The HIPAA Privacy Rule was established as a set of national standards to ensure that patient privacy and health information are continuously safeguarded. HIPAA standards ensure that all covered entities treat personally identifiable information (PII) as protected health information (PHI) while providing top patient care. HIPAA has become even more important today due to the range of data it must protect, both physical and electronic. Understanding PII vs PHI, as well as their overlap, is the first necessary step to take when implementing security measures to protect patient privacy and identity.
PII is a general term referring to ANY sensitive data used to identify, contact, or locate a specific individual. It is not a term specific to HIPAA regulations. This includes common identifiers such as full name, date of birth, street or email address, and biometric data.
Other identifiers are regarded as PII only when combined with further information: unless the first identifier is unique enough on its own, identifying an individual usually requires a second or third identifier.
Currently, there is no single entity that oversees PII protection. Rather, a patchwork of different laws regulates PII at the federal level (e.g., COPPA, FCRA, FERPA, GLBA, and the HIPAA Privacy Act), as well as at the state, city, and industry level.
PHI is defined and governed by HIPAA regulations. It refers to PII that covered entities use or store during the course of patient care, and it may be shared only for medical purposes. However, HIPAA does not confine PHI to medical records and test results. PHI is any information that doctors use and/or disclose during the course of care that can identify a patient. Even if that information does not reveal a patient's medical history, it is still considered PHI when linked to someone's health condition. For example, a patient's name or email address alone can be considered PHI if it is in any way associated with a healthcare provider.
HIPAA rules protect all individually identifiable health information stored or transmitted by health organizations.
Under HIPAA, organizations must limit and secure access to PHI within and from covered entities (and their business associates) at all times, i.e., whenever it is used, stored, transmitted, removed, disposed of, or reused.
For example, the HIPAA "minimum necessary standard" restricts the amount and type of information shareable in patient care to the minimum necessary to achieve a stated purpose. HIPAA also addresses advancing technologies and electronic patient data through the HIPAA Security Rule and the HITECH Act. Violations, or failures to report a breach, can be penalized heavily.
Having a HIPAA compliant data protection strategy ensures effective patient care while healthcare providers remain diligent about cybersecurity and breach reporting.
Consider purging or de-identifying PII that is no longer needed. Any remaining PII must be stored securely and, if transmitted to a patient or another health professional, sent encrypted and with permission. This also means making sure that every business associate follows HIPAA best practices in protecting any PII or PHI it touches.

By law, the HIPAA Privacy Rule applies only to covered entities, which are typically health plans, health care clearinghouses, and certain health care providers. That is why signing a business associate agreement (BAA) is essential. A BAA is a written contract between a covered entity and a business associate that requires the business associate to follow 10 provisions to maintain compliance and to keep PHI protected.

Finally, employee awareness training is essential: employees must understand not only what constitutes PII/PHI but also what they need to do to safeguard it. A strong HIPAA compliant cybersecurity program keeps patients and their personal information, as well as the health organization itself, safe and secure from cyberattacks.
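The de-identification step above is easiest to see on a concrete record. The following Python is an added example written for this article, not code from the article's author or from any HIPAA guidance: it drops the direct identifiers the article names (name, street and email address, biometric data), generalizes the date of birth to an age band so the record stays useful for care or analysis, and replaces the internal patient ID with a keyed HMAC pseudonym so the covered entity can still link records while a recipient without the key cannot reverse them. The field names, the sample record, the HMAC scheme and the ten-year age bands are all assumptions chosen for illustration; a real program would map its own schema onto the identifiers its legal team has designated.

```python
"""De-identify a patient record before archiving or sharing it.

Added example for this article (not the article's or HIPAA's own code).
Field names, the sample record, the age-band width and the HMAC
pseudonym scheme are illustrative assumptions.
"""
import hashlib
import hmac
from datetime import date
from typing import Optional

# Direct identifiers named in the article: removed outright.
DIRECT_IDENTIFIERS = {"full_name", "street_address", "email", "biometric_template"}

# Identifiers that are generalised rather than dropped (exact DOB -> age band).
GENERALISED = {"date_of_birth"}

# Constructed sample record; every value here is made up.
SAMPLE_RECORD = {
    "patient_id": "MRN-000123",
    "full_name": "Jane Example",
    "date_of_birth": "1979-04-12",
    "email": "jane@example.org",
    "street_address": "1 Example Street",
    "biometric_template": "base64-fingerprint-placeholder",
    "diagnosis_code": "E11.9",
    "hba1c": 7.2,
}


def age_band(dob: date, today: date) -> str:
    """Collapse an exact birth date into a ten-year band such as '40-49'."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def pseudonym(record_id: str, key: bytes) -> str:
    """Keyed one-way token: stable for the key holder, not reversible without it."""
    return hmac.new(key, record_id.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(record: dict, key: bytes, today: Optional[str] = None) -> dict:
    """Return a copy of `record` with direct identifiers removed, the date of
    birth generalised to an age band and the patient ID pseudonymised.
    `today` is an ISO date string (defaults to the current date)."""
    ref = date.fromisoformat(today) if today else date.today()
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # drop name, address, email, biometrics
        if field == "date_of_birth":
            out["age_band"] = age_band(date.fromisoformat(value), ref)
        elif field == "patient_id":
            out["pseudonym"] = pseudonym(value, key)
        else:
            out[field] = value  # clinical fields are kept as-is
    return out


def leaked_identifiers(record: dict) -> set:
    """Check helper: return any identifier fields still present in a record."""
    return (DIRECT_IDENTIFIERS | GENERALISED) & set(record)


if __name__ == "__main__":
    # The key would come from a secrets store in practice; this one is a placeholder.
    clean = deidentify(SAMPLE_RECORD, key=b"placeholder-linkage-key", today="2024-06-01")
    print(clean)
    print("remaining identifiers:", leaked_identifiers(clean) or "none")
```

The `leaked_identifiers` check is the part worth keeping in a real pipeline: run it on every record after de-identification and fail the export if the set is non-empty, so a schema change that adds a new identifying column cannot silently leak it.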