What are HIPAA's PHI Data Elements?
If you handle patient data in the US, be sure you're not exposing these PHI data elements anywhere in your organization.
TL;DR
Every business has a legal and moral duty to protect its customers' privacy. This is doubly true if you handle patient data. In this post, I'll review the HIPAA guidelines in the United States, including HIPAA's 18 protected PHI data elements. I'll also discuss how to redact them to keep patient data safe across your organization.
The United States Health Insurance Portability and Accountability Act of 1996, or HIPAA, protects patient privacy in the United States.
HIPAA's Privacy Rule gives patients rights over their health information and limits how the organizations that hold it may use and disclose it, while still allowing the flow of information needed to deliver and pay for care.
The Privacy Rule binds "covered entities" (health care providers, health plans, and health care clearinghouses) and their "business associates" (vendors that handle patient data on their behalf, e.g., claims processing or data analysis).
Protected health information, or PHI, is individually identifiable health information that a covered entity or business associate creates, receives, stores, or transmits. It covers medical history, test results, treatment and billing records, and the demographic details and identifiers attached to them.
Healthcare providers use PHI to track a patient's medical history across multiple providers. Researchers may also use anonymized versions of patient data to study healthcare trends or further the development of new drugs and procedures.
PHI is different from Personally Identifiable Information (PII), which is any information that can be directly or indirectly linked to an individual. PHI is the subset of PII that relates to a person's health, care, or payment for care.
HIPAA's Privacy Rule - specifically, 45 CFR § 164.514(b) - defines the de-identification standard. Its "Safe Harbor" method lists 18 types of identifiers of the patient (and of the patient's relatives, employers, and household members) that must be removed before data counts as de-identified; the entity must also have no actual knowledge that the remaining data could identify the individual. Any record that still carries one of these 18 data elements is PHI and must be protected from unauthorized access.
The 18 PHI data elements are:
Additionally, the HIPAA Privacy Rule also guards against re-identification. If you assign a code to an individual and an unauthorized party could use it to recover that individual's PHI, the data is not de-identified and exposing it is a violation. § 164.514(c) allows a re-identification code only if it is not derived from information about the individual (a plain hash of a Social Security number does not qualify) and the mechanism for re-identification is not disclosed.
The US Department of Health and Human Services (HHS) Office for Civil Rights and state attorneys general can levy penalties for HIPAA Privacy Rule violations. The penalties aren't light, either.
There are four tiers of HIPAA violation:
Each tier has its own penalty range, but the per-violation maximum in every tier is above USD 50,000. (The exact amounts are adjusted for inflation and rise year over year.)
Federal penalties for violations of the same provision in a calendar year are capped at around USD 2 million. State attorneys general can issue separate fines on top of that.
Additionally, knowingly obtaining or disclosing PHI in violation of HIPAA can incur criminal penalties. The harshest tier - up to 10 years in prison - is reserved for doing so with intent to sell the PHI data elements or use them for commercial advantage, personal gain, or malicious harm.
PHI data elements are often exposed through massive data breaches. And it can happen innocently enough. BayCare Clinic LLP accidentally leaked PHI of up to 134,000 patients when its partner included a tracking pixel in its Web pages.
However, PHI can also be exposed through everyday workplace productivity tools. An employee at Atrium Health exposed PHI after responding to a phishing email with his account credentials.
Leaks can also occur when patients and providers become sloppy about sharing information. For example, providers may email patient data among themselves and other providers, or patients may send sensitive information - such as their Social Security numbers - over channels like email.
That's why redacting data in tools like Slack, Google Workspace, and Office 365 is critical to complying with the HIPAA Privacy Rule. Redaction detects sensitive data elements and removes them from emails, documents, chats, customer service records, and server logs before unauthorized individuals can access them. Note that the check has to run where the data lands (the ticket, the chat message, the log line), not only where it was meant to be entered.
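As an added illustration of what such a redactor actually does (this is example code written for this post, not Strac's product or any HIPAA reference implementation), the block below scans a constructed support-ticket message for the Safe Harbor identifiers that have a recognizable shape: SSNs, email addresses, phone numbers, IP addresses, medical record numbers, and dates. The `MRN0048213` format is an assumption; every organization's MRN scheme differs. Dates are reduced to their year rather than deleted, because Safe Harbor lets the year stand. Names and street addresses have no regular shape and are deliberately left alone here; a production redactor needs a dictionary or named-entity model for those, which is exactly why "Jane Doe" survives in the output.

```python
import re
from collections import Counter

# Constructed sample input: a fabricated support-ticket message, not real data.
SAMPLE_TICKET = (
    "Hi, this is Jane Doe (DOB 07/12/1981). My SSN is 123-45-6789 and my "
    "MRN is MRN0048213. Please call (555) 123-4567 or email "
    "jane.doe@example.com about the 2024-03-11 visit. Sent from 203.0.113.45"
)

# Regex detectors for Safe Harbor identifiers that have a recognisable shape.
# Names and addresses need a dictionary or NER model and are not attempted
# here. The MRN format (literal "MRN" plus 6+ digits) is an assumption.
PATTERNS = [
    ("SSN",   re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("PHONE", re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]\d{4}(?!\d)")),
    ("IP",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("MRN",   re.compile(r"\bMRN\d{6,}\b")),
]

# Safe Harbor allows the year to remain, so dates become [DATE:YYYY]
# instead of disappearing. ISO (YYYY-MM-DD) and US (MM/DD/YYYY) forms.
DATE_RE = re.compile(
    r"\b(?:(?P<iso_y>\d{4})-\d{2}-\d{2}|\d{1,2}/\d{1,2}/(?P<us_y>\d{4}))\b"
)


def redact(text: str):
    """Return (redacted_text, counts); counts maps identifier type to hits."""
    counts = Counter()
    for label, pattern in PATTERNS:
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] += n

    def keep_year(m: re.Match) -> str:
        counts["DATE"] += 1
        return f"[DATE:{m.group('iso_y') or m.group('us_y')}]"

    text = DATE_RE.sub(keep_year, text)
    return text, dict(counts)


if __name__ == "__main__":
    redacted, hits = redact(SAMPLE_TICKET)
    print(redacted)
    print(hits)
```

The patterns run in a fixed order and use digit look-arounds rather than plain `\b` so that an SSN is not half-consumed by the phone matcher and a date is not mistaken for an IP address. The returned hit counts are what you would feed into a DLP alert or a per-channel metric; the redacted text is what should be written back to the ticket, chat, or log store.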
Few organizations have the time or resources to implement their own custom redaction strategy. That's why Strac supports automated redaction across numerous business productivity applications (SaaS apps like Gmail, Office 365, Slack, Zendesk, Intercom, Salesforce, Notion, Google Drive, One Drive, Sharepoint, AWS CloudWatch logs, AWS Database Services, and more). Ask us for a demo today!
Similarly, if you collect PHI in your web apps and store it on your web servers, you may want to consider tokenizing the sensitive data: the application keeps a token that carries no information about the value, and only a separate, access-controlled vault can map it back. Check out our related blog post on why you should tokenize sensitive data on your web app/servers.
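The following block is an added example (written for this post, not Strac's tokenization service or any vault product) that ties the tokenization advice above to the re-identification caveat earlier in the post. It first shows the anti-pattern: an unkeyed SHA-256 of an SSN looks opaque but is derived from the SSN itself, so it is brute-forceable and would not qualify as a § 164.514(c) re-identification code. It then shows a minimal in-memory vault that issues random tokens, uses a keyed hash (HMAC with a secret only the vault holds) purely as an internal index so the same SSN maps to the same token, and gates detokenization on a caller role. The `TokenVault` class, the `billing` role, and the `tok_` prefix are assumptions for the demo; a real vault would be a separate service with encrypted storage and audited lookups.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def weak_token(ssn: str) -> str:
    """Anti-pattern: an unkeyed hash is derived from the SSN itself. Anyone
    holding the hash can enumerate the ~1e9 possible SSNs and recover it."""
    return hashlib.sha256(ssn.encode()).hexdigest()


def brute_force_weak_token(target: str, prefix: str = "123-45-") -> Optional[str]:
    """Demonstrate the weakness by searching the last four digits, given the
    rest. The search is narrowed to 10,000 candidates so the demo runs in
    milliseconds; the full space is only ~1e9, which is hours on one core."""
    for i in range(10_000):
        candidate = f"{prefix}{i:04d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == target:
            return candidate
    return None


class TokenVault:
    """Hypothetical in-memory stand-in for a real tokenization service.

    Tokens are random, so they carry no information about the value; the
    only way back is an authorized detokenize() call on the vault."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key          # secret held only by the vault
        self._token_to_value: dict[str, str] = {}   # encrypted at rest in a real vault
        self._index_to_token: dict[str, str] = {}

    def _index(self, value: str) -> str:
        # Keyed hash lets the vault find an existing token for the same value
        # without keeping the plaintext as a lookup key. Without index_key the
        # index cannot be computed from the value, unlike weak_token().
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        idx = self._index(value)
        if idx in self._index_to_token:
            return self._index_to_token[idx]
        token = "tok_" + secrets.token_urlsafe(16)   # 128 random bits
        self._token_to_value[token] = value
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # A real vault authorizes the caller and audit-logs every lookup here.
        if caller_role != "billing":
            raise PermissionError("role not authorized to detokenize")
        return self._token_to_value[token]


def store_patient_record(vault: TokenVault, name: str, ssn: str) -> dict:
    """What the web app persists: the token, never the SSN."""
    return {"name": name, "ssn_token": vault.tokenize(ssn)}


if __name__ == "__main__":
    # Constructed demo values, not real patient data.
    ssn = "123-45-6789"
    print("weak token recovered as:", brute_force_weak_token(weak_token(ssn)))

    vault = TokenVault(index_key=secrets.token_bytes(32))
    record = store_patient_record(vault, "Jane Doe", ssn)
    print("stored record:", record)
    print("billing lookup:", vault.detokenize(record["ssn_token"], "billing"))
```

Two properties matter when you review a tokenization design against the Privacy Rule: the token must not be computable from the value by anyone outside the vault (the HMAC key, not the hash function, provides that), and the vault's detokenize path, not the application's database, is where access control and audit logging have to live.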
If you have any questions or want to learn how you can make your app HIPAA-compliant, please book a meeting with us.