Protected Health Information, or PHI for short, refers to any data linked to an individual’s health status, medical history, treatment, or payment for care—which makes it possible to identify that individual.PHI includes, but is not limited to, demographics (name, address, date of birth, and contact info), medical records (diagnoses, medications, treatment plans, and lab test results), payment information (insurance and billing details), and biometric data (voice samples, fingerprints, and genetic information).
What is PHI in HIPAA?
According to HIPAA, PHI is transmitted or maintained by a covered entity or their business associate. It can be oral, electronic, or written and includes data created or obtained about an individual in connection with healthcare provision.The following are examples of PHI:
A patient’s name, address, and phone number
A doctor’s notes about a patient’s medical history
A laboratory report with a patient’s name and test results
A prescription for a patient’s medication
An insurance claim form with a patient’s name, policy number, and date of service
The following are examples of information that is not considered PHI under HIPAA:
A patient’s zip code
The name of a city or town
A patient’s age
A patient’s gender
A patient’s occupation
A patient’s hobbies
There are a few exceptions to the definition of PHI. For example, PHI does not include data that has been de-identified, collected from a public source, utilized solely for research purposes, or retrieved by a law enforcement agency.
Which Standard Governs the Control and Safeguarding of PHI in All Forms?
The Health Insurance Portability and Accountability Act is the standard that governs the control and safeguarding of Protected Health Information in all forms. Being a federal law enacted in 1996 to enhance healthcare portability and accountability, HIPAA has two primary sets of regulations: the Privacy Rule and the Security Rule.The Privacy Rule sets standards for how covered entities, which are organizations with access to PHI, can use and disclose that information. The Privacy Rule also grants individuals specific rights concerning their PHI, including access to and modification of their medical records and the option to limit the use and disclosure of their personal health information.The Security Rule outlines stringent measures that covered entities and associated business entities must enforce to safeguard PHI against unauthorized access, use, disclosure, disruption, alteration, or destruction. The Security Rule covers all forms of PHI, including paper records, electronic records, and oral communications.
For How Many Years after a Person’s Death is PHI Protected under HIPAA?
HIPAA protects the privacy of PHI for the life of the individual and for 50 years after their death. This means that all covered entities (CEs) are obliged to continue protecting PHI even after the individual has passed away.The 50-year rule applies to all PHI, regardless of how it was generated or obtained. This includes PHI that is stored in electronic or paper records, as well as PHI that is verbal or intangible.There are a few exceptions to this rule, allowing for PHI disclosure in specific circumstances. For instance, covered entities (CEs) may disclose PHI to examiners, coroners, and funeral organizers to facilitate their duties in investigations or preparing death certificates. Additionally, CEs may disclose PHI to researchers if the project has gained approval from an Institutional Review Board (IRB) and the disclosure is necessary for the research to proceed.CEs must develop and implement policies and procedures to ensure that PHI is protected even after the individual’s death. They must also provide training to their staff on how to handle PHI after the individual’s death, which should cover both the 50-year rule and exceptions to it.
What are Acceptable Methods for Destroying Protected Health Information?
HIPAA provides several acceptable methods for destroying Protected Health Information. These methods are designed to ensure that PHI cannot be reconstructed or read by unauthorized individuals.Acceptable Methods for Destroying Paper PHI
Shredding is the most common and effective method for destroying paper PHI. Shredded material should be at least 1/4-inch in size to prevent reconstruction.
Burning is another effective method for destroying paper PHI. However, it is important to take precautions to prevent the spread of fire or smoke.
Pulping is a method of destroying paper PHI that involves grinding the paper into a fine powder. Pulped PHI can be used to make new paper products but can no longer be reconstructed.
Acceptable Methods for Destroying Electronic PHI
Clearing is the process of removing electronic PHI from a storage device so that it cannot be read. This can be done by overwriting the data with random characters or using a secure erasing tool.
Purging is a more secure method of destroying electronic PHI than clearing. Purging involves exposing the storage device to a strong magnetic field, making it impossible to read the data through non-sophisticated forensic techniques.
Decommissioning is the process of removing electronic PHI from service and ensuring that it cannot be accessed or recovered. This may involve physically destroying the storage device or removing it from the organization’s network.
When Disposing of PHI
Do not simply discard PHI in the trash. This could allow unauthorized individuals to access the information.
Keep PHI secure until it is destroyed. This means storing it in locked cabinets or rooms and restricting access to authorized personnel only.
Document the destruction process. This includes maintaining documentation on the types of PHI destroyed, the methods used for removal, and destruction dates.
By following these guidelines, organizations can help ensure that PHI is disposed of securely and that the privacy of individuals is preserved.