What is Protected Health Information (PHI)

What is EPHI?

EPHI (Electronic Protected Health Information) refers to all individually identifiable health information that is created, managed, or transmitted electronically by mHealth and eHealth products; whether on desktop, web, mobile device, or other technology.

Why does PHI matter?

Healthcare companies and their associates registered and operating in the U.S. are regulated by the laws that govern the healthcare industry. They are legally bound to follow the rules within the HIPAA framework; in this case, the Privacy and Security Rules, which place the responsibility for protecting PHI upon the companies. Any incidents of a data breach or privacy violations, failure to protect EPHI, or unlawful sharing and disclosure of any identifiers of the PHI, are liable to be penalized.

Given the rise in risks of cybersecurity and several laws regulating private information, healthcare companies must understand the accountability of any lapses, whether knowingly or unknowingly. Not only does a company lose out on revenue because of penalties and loss of shareholder confidence, but it also loses customers because of the dent in brand value. Why would any patient want his personal information and healthcare records to be shared with third parties?

It means companies operating in the healthcare space must adopt robust processes and highly secure systems to protect PHI and EPHI.

Other laws related to the governance of PHI include the Privacy Act, GLBA, FERPA, COPPA, and FCRA. These laws restrict the sharing of personally identifiable information (PII) including PHI. Unauthorized disclosure or sharing of such information, even EPHI in the digital ecosystem, can pose high risks for the individual whose information is compromised, as well as for the entity responsible for the security of the data.

How to implement PHI?

Covered entities and their business associates must implement appropriate administrative, physical, and technical controls to ensure the confidentiality, integrity, and availability of such information. The process begins with identifying the critical points of PHI that place a patient at risk. The next step is to consider the internal processes in use to keep such PHI safe and secure. It must identify the elements that help keep the information safe and prioritize secure access in its internal controls. The third step involves having suitable agreements that safeguard the company in the case of a data breach. Steps must be taken at every point to ensure that the provisions of HIPAA concerning PHI are complied with in true spirit.

What should healthcare companies do to ensure their integrity?

Under the HIPAA of 1996 and the revisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, healthcare companies that are covered entities must identify the PHI they collect. Further, they must classify the types of PHI gathered from individuals, shared with third parties or used for analytical decision-making or marketing programs.

Obligations under the Privacy Rule

HIPAA makes it compulsory for healthcare companies to disclose PHI to the patient. The law has strict guidelines for maintaining the integrity and security of PHI during storage and dissemination.

According to the Privacy Rule of HIPAA, companies must also provide any PHI to patients upon request, in an electronic PHI format. The procedures for giving patients access to their PHI are specified in the Act. Patient requests for PHI can be made either in digital or handwritten format. Thereupon, the company is required to provide access to the information requisitioned within 30 days. Where the company uses an electronic health record (EHR) system certified under the CEHRT (Certified Electronic Health Record Technology) rule, access to EPHI must be provided in digital format only.

The provider must maintain the integrity of the regulations by making sure that only the following information is given access to: health condition, healthcare plan, test and lab results, notes, and billing information. Confidential psychotherapy notes or other information gathered by the provider stored to defend against any potential lawsuit is excluded from the patient access clause.

Obligations under the Security Rule

The Security Standards of 2003 add value to the Privacy Rule. The Privacy Rule governs PHI in paper and electronic formats. However, the Security Rule looks more closely at the Electronic Protected Health Information (EPHI) with a three-layered protocol for maintaining the highest level of security: administrative, physical, and technical. The Security Rule identifies standards for both, mandatory compliance and implementation. The conditions listed in the Rule must be adopted and implemented as specified. The law gives companies the flexibility to evaluate the risks in their internal systems and controls, so they may devise the best methodologies to implement the specifications. In this context, various software tools have been developed by vendors like Resolve Data to help covered entities analyze the risks and make remediation.

Obligations under the law of the State

As a covered entity your company will have to disclose PHI to law enforcement officials as mandated by the law of the United States of America. It covers receipt of court orders, court-ordered warrants, subpoenas, administrative requests for specific information; or cases of witness identification and runaway or suspect location. Other instances where you are allowed to disclose PHI are when such information is considered critical for facilitating treatment or payment of health care services. In such cases, the information may be shared even without the written consent of the patient.

Generally, a covered entity or business associate is required to follow the criteria of minimum disclosure of information deemed necessary for the stated purpose.

Obligations under the GDPR

The EU’s General Data Protection Regulation (GDPR) is a new data security regulation that came into effect in 2018. It deals with sensitive personal information, including oversight for health-related data. Any international organization based out of the U.S., that handles personal health information of residents within the EU has to comply with the GDPR.

Obligations for secure data and cloud storage in EPHI

Under the HIPAA regulation, health-related data storage companies are considered business associates. The HIPAA rules regulate the storage of physical and digital health data, including cloud storage. Covered entities and business associates must have Business Associate Agreements in place to limit liabilities in the case of data breach incidents. This practice is in addition to the technical, administrative, and physical safeguards maintained by the company.

What needs to be done for adherence and compliance?

The way forward is to digitize health data for patient access to information, health insurance purposes, as well as for the benefit of public health databases and research.

Technical measures

• Encrypt all EPHI to meet the NIST standards, including end-point devices that access or manage information
• Have controls in place to protect PHI from unauthorized modifications, fraud and accidental loss.
• Implement activity audits to track access to PHI and EPHI.

Physical measures

• Control physical access to data and have systems to block unauthorized permission.
• Ensure protection of cloud-stored data by tracking servers.

Administrative measures

• Identify risks of PHI and EPHI storage and management, within the company.
• Based on risk assessment, have systematic policies and procedures in place.
• Have a business continuity plan and make use of technologies for proofing your HIPAA compliance.
• Document security incidents and initiate steps before any actual breach occurs.

The Role of AI and ML in HIPAA Compliance

and initiate steps before any actual breach occur. The Role of AI and ML in HIPAA Compliance AI technologies form the bedrock of compliance by detecting patterns and trends.

AI and ML are used for:

• Converting company-identified aspects of the rules into a machine-executable format, for automatic interpretation and execution.
• Auto-detection and implementation of GDPR where the client or patient is a resident of a member country belonging to the EU.
• AI/ML-based solutions can enable companies to ensure that EPHI is safe and secure, by triggering alerts in the case of unauthorized access or change.
• ML enables the analysis of intrusion detection in the case of repeat breach incidents and keeps PHI secure. The reduction of false-positive rates allows a company to be more compliant, thus avoiding loss of brand reputation in the case of data breach or penalties.
• AI allows automation of compliance-based tasks and analysis of PHI in high volumes at high frequencies with automated rules-based systems.
• ML helps to detect patterns with iterative self-learning to apply the updated logic for trends and anomalies in processing and access of PHI.