What Information is Protected by HIPAA?

HIPAA protects protected health information (PHI). PHI is any health information that can be linked to an individual; under HIPAA this means health information that includes one or more of the 18 identifiers listed below.

PHI only refers to information about patients or health plan subscribers. It does not include information held in educational and employment records, including health information that a HIPAA covered entity holds in its role as an employer.

PHI is only considered PHI when an individual could be identified from the information. If all identifiers are stripped from health data, it ceases to be protected health information and the HIPAA Privacy Rule’s restrictions on uses and disclosures no longer apply.

If all of these 18 identifiers are removed, the information is no longer considered PHI.

They include:
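The de-identification step the text describes, stripping identifiers so that health data stops being PHI, is shown below as an added example; it is not code from the original page. The identifier field names, the date-to-year reduction, the aggregation of ages over 89 and the free-text patterns are assumptions based on the HIPAA Safe Harbor method and on a constructed record, not on any list the page provides. It also illustrates a caveat practitioners run into: identifiers hiding inside free-text fields survive field-level stripping unless the text is scanned too.

```python
import re

# Field names treated as direct identifiers (assumption: an illustrative
# subset of the 18 Safe Harbor identifier categories, using our own keys).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "ssn", "mrn", "phone", "email", "street_address", "zip",
    "ip_address", "device_serial", "account_number",
}

# Date fields are reduced to the year only (Safe Harbor keeps only the year).
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}

DATE_RE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")

# Patterns for identifiers that often leak into free-text fields such as notes.
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                 # US SSN
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),              # e-mail address
    re.compile(r"\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}"),      # US phone number
]
REDACTED = "[REDACTED]"


def scrub_text(text):
    """Replace identifier-looking substrings in free text with a marker."""
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(REDACTED, text)
    return text


def deidentify(record):
    """Return a new dict with direct identifiers dropped, dates reduced to
    the year, ages over 89 aggregated, and free text scrubbed."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # drop the identifier field entirely
        if key in DATE_FIELDS:
            m = DATE_RE.match(str(value))
            out[key + "_year"] = int(m.group(1)) if m else None
            continue
        if key == "age" and isinstance(value, int) and value > 89:
            out[key] = "90+"  # Safe Harbor aggregates ages over 89
            continue
        if isinstance(value, str):
            out[key] = scrub_text(value)
            continue
        out[key] = value
    return out


def is_phi(record):
    """True if an identifier field, a full date, or an identifier pattern
    in free text is still present; False once the record is de-identified."""
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            return True
        if key in DATE_FIELDS and DATE_RE.match(str(value)):
            return True
        if isinstance(value, str) and any(p.search(value) for p in FREE_TEXT_PATTERNS):
            return True
    return False


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "mrn": "MRN-0001",
    "date_of_birth": "1931-04-12",
    "admission_date": "2023-02-03",
    "age": 92,
    "diagnosis": "hypertension",
    "notes": "Patient callback at 555-123-4567; email jane@example.com",
}

if __name__ == "__main__":
    print("before:", is_phi(SAMPLE_RECORD))      # True
    cleaned = deidentify(SAMPLE_RECORD)
    print("after:", is_phi(cleaned), cleaned)    # False, identifiers gone
```

The `is_phi` check is the useful part for a data pipeline: run it on every record before it leaves a PHI-authorized system, and treat a `True` as a blocked export rather than a warning. The free-text patterns are deliberately narrow; in practice they are a floor, not a guarantee, which is why de-identified extracts should still be reviewed before they are treated as outside the Privacy Rule.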

How Must HIPAA Protected Health Information be Safeguarded?

The HIPAA Security Rule states that all HIPAA covered entities must protect against reasonably expected threats to the security of PHI. Covered entities must adopt safeguards to ensure the confidentiality, integrity, and availability of PHI, although HIPAA is not technology specific and the precise safeguards to put in place are left to the discretion of the covered entity.

HIPAA requires physical, technical, and administrative security measures and systems to be implemented. Technologies such as encryption software and firewalls fall under the technical safeguards. Physical safeguards for PHI include keeping physical records and electronic devices containing PHI under lock and key. Administrative safeguards include setting access controls to limit who can view PHI and conducting security awareness training.

Why Must PHI Be Protected?

If you work in healthcare, or are proposing to do business with healthcare clients in a way that requires access to health data, you are required to comply with HIPAA law. The HIPAA Security Rule demands that safeguards be implemented to ensure the confidentiality, integrity, and availability of PHI, while the HIPAA Privacy Rule places limits on the uses and sharing of PHI.

If you breach any part of the HIPAA Privacy and Security Rules, you could be financially penalized. Criminal penalties are also possible for HIPAA violations. Saying you were unaware of HIPAA law is not a valid defense.