Every week someone asks us, “What is HIPAA, and what do I need to know?” This post is meant to provide a basic understanding of what the Health Insurance Portability and Accountability Act (HIPAA) is and how each of us can do our part to protect the data it covers.
HIPAA is a U.S. federal law that sets standards for protecting patient data. Organizations that handle protected health information (PHI) must follow a series of regulatory standards issued under it. The terms protected health information (PHI) and personally identifiable information (PII) are often used interchangeably, but while they may sound like the same thing, there are differences that set them apart, and those differences matter when it comes to HIPAA.
PII vs. PHI
PII is any information that can be traced back to a person’s identity. PHI is individually identifiable health information that is created, received, or held by a HIPAA-covered entity (or a business associate working on its behalf). Assuming the two can be handled the same way for the same purposes can lead to compliance problems for any business.
The HIPAA Privacy Rule defines what constitutes PHI when it is obtained and held by covered entities such as health plans, health insurers, and health care providers like hospitals, practices, or clinics. PHI combines health information with identifiers that can tie it to an individual, such as name, Social Security number, payment history, and details of care. The Privacy Rule also regulates who may use this information and what they may do with it.
The two may seem similar, but critical distinctions set them apart. PII is a catch-all term for any information that can lead back to an individual, whereas PHI is specifically the identifiable health information held by HIPAA-covered entities. A customer’s email address held by a retailer is PII but not PHI; the same person’s name on a clinic’s treatment record is both.
According to the U.S. Office of Management and Budget, PII – or personally identifiable information – is any information that can be used to uniquely identify, contact or locate an individual, or can be used with other sources to identify a person uniquely.
Determining Sensitive PII
Sensitive PII is PII whose disclosure could result in harm to the individual whose name or identity is linked to it. In deciding whether PII is sensitive, the context in which the information is used must be considered, and so must the combination of PII elements: elements that are harmless on their own can require protection once they are associated. For example, an individual’s name is considered sensitive PII when grouped with their mother’s maiden name and date of birth, but none of these elements would be regarded as sensitive independent of one another.
The following categories of PII are considered sensitive when they are associated with an individual and must be protected when stored or transmitted electronically (this list is not exhaustive):
- Place of birth
- Date of birth
- Mother’s maiden name
- Biometric information (identification of humans by their characteristics or traits)
- Medical information
- Personal financial information
- Credit card or purchase card account numbers
- Passport numbers
- Potentially sensitive employment information, such as disciplinary actions or personnel ratings
- Criminal history
- Any information that may stigmatize or adversely affect a person
What to do when you suspect a data breach
Understanding the difference between PII and PHI is essential to protecting data and maintaining HIPAA compliance. Healthcare organizations that understand the distinction can save money, time, and headaches while shielding patients from harm.
The processes for protecting PII and PHI are largely the same: keep systems up to date and apply strict cybersecurity standards. So what do you do if you suspect a security breach? Let us know right away. Email us as many data points and details as you can recall (what was exposed, when, how, and who was involved). Do not attach the affected files or paste PHI into the email itself; describe them and we will arrange a secure way to collect anything we need. Prompt reporting matters because HIPAA’s Breach Notification Rule sets deadlines that start from the date a breach is discovered.
No one wants to be the victim of identity fraud or have their personal information disclosed in public. We need your help to learn whether a suspected HIPAA violation has occurred. Simply reach out to our security officer using this form and tell us about the incident in question. We will investigate the matter and make every effort to protect the affected data and correct any HIPAA violations.
Thank you from all of us to all of you for doing your part in protecting this information.