What is Considered PHI under HIPAA?

Any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity is considered PHI under HIPAA.

A HIPAA-covered entity is a healthcare provider, a health plan or health insurance firm, or a healthcare clearinghouse – or a business associate of a HIPAA-covered entity – in relation to the provision of healthcare or payment for healthcare services.

It is not only past and current health information that is considered PHI under HIPAA Regulations, but also future information about medical conditions or physical and mental health associated with the provision of care or payment for treatment. PHI is health information in any form, including physical records, electronic records, and spoken information.

PHI therefore includes health records, health histories, lab test results, and medical bills. Essentially, all health information is PHI when it carries individual identifiers. Demographic information is also PHI under HIPAA Rules, as are many common identifiers such as patient names, Social Security numbers, driver’s license numbers, insurance details, and dates of birth, when they are connected with health information.

The 18 identifiers that make health information PHI include:

One or more of these identifiers turns health information into PHI, and the HIPAA Privacy Rule’s restrictions, which control uses and disclosures of the information, then apply. HIPAA-covered entities and their business associates must also ensure that appropriate technical, physical, and administrative safeguards are in place to protect the confidentiality, integrity, and availability of PHI, as stipulated in the HIPAA Security Rule.

When is PHI not Considered PHI?

A common mistake is to assume that all health information is PHI under HIPAA; there are exceptions.

First, it depends on who captures the information. A good example is health trackers – physical devices worn on the body or apps on mobile phones. These devices can record health information such as heart rate or blood pressure, which would be PHI under HIPAA Rules if the information were captured by a healthcare provider or used by a health plan.

However, HIPAA only governs HIPAA-covered entities and their business associates, so if the device manufacturer or app developer has not been engaged by a HIPAA-covered entity and is not its business associate, the information recorded would not be PHI under HIPAA.

The same applies to education and employment records. A hospital may hold data on its employees that includes some health data – allergies or blood type, for example – but HIPAA does not apply to employment or education records.

Under HIPAA, PHI is no longer PHI if all identifiers that can tie the information to an individual are removed. Once the above identifiers are deleted, the health information is considered de-identified, and HIPAA Rules no longer govern it.

Is WhatsApp HIPAA Compliant?

When WhatsApp announced that it was introducing end-to-end encryption, it opened up the potential for healthcare organizations to use the service as a practically free secure messaging app. But is WhatsApp HIPAA compliant?

Many healthcare workers have sought an answer to the question of whether WhatsApp is HIPAA compliant, and some are already using the messaging app to share protected health information (PHI).

However, while WhatsApp provides much more security than SMS and some other text messaging platforms, we are of the opinion that WhatsApp is not HIPAA compliant.

Why is WhatsApp not HIPAA Compliant?

First, it should be remembered that no software platform or messaging app can be 100% HIPAA compliant, because HIPAA compliance is not concerned with software; it is concerned with users. Software can support HIPAA compliance and incorporate all the required safeguards to ensure the confidentiality, integrity, and availability of ePHI, but those controls can easily be disregarded by users.

HIPAA does not mandate encryption: if a different, equivalent measure is used in its place, encryption is not required. Since WhatsApp now provides end-to-end encryption, this aspect of HIPAA is satisfied.

HIPAA also requires access controls to be implemented – see 45 CFR § 164.312(a)(1). This is one area where WhatsApp cannot be considered HIPAA compliant. If WhatsApp is installed on a smartphone, anyone with access to that smartphone can read the messages in the user’s WhatsApp account without providing a username or password. That means any ePHI in saved conversations would be viewable. Additional security controls can be installed on a smartphone to authenticate users before the device can be used, but even with those controls in place, notifications about new messages can often be read without opening the app or unlocking the device.

HIPAA also requires audit controls – see 45 CFR § 164.312(b). This is another area where WhatsApp is not HIPAA compliant. Messages and attachments are stored on the device itself, where they can easily be erased, and WhatsApp does not keep a record of messages that have been sent. That means all data in the account would need to be backed up and retained. At present, if you switch phones, your account is preserved but your messages are not restored.

Then there is the question of what happens to ePHI in a WhatsApp account on a personal device when the user leaves the organization. Controls would be needed to ensure that all messages containing ePHI are permanently deleted. That would be a logistical headache for any covered entity, as it could not be done remotely, locating the messages would be next to impossible, and users would likely object to their WhatsApp account being made unavailable.

There has been some discussion about whether a business associate agreement would need to be signed with WhatsApp. As all data sent through WhatsApp is transmitted via an encrypted tunnel, WhatsApp could be regarded as a mere conduit for information, in which case a business associate agreement would not be required. Some companies that provide messaging services hold the key to decrypt data sent in encrypted messages, and will comply with law enforcement requests and share information if they are served with a subpoena, court order, or search warrant.

While WhatsApp will comply with such requests, its terms and conditions state that access to the content of messages will not be given to law enforcement, only basic account details. WhatsApp says the information that would be shared “May include “about” information, profile photos, group information, and address book, if available. WhatsApp does not store messages once they are shared or transaction logs of such delivered messages, and unsent messages are removed from our servers after 30 days.” However, it is not known whether WhatsApp holds a key that can unlock the encryption and whether messages could therefore be accessed. Were that the case, a business associate agreement would likely be necessary.

So, in our opinion, WhatsApp in its current form is not HIPAA compliant. As far as WhatsApp and HIPAA compliance are concerned, the service cannot be used to send ePHI without potentially violating HIPAA Rules.

What is a HIPAA Violation?

The Health Insurance Portability and Accountability Act of 1996 was enacted to simplify the administration of healthcare, cut waste, reduce healthcare fraud, and ensure that employees could maintain healthcare coverage when moving between jobs.

There have been a number of major updates to HIPAA since it was enacted. These were made to improve privacy protections for patients and health plan members and to keep healthcare data safeguarded and patient privacy secure. Those amendments are known as the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and HIPAA Breach Notification Rule.

A HIPAA violation is a failure to comply with any of the HIPAA standards and provisions detailed in 45 CFR Parts 160, 162, and 164.

The HIPAA regulations run to 115 pages in total and contain many provisions. There are countless ways HIPAA Rules can be violated, but the most common HIPAA violations include:

  • Impermissible disclosure of protected health information (PHI)
  • Unauthorized viewing of PHI
  • Improper destruction of PHI
  • Failure to conduct a risk analysis
  • Failure to manage risks to the confidentiality, integrity, and availability of PHI
  • Failure to have safeguards in place to ensure the confidentiality, integrity, and availability of PHI
  • Failure to properly maintain and monitor PHI access logs
  • No HIPAA-compliant business associate agreement in place with vendors before allowing them access to PHI
  • Copies of PHI not being given to patients on request
  • Not limiting who can view PHI using proper controls
  • Not disabling access rights to PHI when they are no longer required
  • Disclosing more PHI than is required to complete a particular task
  • Failure to provide adequate HIPAA training and security awareness training
  • Allowing patient records to be stolen
  • Disclosure of PHI to individuals not authorized to receive the data
  • Sharing PHI online or via social media without proper authorization
  • Mishandling and mismanagement of PHI
  • Texting PHI in any way
  • Not encrypting PHI, or using a different, equivalent measure, to prevent unauthorized access or disclosure
  • Not notifying affected individuals (or the Office for Civil Rights) of a security incident involving PHI within 60 days of the discovery of a breach
  • Failure to document compliance efforts

How are HIPAA Violations Uncovered?

Many HIPAA violations are first noticed by HIPAA-covered entities during internal audits. Supervisors may identify employees who have violated HIPAA Rules, and employees often self-report HIPAA violations and potential violations by colleagues.

The HHS’ Office for Civil Rights (OCR) is the main enforcer of HIPAA Rules and investigates complaints of HIPAA violations made by healthcare workers, patients, and health plan members. OCR also reviews all covered entities that report breaches of more than 500 records and investigates a number of smaller breaches. OCR also audits HIPAA-covered entities and business associates from time to time.

State Attorneys General may also initiate investigations into breaches. Investigations are often prompted by complaints about possible HIPAA violations and by reports of breaches of patient records.

What are the Official Penalties for Violations of HIPAA Legislation?

The penalties for violations of HIPAA legislation can be high. State Attorneys General can impose fines of up to $25,000 per violation category, per calendar year. OCR can impose financial penalties of up to $1.5 million per violation category, per year. Multi-million-dollar fines are imposed from time to time.

Sanctions for individuals who violate HIPAA Rules, including criminal penalties, may also be applied. A prison sentence for violating HIPAA is a possibility, with some violations carrying a penalty of up to 10 years.

What is the Purpose of HIPAA?

The Health Insurance Portability and Accountability Act – or HIPAA, as it is usually called – is a landmark piece of legislation affecting U.S. healthcare. But what is the purpose of HIPAA?

HIPAA was originally passed in 1996, under the Clinton administration, to ensure that employees would continue to receive health insurance coverage when they were between jobs. The legislation also required healthcare organizations to implement controls to secure patient data and prevent healthcare fraud, although it took a number of years for the rules for doing so to be devised.

HIPAA also introduced many new standards intended to improve efficiency in the healthcare industry, requiring healthcare organizations to adopt them in order to reduce paperwork. Code sets had to be used along with patient identifiers, which paved the way for the simpler transfer of healthcare data between healthcare organizations and insurers, streamlining eligibility checks, billing, payments, and other healthcare operations.

HIPAA also prohibits the tax deduction of interest on life insurance loans, enforces group health insurance requirements, and regulates the amount that may be saved in a pre-tax medical savings account.

HIPAA incorporates the requirements of a number of other legislative acts, including the Public Health Service Act, Employee Retirement Income Security Act, and more recently, the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Health Data Privacy and Security

HIPAA is now best known for safeguarding the privacy of patients and ensuring patient data is appropriately secured, requirements introduced with the HIPAA Privacy Rule of 2000 and the HIPAA Security Rule of 2003. The requirement to notify individuals of a breach of their health information was introduced in the Breach Notification Rule in 2009.

The aim of the HIPAA Privacy Rule was to limit the permitted uses and disclosures of protected health information, stipulating when, with whom, and under what circumstances health information could be shared. Another chief purpose of the HIPAA Privacy Rule was to give patients access to their health data when they want it. The purpose of the HIPAA Security Rule is mainly to ensure that electronic health data is properly secured, that access to it is controlled, and that an auditable trail of PHI activity is kept.

What is Considered PHI under HIPAA?

PHI is data that is protected by the legislation known as HIPAA. It includes all health information that can be linked to an individual, which under HIPAA means health information that carries one or more of the 18 identifiers listed below.

PHI only refers to data held on patients or health plan members. It does not refer to information in educational or employment records, such as health information held by a HIPAA-covered entity in its capacity as an employer.

Information is only PHI when an individual could be identified from it. If all identifiers are removed from health data, it is no longer considered protected health information, and the HIPAA Privacy Rule’s restrictions on uses and disclosures no longer apply.

If one or more of these 18 identifiers are stripped away, the information is no longer considered PHI.

How Must HIPAA Protected Health Information be Safeguarded?

The HIPAA Security Rule states that all HIPAA-covered entities must protect against reasonably anticipated threats to the security of PHI. Covered entities must use strong safeguards to ensure the confidentiality, integrity, and availability of PHI. HIPAA is not technology-specific, and the exact safeguards to be used are left to the covered entity to choose.

HIPAA demands that physical, technical, and administrative safeguards be used. Technologies such as encryption software and firewalls are classified as technical safeguards. Physical safeguards for PHI include keeping physical records and electronic devices that store PHI under lock and key. Administrative safeguards include setting access controls to manage who can view PHI and conducting security awareness training.

Why Must HIPAA Be Protected?

If you work in the healthcare sector or wish to do business with healthcare clients in a way that requires access to health data, you are obligated to comply with HIPAA Rules. The HIPAA Security Rule demands that safeguards be used to ensure the confidentiality, integrity, and availability of PHI, while the HIPAA Privacy Rule places restrictions on the uses and disclosures of PHI.

Should you violate any part of the HIPAA Privacy or Security Rules, you could be hit with a financial penalty. Criminal convictions are even possible for HIPAA violations. Claiming you were unaware of HIPAA law is not a valid defense.