Healthcare data breaches are sadly a regular occurrence in the industry, and there is no indication that the trend will slow down. With cybersecurity threats such as ransomware and malware becoming a popular choice for cyber criminals seeking access to valuable data, such as protected health information (PHI), covered entities must have comprehensive healthcare data security measures in place.
But why is PHI so valuable and frequently sought out by malicious third parties?
Health information is more valuable than just credit card information or financial data alone. A cyber criminal could sell the records on the black market – or increasingly popular Dark Web – for more money than a Social Security number.
With such medical information in hand, individuals could get access to prescription medication, receive medical care, and also have access to someone’s financial data.
The HIPAA Privacy Rule requires entities to protect all individually identifiable health information. In addition to demographic data, PHI includes all records or data on the following, according to HHS:
- The individual’s past, present or future physical or mental health or condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual
For example, PHI can include an individual’s diagnoses, name of the physician who provided treatment, and types of prescribed medications.
The Privacy Rule is meant to strike the right balance between protecting patient PHI and still allowing the flow of health information, according to HHS. This will “provide and promote high quality health care and to protect the public's health and well being,” officials say.
“The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing,” the Privacy Rule summary explains. “Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.”
Understanding what PHI includes, and why securing this data is so important will help organizations ensure that they take the necessary steps to keep it secure.
Moving from PHI security to ePHI security
Legal health records have been slowly migrating to digital formats as technology continues to evolve. Healthcare organizations are implementing electronic health records (EHRs), and need to ensure that they have strong cybersecurity measures to keep data secure in all formats.
The American Health Information Management Association (AHIMA) released guidance on the definition of a legal health record in 2011 as patient records began to make the shift to digital.
"The legal health record is the documentation of healthcare services provided to an individual during any aspect of healthcare delivery in any type of healthcare organization," AHIMA said. "An organization's legal health record definition must explicitly identify the sources, medium, and location of the individually identifiable data that it includes (i.e., the data collected and directly used in documenting healthcare or health status)."
"The documentation that comprises the legal health record may physically exist in separate and multiple paper-based or electronic systems."
The definition of PHI includes the form of the data. The use of the phrase electronic PHI (ePHI) has become more popular with the rise of digital information.
“An EHR alters the mix of security needed to keep patient health information secure, and it brings new responsibilities for safeguarding your patients’ health information in an electronic form,” the Office of the National Coordinator (ONC) states on its website.
“The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of ePHI,” ONC continued. “These safeguards, when applied well, can help you avoid some of the common security gaps that lead to cyber attack or data loss. They can protect the people, information, technology, and facilities that you may depend on to carry out your primary mission: helping your patients.”
With paper records, organizations had to ensure that file cabinets remained locked. For electronic media, technical safeguards such as firewalls, anti-virus software, and data encryption are essential tools for keeping data secure.
How HIPAA defines a PHI data breach
A PHI data breach does not necessarily occur every time a covered entity or business associate experiences a data security incident. HHS requires organizations to conduct a risk assessment to determine the probability that PHI was, in fact, compromised.
The nature and extent of the PHI involved must first be determined, according to HHS. This is also the step where entities need to find the types of identifiers involved and the likelihood that the data could be matched back to the identities of individuals.
Following that, organizations must pinpoint the unauthorized individual who accessed the PHI. For example, a hospital would need to determine which employee received or viewed the data, and whether that individual was authorized or not.
HHS also requires entities to determine if the PHI was actually acquired or viewed, as well as the extent to which the risk to the PHI has been mitigated.
“Covered entities and business associates must only provide the required notifications if the breach involved unsecured protected health information,” HHS explains on its website. “Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.”
There are also three notable exceptions to a “breach,” per HHS regulations.
“The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority,” HHS says.
Second, inadvertent PHI disclosure between authorized individuals may not be considered a PHI data breach. For example, if a physician who is authorized to access PHI inadvertently discloses the data to a hospital that is authorized to access PHI from her facility, an investigation may not be necessary. The HIPAA Privacy Rule states that the data cannot be further used or disclosed in a manner that it does not permit.
“The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information,” according to HHS.
Understanding patient PHI access
HIPAA violation concerns can also lead to confusion over patient data access, even hindering patients from being able to access and view their own PHI.
Patients have a right to access and obtain copies of their health information for their own purposes. A HIPAA covered entity can refuse access only in very limited circumstances.
“Health care providers often tell ONC and OCR that HIPAA makes it difficult to share electronic health information,” ONC explained in a 2016 report. “While erroneous, this misconception about HIPAA is widespread and unfortunate in that it places a needless burden on individuals.”
This data can include a variety of information, such as laboratory results, images, prescription history, physician notes, diagnoses, and similar information.
Under HIPAA, patients also have the right to access an electronic copy of their health information contained in an EHR or otherwise maintained in an electronic format. This is the case “whenever an electronic copy is readily producible by the provider or its business associate, not just if they are willing to produce such information,” according to HHS.
ONC stated that when individuals understand the scope of their rights and are able to access their own information, overall patient care will benefit.
“When individuals get, review, use and share copies of their health information, they are better able to monitor chronic conditions, make sure that their health information is accurate, and share their information with others ensuring that their health information is available at the right place and at the right time,” ONC stated.
ONC added that individuals “have a nearly absolute right to a copy of their own health records” and the costs for access are limited by federal regulation, although covered entities may charge certain permissible fees when patients request copies of their health information.
“Charging a flat fee not to exceed $6.50 per request is therefore an option available to entities that do not want to go through the process of calculating actual or average allowable costs for requests for electronic copies of PHI maintained electronically,” HHS stated in clarification released in 2016.
Covered entities can estimate the average allowable cost for processing patient requests or maintain a schedule for typical allowable labor costs.
Under HIPAA, allowable costs are the charges associated with copying PHI, such as paper supplies, toner, electronic media, labor for creating an explanation of health information, and postage. Patients can also be charged for tasks including photocopying paper records, scanning PHI into electronic format, converting the format of PHI, transferring data to a web-based portal, or mailing and emailing data.
Covered entities are also allowed to vary the price of obtaining personal health records for uncommon requests.
“In these cases, the entity may wish to calculate actual costs to provide the requested copy, and it may do so as long as the costs are reasonable and only of the type permitted by the Privacy Rule,” HHS explained. “An entity that chooses to calculate actual costs in these circumstances still must—as in other cases—inform the individual in advance of the approximate fee that may be charged for providing the copy requested.”
HHS also noted that individuals may need more access to their own health information to improve patient-centered care. The push toward value-based care will also likely require patients to seek additional access to their own data.
“HIPAA’s right of access is critical to enabling individuals to take ownership of their health and well-being – but this core right is rendered meaningless when individuals cannot afford to pay the fees,” previous OCR Director Jocelyn Samuels wrote in a blog post.
“Today’s clarification moves us toward the health care ecosystem of the future, where the individual is at the center of his or her care and seamless communication of relevant health information takes place among patients, their families, and their health care providers.”