, integrity, and availability of ePHI.”
Health insurers and clearinghouses collect ePHI for billing, coverage, claim processing, and payments. These entities must also ensure the ePHI is secured and protected under the Security Rule.
Risk Assessment.
Under the HIPAA Security Rule, organizations must assess whether any vulnerabilities or exploits exist that could place PHI information at risk. Following a risk assessment, medical entities must implement measures to remove the exposure discovered during the various inspections, including patching, updating, or deploying additional cybersecurity controls.
Along with completing the risk assessments, all medical entities must maintain proper documentation of these assessments.
What Are Methods and Measures For Protecting PHI?
Protecting PHI information is required for healthcare and associated organizations under HIPAA compliance. HIPAA defines several technical safeguard requirements, including:
- Encrypt all data-at-rest and data-in-transit
- The establishment of Business Associate Agreements (BAA) for cloud-based access and storage of PHI.
- The use of HITECH-compliant cloud-based application providers for hosted applications.
- The enablement of data loss prevention (DLP) technology to scan all outbound email messages and document transfer systems to ensure no PHI information is sent unprotected.
- Multi-factor authentication is required for user access to the portal.
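The DLP safeguard above is easiest to understand as a concrete check on outbound mail. The following is an added example, not code from the original article: it scans a message body for the PHI indicators the article lists (medical record numbers, prescriptions, conditions, pharmacy, next-of-kin instructions) and only lets PHI leave the organization on an encrypted channel. The MRN format, keyword lists, and the internal domain hospital.example are constructed assumptions.

```python
"""Minimal outbound-message PHI scan in the style of a DLP rule (added example)."""
import re
from dataclasses import dataclass

# Constructed MRN format for this example: "MRN" followed by eight digits.
MRN_RE = re.compile(r"\bMRN[-\s]?\d{8}\b", re.IGNORECASE)

# Keyword classes drawn from the PHI taxonomy in the article (constructed lists).
PHI_KEYWORDS = {
    "prescription": re.compile(r"\b(prescri(?:bed|ption)|mg daily|refill)\b", re.I),
    "condition": re.compile(r"\b(diagnos(?:is|ed)|chronic|diabetes|hypertension)\b", re.I),
    "pharmacy": re.compile(r"\bpharmacy\b", re.I),
    "next_of_kin": re.compile(r"\b(next of kin|end-of-life|DNR)\b", re.I),
}


@dataclass
class Message:
    recipient: str
    body: str
    encrypted: bool = False  # True when the transport or envelope is encrypted


@dataclass
class Finding:
    rule: str    # which indicator class fired
    sample: str  # the matched text, for the audit log


def scan_body(body: str) -> list[Finding]:
    """Return every PHI indicator found in the message body."""
    findings = [Finding("mrn", m.group(0)) for m in MRN_RE.finditer(body)]
    for name, rx in PHI_KEYWORDS.items():
        match = rx.search(body)
        if match:
            findings.append(Finding(name, match.group(0)))
    return findings


def policy_decision(msg: Message, internal_domain: str = "hospital.example") -> str:
    """Decide 'allow', 'allow-encrypted', or 'block' for one outbound message.

    Mail that stays inside the internal domain is allowed as-is; PHI may
    leave the organization only when the message is encrypted.
    """
    if not scan_body(msg.body):
        return "allow"
    if msg.recipient.lower().endswith("@" + internal_domain):
        return "allow"
    return "allow-encrypted" if msg.encrypted else "block"
```

In a real deployment the decision would be logged with the findings so the security officer can review blocked messages.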
What Cybersecurity Controls Should Be Deployed Regardless of HIPAA?
HIPAA does not require technology like firewalls, intrusion detection, inbound email security filtering, and network segmentation; however, the regulation does state all necessary technology solutions relevant to protecting PHI information should be deployed.
Note: Cyber insurance carriers also take a similar stance regarding healthcare providers' ability to protect PHI data.
Administrative Safeguards.
Security administrative safeguards under the Security Rule are broken down into the following areas:
The Security Management Process.
- “HIPAA defines the security management process, including risk analysis, risk management, a review process of regular risk assessments, and information systems activity review.”
- HIPAA-covered entities need to continuously update their risk strategy so that any new application platforms, network changes, or additional business associate relationships are added as required.
Assignment of Security Responsibility and Accountability.
This rule requires all HIPAA-related entities to identify the security officer who is accountable and responsible for creating and implementing all privacy, security, and safeguarding measures for HIPAA-covered PHI.
Remote and On-site Workforce Security.
This policy is required under the Security Rule to ensure that all HIPAA-related entities have defined and implemented an access control process governing how employees, business associates, and third parties will access ePHI information.
Defining Reasonable Safeguards For Physical Access.
HIPAA-related facilities have several physical control requirements defined within their mandate. These controls include placing security guards at each facility's entrance and installing badge readers to control access to sensitive areas, including on-premise data centers, camera control rooms, and utility areas.
ePHI in the Digital Age For HIPAA-Covered Entities.
The digital transformation within the healthcare industry is ongoing, even after adopting EMR and ambulatory and clinic systems from paper to electronic form.
Cerner, Allscripts, and McKesson systems started with on-premise implementations. Only in recent years have these platforms become cloud-based. Oracle's acquisition of Cerner showed the sped-up growth of medical IT in the cloud, along with the future incorporation of artificial intelligence (AI) and machine learning (ML) embedded within medical applications.
Moving to the cloud and adopting AI and ML represents an advance in healthcare application delivery, optimization of big data, and increased accessibility. However, moving medical data to the cloud and trusting AI, especially with early functional releases, poses enormous risks to medical organizations.
Even with HITECH cloud certifications, hackers still find vulnerabilities within primary or secondary medical services applications, unpatched cloud-based hosts, wearable devices, or network devices with no MFA enabled. Under the Security Rule, organizations must perform risk assessments to ensure their data is secured, even in the cloud.
Moving to digital platforms without risk assessments, incident response, and cloud security protection solutions places HIPAA-related data at significant risk.
In conclusion, protecting PHI data is required for healthcare-related organizations defined under HIPAA. This involves deploying cybersecurity controls, conducting risk assessments, and defining and enforcing policies governing access, transmission, and encryption of PHI.
Securing healthcare data requires an equal partnership between medical practitioners and patients. Healthcare providers mandated by HIPAA have critical requirements to help protect data.
However, users are not governed by HIPAA, yet they have a critical role in protecting their own data:
- Use a different username and password on each website.
- Know who you are granting access to your medical data.
- Keep all paper correspondence in a safe place.
- Subscribe to medical identity scanning services from IDStrong to check whether your medical or personal information has been compromised.
Scanning for your medical record ID or Social Security number is critical to keeping track of any identity theft.
Cybersecurity solutions are flawed, and hackers will steal medical information. Users leveraging scanning solutions from IDStrong can assess whether their information was compromised in a recent large- or small-scale data breach.