The Health Insurance Portability and Accountability Act (HIPAA) of 1996 regulates healthcare information within the United States. The law specifies what constitutes Protected Health Information (PHI) in the healthcare and healthcare insurance industries.
While the National Institute of Standards and Technology (NIST) Guide lays down the rules for protecting the confidentiality of PHI, it is Title II of HIPAA that details the policies and procedures for securing personal health information from fraud and theft. The rules outline which lapses are considered offenses and the penalties for violations. The Act also provides mechanisms for preventing fraud within the healthcare system and expects covered businesses to follow its protocols for handling PHI.
The HIPAA Privacy Rule regulates the use and disclosure of PHI in healthcare treatment and payment processes by “covered entities” or “business associates”. PHI is any information related to the health status of an individual, his medical record or details of healthcare provided, and the payment history. “Covered entities” are healthcare clearinghouses, employer-sponsored health plans, health insurers, and medical service providers, while “business associates” are independent contractors of the covered entities. Together, these companies are required to put into practice measures that maintain the confidentiality and integrity of health information and provide patients access to their data.
HIPAA is the pioneering effort of the U.S. in the protection of individual health information and leads the way for other countries to incorporate similar protection laws for PHI.
What is Protected Health Information (PHI)
Protected health information refers to the health data received, created, stored, or transmitted by HIPAA-covered entities and business associates in the due course of providing healthcare, maintaining healthcare operations and payments for healthcare services. It includes any information transmitted and maintained by electronic or other media.
Types of Protected Health Information
The HIPAA Privacy Rule deals with these types of PHI, and all organizations within the healthcare industry are expected to comply.
What qualifies as PHI?
According to HIPAA, the following identifiers qualify as PHI because they identify a human being who has received healthcare at any point in time or has paid for healthcare services. Because these identifiers can be used to contact or locate a person, they are highly exposed to fraud, data breach, or misuse by a third party. Additionally, demographic data and insurance information of the patient associated with any of these identifiers is also considered ‘identifiable’ under the HIPAA Privacy Rule.
What is EPHI?
EPHI (Electronic Protected Health Information) refers to all individually identifiable health information that is created, managed, or transmitted electronically by mHealth and eHealth products; whether on desktop, web, mobile device, or other technology.
Why does PHI matter?
Healthcare companies and their associates registered and operating in the U.S. are regulated by the laws that govern the healthcare industry. They are legally bound to follow the rules within the HIPAA framework; in this case, the Privacy and Security Rules, which place the responsibility for protecting PHI upon the companies. Any incidents of a data breach or privacy violations, failure to protect EPHI, or unlawful sharing and disclosure of any identifiers of the PHI, are liable to be penalized.
Given the rise in cybersecurity risks and the number of laws regulating private information, healthcare companies must understand that they are accountable for any lapse, whether it occurs knowingly or unknowingly. Not only does a company lose revenue through penalties and loss of shareholder confidence, but it also loses customers because of the dent in brand value. Why would any patient want his personal information and healthcare records shared with third parties?
This means companies operating in the healthcare space must adopt robust processes and highly secure systems to protect PHI and EPHI.
Other laws related to the governance of PHI include the Privacy Act, GLBA, FERPA, COPPA, and FCRA. These laws restrict the sharing of personally identifiable information (PII) including PHI. Unauthorized disclosure or sharing of such information, even EPHI in the digital ecosystem, can pose high risks for the individual whose information is compromised, as well as for the entity responsible for the security of the data.
How to implement PHI protection?
Covered entities and their business associates must implement appropriate administrative, physical, and technical controls to ensure the confidentiality, integrity, and availability of such information. The process begins with identifying the critical points at which PHI places a patient at risk. The next step is to review the internal processes in use to keep such PHI safe and secure: the company must identify the elements that help keep the information safe and prioritize secure access in its internal controls. The third step involves having suitable agreements in place that safeguard the company in the case of a data breach. Steps must be taken at every point to ensure that the provisions of HIPAA concerning PHI are complied with in true spirit.
What should healthcare companies do to ensure their integrity?
Under the HIPAA of 1996 and the revisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, healthcare companies that are covered entities must identify the PHI they collect. Further, they must classify the types of PHI gathered from individuals, shared with third parties or used for analytical decision-making or marketing programs.
Obligations under the Privacy Rule
HIPAA makes it compulsory for healthcare companies to disclose PHI to the patient. The law has strict guidelines for maintaining the integrity and security of PHI during storage and dissemination.
According to the Privacy Rule of HIPAA, companies must also provide any PHI to patients upon request, in an electronic PHI format. The procedures for giving patients access to their PHI are specified in the Act. Patient requests for PHI can be made either in digital or handwritten format. Thereupon, the company is required to provide access to the information requisitioned within 30 days. Where the company uses an electronic health record (EHR) system certified under the CEHRT (Certified Electronic Health Record Technology) rule, access to EPHI must be provided in digital format only.
The provider must maintain the integrity of the regulations by making sure that access is given only to the following information: health condition, healthcare plan, test and lab results, notes, and billing information. Confidential psychotherapy notes, or other information gathered by the provider and stored to defend against a potential lawsuit, are excluded from the patient access clause.
Obligations under the Security Rule
The Security Standards of 2003 add to the Privacy Rule. The Privacy Rule governs PHI in paper and electronic formats. The Security Rule, however, looks more closely at Electronic Protected Health Information (EPHI), with a three-layered protocol for maintaining the highest level of security: administrative, physical, and technical safeguards. The Security Rule identifies standards for both mandatory compliance and implementation. The conditions listed in the Rule must be adopted and implemented as specified. The law gives companies the flexibility to evaluate the risks in their internal systems and controls, so they may devise the best methodologies to implement the specifications. In this context, various software tools have been developed by vendors like Resolve Data to help covered entities analyze the risks and remediate them.
The standards and specifications mentioned in the Security Standards are as follows:
Obligations under the law of the State
As a covered entity, your company will have to disclose PHI to law enforcement officials as mandated by the law of the United States of America. This covers receipt of court orders, court-ordered warrants, subpoenas, and administrative requests for specific information, as well as cases of witness identification and locating a runaway or suspect. Other instances where you are allowed to disclose PHI are when such information is considered critical for facilitating treatment or payment for healthcare services. In such cases, the information may be shared even without the written consent of the patient.
Generally, a covered entity or business associate is required to follow the criteria of minimum disclosure of information deemed necessary for the stated purpose.
Obligations under the GDPR
The EU’s General Data Protection Regulation (GDPR) is a new data security regulation that came into effect in 2018. It deals with sensitive personal information, including oversight for health-related data. Any international organization based out of the U.S., that handles personal health information of residents within the EU has to comply with the GDPR.
Obligations for secure data and cloud storage in EPHI
Under the HIPAA regulation, health-related data storage companies are considered business associates. The HIPAA rules regulate the storage of physical and digital health data, including cloud storage. Covered entities and business associates must have Business Associate Agreements in place to limit liabilities in the case of data breach incidents. This practice is in addition to the technical, administrative, and physical safeguards maintained by the company.
What needs to be done for adherence and compliance?
The way forward is to digitize health data for patient access to information, health insurance purposes, as well as for the benefit of public health databases and research.
Here are some ways organizations can achieve compliance:
- Encrypt all EPHI to meet the NIST standards, including end-point devices that access or manage information.
- Have controls in place to protect PHI from unauthorized modifications, fraud and accidental loss.
- Implement activity audits to track access to PHI and EPHI.
- Control physical access to data and have systems to block unauthorized permission.
- Ensure protection of cloud-stored data by tracking servers.
- Identify risks of PHI and EPHI storage and management, within the company.
- Based on risk assessment, have systematic policies and procedures in place.
- Have a business continuity plan and make use of technologies for proving your HIPAA compliance.
- Document security incidents and initiate steps before any actual breach occurs.
The Role of AI and ML in HIPAA Compliance
AI technologies form the bedrock of compliance by detecting patterns and trends.
AI and ML are used for:
- Converting company-identified aspects of the rules into a machine-executable format, for automatic interpretation and execution.
- Auto-detection and implementation of GDPR where the client or patient is a resident of a member country belonging to the EU.
- AI/ML-based solutions can enable companies to ensure that EPHI is safe and secure, by triggering alerts in the case of unauthorized access or change.
- ML enables the analysis of intrusion-detection data in the case of repeat breach incidents and keeps PHI secure. Reducing false-positive rates allows a company to be more compliant, thus avoiding loss of brand reputation or penalties in the case of a data breach.
- AI allows automation of compliance-based tasks and analysis of PHI in high volumes at high frequencies with automated rules-based systems.
- ML helps to detect patterns with iterative self-learning to apply the updated logic for trends and anomalies in processing and access of PHI.
The two most significant data guidelines of the healthcare industry in the U.S. are the Privacy and Security Rules of HIPAA. Each rule stipulates the procedures to be followed: storage and processing of PHI, robust systems for data storage and cloud storage, stringent access controls, and systematic tracking and documentation, so that EPHI is handled in a highly secure and automated way to protect the health data of patients.
Our Resolve Data solution maintains the integrity of health information with built-in AI-driven algorithms to help you incorporate the HIPAA Rules and comply with the federal regulation. Empowered with our solution, you can now monitor your company’s system for securing PHI and be compliant 24/365.