Protected health information: HIPAA facts & best practices

To better protect healthcare data and patient privacy, Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA was introduced to ensure the security of Protected Health Information (PHI) and ensure patient privacy. Despite this regulation, the healthcare industry has seen a huge surge in the number of cyberattacks over the years. In 2019 alone, there were 572 reported health data breaches in the U.S. Globally, the healthcare industry came in second for the highest number of breaches during the year. 

Healthcare data has become an increasingly favored target for hackers as a single medical record can fetch up to $1,000 USD on the black market. This isn’t surprising as medical records typically contain a patient's full name, Social Security Number (SSN), date of birth, healthcare insurance data and more, constituting an attractive "information package." 

So, how can healthcare organizations keep in compliance with HIPAA and better safeguard PHI from cyberattacks? It starts with understanding more about what HIPAA is along with implementing best practices to protect healthcare data. 

What is HIPAA?

HIPAA is a U.S. federal law that establishes national standards to protect the privacy and security of sensitive patient health data. While similar to other data protection legislation that governs the collection, use and disclosure of Personally Identifiable Information (PII), HIPAA focuses on providing a balance for the lawful use and disclosure of Protected Health Information (PHI). 

Personally Identifiable Information vs. Protected Health Information

PII is personal identifiable information that can be used alone or with a combination of other data to uniquely identify an individual. Examples of PII include an individual’s full name, birth date, SSN, bank account number, credit card number, email address or Internet Protocol (IP) address. 

PHI is health information (including demographic data) in any form or medium, whether electronic, on paper, or oral, that can be reasonably used to identify an individual. A patient’s past, present or future health status, health care provision, or health care payment data constitute PHI when accompanied by common PII such as full name, birth date and SSN. For example, a medical chart with a patient’s name on it is PHI. Other types of PHI include biometric identifiers, medical record numbers, health insurance beneficiary numbers, and even conversations about patient care or treatment between doctors and nurses.

HIPAA Basics

HIPAA covers a broad range of topics, but there are three main provisions of HIPAA that organizations related to the healthcare sector should be familiar with.

I) HIPAA Privacy Rule

In essence, the HIPAA Privacy Rule aims to protect a patient's privacy while permitting the flow of important health information when necessary. The Privacy Rule requires that covered entities (e.g., health plans, healthcare providers, and healthcare clearinghouses) assess their operational practices and ensure that the necessary measures are in place to limit the use and disclosure of personally identifiable PHI without a patient’s consent. This gives individuals more rights to access, understand and control when and how their health information may be used or shared. 

For covered entities, this means adhering to the "minimum necessary" principle by only using, disclosing or requesting the minimum PHI needed to complete the intended purpose. This includes safeguarding and applying de-identification methods when health data is shared for studies, research or other purposes. There are times when covered entities are permitted to use or disclose PHI. For example, a covered entity may use and disclose PHI when it is required for healthcare operations. 

II) HIPAA Security Rule

HIPAA generally applies to PHI in all forms, but the Security Rule applies specifically to PHI in electronic form, also known as ePHI. According to the Security Rule, covered entities need to maintain appropriate security measures for protecting ePHI, such as ensuring that all ePHI that is created, received, maintained or transmitted is kept confidential, retains integrity, and is accessible and usable on-demand by authorized persons. Recognizing the diversity of covered entities in the healthcare industry, the Security Rule gives covered entities the flexibility to take into account their size, complexity, available infrastructure, cost, risk likelihood and other considerations when determining the best security practices to implement to secure ePHI. 

III) HIPAA Breach Notification Rule

A breach occurs when there is any use or disclosure of PHI that is impermissible under the HIPAA Privacy Rule. In the event that a breach of unsecured PHI happens, the HIPAA Breach Notification Rule dictates that covered entities must provide written notice to affected individuals without reasonable delay, and no later than 60 days from the discovery of the breach. In more severe cases, such as when a breach impacts more than 500 residents of a state or jurisdiction, the covered entities are also required to notify prominent media outlets about the breach. 

These notices must:

• Describe the breach,
•  Identify the types of data involved,
• Provide recommendations on the precautions affected individuals can take, and
• Outline steps the covered entity is taking to investigate and mitigate harm resulting from the breach.

Covered entities are also expected to provide insight on action that has been taken to prevent further breaches from happening. 

Common HIPAA violations

Failing to take HIPAA obligations seriously can be costly. In 2018, one of the largest health benefits companies in the U.S. suffered a devastating data breach that exposed the ePHI of almost 79 million people. This led to a record $16 million fine as the company was found to have violated the HIPAA Privacy and Security Rules. 

Other known HIPAA violations that cost organizations reputational and financial damages have included:

1. ePHI records stored on a public server were accessible without credentials.
2. Unauthorized disclosure of a patient’s PHI by a doctor during a discussion with the media.
3. Failure to revoke access to PHI upon an employee’s termination of employment.
4. Failure to implement security measures sufficient to reduce risks & vulnerabilities after a risk analysis.

HIPAA best practices

The first and most important step towards HIPAA compliance is to be able to answer the question, "Where is all our PHI data stored?" Once you have visibility into where PHI data resides, you can put the right controls in place, such as encryption, de-identification, disposal, and more. 

Below is a list of best practices to guide your organization’s HIPAA compliance efforts.

1. Identify where all your data is.  Compliance starts from data mapping - databases, removable devices, archives, or cloud storages. To implement effective safeguards, you need a blueprint of PHI data storage locations across your organization. 
2. Encrypt patient data. Encryption is an important method to secure data as the data becomes unintelligible to unauthorized persons. Encryption also provides a way to verify the origin and integrity of the data, reducing the risk of accessing data from suspicious sources.
3. Apply de-identification methods. One recommended de-identification technique under the HIPAA Privacy Rule is known as the "Safe Harbor" method, which applies to identifiers such as names, geographical data, dates, telephone numbers, SSN, and medical record numbers. The rationale for de-identification is that once certain identifiers are removed, it is reasonable to believe that the health data is no longer individually identifiable and no longer constitutes PHI. 
4. Dispose of old data. When there are no longer any legal requirements to retain patient data, covered entities should take appropriate steps to dispose of this data. HIPAA recommends that physical copies of patient records that contain PHI be shredded, burnt or pulverized to be unreadable. For ePHI, disposal methods include securely deleting ePHI, or purging and destroying the storage media. 
5. Data access control and monitoring. When was the last time your organization audited employees’ access to patient data? Are permissions terminated when an employee leaves the organization, or when permissions are no longer aligned with the current job function? Access to sensitive PHI should only be granted to employees who "need to know" to perform their jobs effectively, with log management systems enabled to monitor the use and access to said data. 
6. Conduct security awareness training. Security is a shared responsibility. Company policies should require all employees to undergo regular security awareness training to learn how to recognize, report or eliminate potential threats. Informed employees who are fully aware of the consequences of data breaches can greatly reduce the risk of unauthorized use and disclosure of patient PHI. 

Take the first step to HIPAA Compliance with Ground Labs Data Discovery

At Ground Labs, we understand the value and vulnerability of healthcare data. With our flagship Enterprise Recon solution, you can quickly search across your organization to determine where all ePHI resides to identify high-risk, unsecured storage locations. Enterprise Recon comes ready with a PHI-centric data type profile that houses many identifiers listed under the HIPAA Safe Harbor method, including full names, mailing address, driver license number, SSN, drug enforcement agency number, Medicare Beneficiary Identifier (MBI), national health plan identifier, national provider number and health insurance claim number. You can further tailor it to organization-specific requirements such as medical record numbers or account numbers using Enterprise Recon’s custom data types.

Enterprise Recon’s scan scheduling enables this PHI data type profile to capture most data points specific to the U.S., and can be configured to capture other common types of HIPAA-sensitive data like credit card numbers and email addresses. With Enterprise Recon’s powerful remediation capabilities, you can take the Safe Harbor de-identification approach by masking sensitive PHI from the web console, or encrypting data at rest. 

To find out how Enterprise Recon can address your organization’s HIPAA compliance needs, book a demo today.