May 7, 2021

Most healthcare professionals understand that many of HIPAA's regulations are about safeguarding protected health information (PHI), but there is much confusion in attempting to define what PHI actually is and is not. We all know that things like social security numbers and bank account information should be kept under lock and key, but it's not just the obvious details that could be used maliciously. These are only two examples of the 18 different identifiers that constitute PHI, and all it takes is for just one to fall into the wrong hands for your practice to have a HIPAA breach on its hands. So ensuring that you're fully safeguarding this sensitive data starts with having a complete understanding of what needs to be protected and knowing why it's so important that you do.

What are PHI and ePHI?

PHI can be defined as any personal health data created, transmitted, received, or stored by a covered entity or its business associate (BA) that could potentially identify an individual. Among the many documents, forms, records, and other communications that your practice handles on a daily basis, PHI is more than likely featured on most, if not all, of them. As you probably already know, and as the 86% of providers currently utilizing Electronic Health Records (EHR) can attest, many of these communications are handled electronically and therefore contain electronic protected health information (ePHI). So whether the information is transferred, received, or simply saved on paper or in electronic form, if it consists of any one of the following identifiers of PHI, it needs to be properly protected:

Why does it need to be protected?

Now that you know what fits the bill of PHI, it's important to know why and how it should be protected.
To hackers and other individuals with malicious intent, a healthcare practice holding patients' sensitive information is a gold mine, considering that a single medical record can be valued at up to $250 on the black market. To put that into perspective, financial and banking information is valued at only $5.40. So why such a large price tag on PHI? Unlike a credit card, if your sensitive health information gets into the wrong hands you can't just cancel the card or change your information. Healthcare data breaches are hard to detect, and once that sensitive information is out there, it's much more difficult to get back.

How should it be protected?

As you can see from the 18 identifiers listed above, PHI comes in many different shapes and sizes and requires more than just locks on your doors and passwords on your computers to keep it out of harm's way. HIPAA law outlines how PHI should be protected in its Security and Privacy Rule requirements, providing administrative, technical, and physical controls that are all essential for securing patient data. While these safeguards help to protect PHI when it's being stored and handled within your practice, encryption is key to maintaining data confidentiality and integrity when it's being sent or received, and proper disposal is crucial when the PHI is no longer needed.

Now that you know the what, why, and how, let's talk about the who. With patient complaints and data breaches continuing to reach all-time highs, it's more important now than ever to ensure that everyone who works with your patients' PHI is doing so properly. Protecting your patients means conducting regular HIPAA training for all staff members, having signed business associate agreements with all third-party vendors, and maintaining a complete compliance program that meets these government requirements and encompasses all the necessary safeguards.
While understanding exactly what PHI is and how it should be protected might still be a bit confusing, thanks to Abyde, it doesn't have to be! Meeting HIPAA standards and safeguarding PHI has never been easier with Abyde's approach and its team of HIPAA experts there to support you every step of the way. Schedule a complimentary one-on-one consultation to learn more!
So You Have PHI to Dispose of – Now What?
February 26, 2020

The days of simply shredding paper records and files to dispose of Protected Health Information (PHI) are behind us, as the use of technology continues to become more prevalent within the medical industry. Under the HIPAA Privacy Rule, practices are required to implement the proper administrative, technical, and physical safeguards when it comes to protecting patient privacy. This rule dictates that covered entities are responsible for implementing and maintaining these policies.

For many practices, disposing of electronic or paper PHI in the proper way may be daunting. Instead of simply shredding a paper file, practices now have to follow the disposal methods recommended by the U.S. Department of Health and Human Services. These methods include:

Without a simple checklist to follow, it is difficult to guarantee that the best measures are being taken to protect this sensitive data. In fact, covered entities and business associates have been hit with hefty fines for not disposing of PHI properly.

In one well-publicized example, a shredding company left thousands of patient files unlocked and unguarded for anyone to take. The shredding company, as well as the covered entity whose files were left unsecured, were both hit with monetary settlements. Another incident of improper PHI handling left almost 10,000 individuals impacted. In this case, a pharmacy disposed of an electronic device used for customer signatures without properly wiping the device first. This exposed a vast amount of PHI, including patient names and signatures along with prescription numbers and medication names. Many of these incidents occur because practices lack policies governing how business associates and other outside parties handle patient data.
Another case, which led to monetary penalties totaling a whopping $140,000, resulted from a medical billing company disposing of 67,000 patient records in a public dumpster. Unfortunately, improper disposal of PHI is the source of many data breaches and HIPAA violations. Implementing the correct policies for disposal of PHI is paramount, and each employee must be trained on proper PHI disposal to ensure that your practice is taking every possible step to keep protected health information secure.