The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule uses the term protected health information (PHI) to define the kind of patient information the law protects, so knowing what falls under it is central to HIPAA compliance. But what is PHI? It isn't confined to medical records and test results. Any information that can identify a patient and is created, used or disclosed in the course of care is PHI. An identifier such as a name, address or phone number is still PHI when it is held together with health information, even though by itself it reveals nothing about the patient's medical history. Understanding what counts as PHI under HIPAA matters for every provider, because violations can result in substantial fines.
There are also other, more obvious types of identifiable health information used in the course of a health care service, such as:
Any information that can reasonably be used to identify an individual and is used in the course of care is PHI. The protection attaches to the combination of identifiers and health information held by a covered entity or its business associate, not to the medical content alone.
This is especially important for healthcare organizations, researchers and vendors who collect data for reports, studies and applications. For these purposes, data can be de-identified so that it can no longer be used to identify a patient, and the U.S. Department of Health and Human Services (HHS), which administers HIPAA, publishes guidance on how to de-identify patient data. De-identification happens every day in clinical trials and in the growing consumer health industry. In fact, many consumer health apps do not need to be HIPAA compliant at all, because they are neither covered entities nor business associates handling data on behalf of one for patient care.
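To make the de-identification step concrete, here is an added example (not code from the original article or from Paubox) that applies the two operations the HHS Safe Harbor method consists of: removing direct identifiers outright, and generalizing quasi-identifiers (dates to the year, ZIP codes to a three-digit prefix, ages over 89 to a single "90+" bucket). The field names, the sample record and the `deidentify` function are constructed for this example; the restricted ZIP prefix list is the one HHS published from 2000 census data and should be checked against current guidance before use.

```python
"""Safe Harbor style de-identification of a single patient record.

Added example; field names and the sample record are constructed.
"""
from datetime import date
import re

# Fields removed outright: names, contact details and any number that
# identifies the person or their plan, account, device or vehicle.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}

# Dates directly related to the individual: only the year may be kept.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes covering 20,000 or fewer people must become "000".
# List as published by HHS from 2000 census data (assumption: verify against
# the current HHS guidance before relying on it).
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

AGE_CAP = 89  # ages above this are aggregated into "90+"


def generalize_zip(zip_code):
    """First three digits of a ZIP code, or "000" for sparse prefixes."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(birth_date, today):
    """Whole years between birth_date and today."""
    had_birthday = (today.month, today.day) >= (birth_date.month, birth_date.day)
    return today.year - birth_date.year - (0 if had_birthday else 1)


def deidentify(record, today):
    """Return a new dict with direct identifiers dropped and quasi-identifiers
    generalized. `today` is a parameter so results are reproducible."""
    out = {}
    birth = record.get("birth_date")
    over_cap = birth is not None and age_on(birth, today) > AGE_CAP
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # dropped entirely
        if field in DATE_FIELDS:
            if value is None:
                continue
            # For the 90+ group even the birth year is indicative of age.
            if field == "birth_date" and over_cap:
                continue
            out[field + "_year"] = value.year
        elif field == "zip_code":
            out["zip3"] = generalize_zip(value)
        elif field == "age":
            out["age"] = "90+" if value > AGE_CAP else str(value)
        else:
            out[field] = value  # clinical content is kept as-is
    if over_cap:
        out["age"] = "90+"  # derived from birth_date when no age field exists
    return out


# Constructed sample records (fictional patients) and a fixed reference date.
SAMPLE_TODAY = date(2024, 1, 1)
ELDERLY_RECORD = {
    "name": "Jane Q. Sample", "ssn": "123-45-6789", "mrn": "MRN-0001",
    "email": "jane@example.com", "birth_date": date(1930, 5, 12),
    "admission_date": date(2023, 3, 1), "zip_code": "10001-2345",
    "diagnosis_code": "E11.9", "attending_department": "Endocrinology",
}
YOUNGER_RECORD = {
    "name": "John Sample", "phone": "555-0100", "birth_date": date(1980, 5, 12),
    "discharge_date": date(2023, 3, 4), "zip_code": "03601",
    "diagnosis_code": "J45.909",
}


def demo_elderly():
    return deidentify(ELDERLY_RECORD, SAMPLE_TODAY)


def demo_younger():
    return deidentify(YOUNGER_RECORD, SAMPLE_TODAY)


if __name__ == "__main__":
    print(demo_elderly())
    print(demo_younger())
```

Note that Safe Harbor also requires removing identifiers embedded in free text (clinical notes, for instance), which a field-level pass like this does not address; that is one reason the Expert Determination route exists.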
Under the HIPAA Privacy Rule, PHI must be protected in every medium: electronic, paper and oral. (The common acronym ePHI stands for "electronic protected health information.") Covered entities such as doctors' offices, hospitals, health plans and health care clearinghouses are all adopting technology to streamline their processes and improve public health and patient care, which leaves ePHI increasingly exposed to cyberattacks such as the recent rise of ransomware. The HIPAA Security Rule sets national standards for protecting the ePHI that covered entities create, receive, maintain or transmit, including requirements for administrative, physical and technical safeguards.

While covered entities must ensure their own administrative and physical safeguards, Paubox provides technical safeguards for providers when they communicate electronically. Paubox makes HIPAA compliant email easy for everyone to use and requires no extra steps from the sender or the recipient. Paubox Suite lets patients and medical professionals exchange PHI securely from their existing work email accounts. Senders compose and send email as they normally would and still get HIPAA compliant encryption: no extra clicks, no keywords to type, no portal to log in to. The experience is just as seamless for recipients, who do not have to download software, create an account or use a portal to view encrypted email or attachments. Paubox also offers the Paubox Email API, which lets healthcare providers, IT consultants and developers integrate the same secure email delivery into their own IT infrastructure.