BHP Supplemental Training

This is supplemental training for Better Health Partnership. Please read this page carefully and, at the end, click the link to a page where you can attest that you understand this material. If you need help understanding it, please email Keith (khagans@betterhealthpartnership.org) to review the materials in detail. Everyone must understand what Protected Health Information (PHI) is and what rules apply to it.

Three Important HIPAA Rules

The Privacy Rules set the standards for those with access to PHI.
    • Giving patients more control over their health information, including the right to review and obtain copies of their records.
    • Setting boundaries on the use and release of health records. 
    • Requiring standard safeguards that covered entities must implement to protect PHI from unauthorized use or access. 
The Security Rules set the standards for those who should have access to Electronic Protected Health Information (ePHI).
    • Ensure the confidentiality, integrity, and availability of the ePHI they receive, maintain, create, or transmit.
    • Identify and protect against threats to the security or integrity of the information.
    • Reasonably protect against impermissible uses or disclosures.
    • Ensure compliance by their workforce.

The Minimum Necessary Standard prevents the sharing of too much information.

Securing PHI records

  • Digital information requires a password to access it.
  • Digital information must be encrypted.

Transmission and storage of electronic records

  • Secure email is not the preferred method of sending PHI. It is not prohibited by Health and Human Services (HHS), so it can be used if necessary; if you do use it, make sure “[SECURE]” is in the subject line.
  • sFTP: this is the safest and preferred method for sending PHI.

How to Securely Delete PHI on Electronic Devices

When you delete a file on any electronic device, it appears to be gone. However, the device did not delete it; it just removed a marker pointing to it. The file is still there. The same thing happens when you format a hard drive.

When you put a piece of paper in a trash can, you can pull it out if you want it back. The same is true of an electronic device: the file(s) are still there. Deleting does not get rid of data; it must be actively removed.

You remove data from electronic devices by using special software to overwrite data with non-sensitive data, purging or degaussing with a strong magnet, melting, incinerating, or shredding. Destroying the device is recommended if you no longer need the equipment.

Loss or Theft of Devices

When you lose a device that contains PHI, there is a replacement cost. There could also be a HIPAA violation. Here are two incidents that resulted in fines.

This violation occurred at the Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS).

In June 1996, an iPhone containing PHI was stolen. The iPhone was not password protected or encrypted, so anyone could look at the data on it. This exposed the PHI of 412 nursing home residents and their families.

The fine was over $600,000.

A Medical Center in Rochester lost a laptop and flash drive that had PHI. A fine of $3 million was issued since there was no encryption.

Store devices with PHI in a secure location. Not doing this could result in loss or theft of the device. If the device is not password protected or encrypted, the loss becomes even more severe.

Report a missing device that stores PHI right away.

De-identified Data

The following identifiers of the individual or relatives, employers, or household members of the individual must be removed:
(A) Names
(B) All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
(1) The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
(D) Telephone numbers
(E) Fax numbers
(F) Email addresses
(G) Social security numbers
(H) Medical record numbers
(I) Health plan beneficiary numbers
(J) Account numbers
(K) Certificate/license numbers
(L) Vehicle identifiers and serial numbers, including license plate numbers
(M) Device identifiers and serial numbers
(N) Web Universal Resource Locators (URLs)
(O) Internet Protocol (IP) addresses
(P) Biometric identifiers, including finger and voice prints
(Q) Full-face photographs and any comparable images
(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section [Paragraph (c) is presented below in the section “Re-identification”]; and

(ii) The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

Satisfying this method would demonstrate that a covered entity has met the standard in §164.514(a) above. The Privacy Rule does not protect de-identified health information created following these methods because it does not fall within the definition of PHI. Of course, de-identification leads to information loss, which may limit the usefulness of the resulting health information in certain circumstances.
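As an added illustration (not part of this training page or of Better Health Partnership's own tooling), the following Python routine applies the Safe Harbor identifier rules listed above to one flat record: it drops the direct identifiers, truncates ZIP codes to three digits (or 000 for small-population prefixes), keeps only the year of event dates, and collapses ages over 89 into "90+". The field names and the set of small-population ZIP prefixes are assumptions.

```python
from datetime import date
# Constructed placeholder: three-digit ZIP prefixes whose combined population
# is 20,000 or fewer per Census data; real values must come from the Census.
SMALL_ZIP3_PREFIXES = {"036", "059", "102"}

# Identifiers (A), (B) below the state level, and (D)-(R) are dropped outright.
REMOVED_FIELDS = {"name", "street", "city", "county", "phone", "fax", "email",
                  "ssn", "mrn", "plan_id", "account", "license", "vehicle_id",
                  "device_id", "url", "ip"}

def deidentify_zip(zip_code):
    """(B): keep the first three digits unless that prefix is a small area."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    prefix = digits[:3]
    if len(prefix) < 3 or prefix in SMALL_ZIP3_PREFIXES:
        return "000"
    return prefix

def age_on(birth, as_of):
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years

def deidentify_age(age):
    """(C): ages over 89 collapse into the single category '90+'."""
    return "90+" if age >= 90 else str(age)

def deidentify_birth_date(birth, as_of):
    """(C): keep only the year, and drop even the year if it implies age > 89."""
    return None if age_on(birth, as_of) >= 90 else str(birth.year)

def deidentify_record(record, as_of):
    """Apply the Safe Harbor rules to one flat record; as_of anchors ages."""
    out = {k: v for k, v in record.items() if k not in REMOVED_FIELDS}
    if "zip" in out:
        out["zip"] = deidentify_zip(out["zip"])
    if "birth_date" in out:
        out["age"] = deidentify_age(age_on(out["birth_date"], as_of))
        out["birth_date"] = deidentify_birth_date(out["birth_date"], as_of)
    for field in ("admission_date", "discharge_date", "death_date"):
        if out.get(field) is not None:  # (C): year only for event dates
            out[field] = str(out[field].year)
    return out

SAMPLE = {  # constructed test record, not real patient data
    "name": "Jane Example", "street": "1 Main St", "city": "Cleveland",
    "zip": "44101", "birth_date": date(1930, 5, 4), "mrn": "MRN-0001",
    "admission_date": date(2023, 3, 15), "diagnosis": "hypertension",
}
```

Passing the Safe Harbor check still requires item (ii) above: the covered entity must have no actual knowledge that the remaining fields could re-identify the individual.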

Attest you understand this information
