Protected health information (PHI) is any information that must be secured to safeguard a patient’s healthcare privacy. Regulations require that covered entities — people or organizations that provide healthcare — protect information related to a patient’s past, present, or future physical or mental health. A patient’s health plan must ensure reliable, consistent protection of that patient’s PHI.
As defined under the Health Insurance Portability and Accounting Act (HIPAA) and its Privacy Rule, PHI is “individually identifiable information transmitted by electronic media, maintained in electronic media, or transmitted in any other form of media.”
The forms of information covered under PHI provisions have been steadily expanding over the past 20 years. The scale and scope of PHI will continue to increase as the technology advances to capture, store, and share PHI, and as the regulatory compliance environment evolves for patient confidentiality.
Protected health information is important because healthcare providers must protect the confidentiality of a patient’s healthcare data. Since much of PHI is highly personal, providers go to great lengths to ensure that the information is secure at all times.
There is a deep, implicit trust among healthcare practitioners, health maintenance organizations (HMOs), and their patients, who have the right to assume that healthcare organizations will properly secure their PHI.
This protection must take place throughout a patient’s experience and at any location where care is provided, such as a doctor’s office, a hospital, a remote clinic, or a telemedicine visit.
There are numerous regulatory compliance guidelines that carry penalties in the event of a PHI breach. The largest regulatory framework covering PHI is HIPAA. According to the U.S. Department of Health and Human Services (HHS), the HIPAA Privacy Rule “provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information.”
The Privacy Rule also ensures a balance of rights and privileges to ensure that PHI is appropriately disclosed to provide patient care and related requirements.
Personal identifiable information (PII) covers any data that links a patient with personal identifiers, such as their demographics, driver’s license, and health insurance data.
PHI is a subset of PII that refers to information specifically shared with HIPAA entities. This can include the correspondence between a patient and their provider, billing records, digital scans from diagnostic equipment, and test results.
The HHS lists 18 specific PHI identifiers:
Electronic PHI (ePHI) is simply PHI in electronic/digital formats. This could be a PDF of a medical report or an online database of a patient’s medical history. ePHI is specifically called out in the HIPAA Security Rule. Within the rule, there is a subsection devoted to electronic healthcare data.
More patient information is created, stored, and shared in electronic formats today than ever. Healthcare providers must pay close attention to securing those digital records from end to end in the healthcare ecosystem.
The HIPAA Security Rule spells out requirements to protect the confidentiality, integrity, and availability (known as the CIA triad) of all ePHI. This includes identification and protection against anticipated threats to the safety and security of digital healthcare information. It also allows covered entities to put in place systems, procedures, and policies designed to ensure compliance with HIPAA guidelines set forth under the Security Rule.
The HIPAA Security Rule mandates specific steps covered entities must take to demonstrate compliance, thus ensuring trust between patients and providers when it comes to protecting PHI and ePHI. Those steps fall into three categories:
Administrative safeguards are intended to pinpoint and determine potential risks to PHI, and to put in place steps that reduce security risks and vulnerabilities. They also mandate that a security official be required to develop and implement the covered entity’s security rules and procedures.
Providers also are required to regularly assess how well their security policies meet the requirements of the HIPAA Security Rule.
Physical safeguards cover issues such as limiting unauthorized physical access to facilities while allowing authorized access to take place. Covered entities also are required to deploy policies and procedures covering the proper handling of electronically stored data and electronic media containing PII and PHI.
Technical safeguards are designed to ensure that only properly authorized persons can access digital records and other electronic information. This covers not only the hardware, software and services required to capture, store and manage healthcare and medical records, but also the security credentials and authentication procedures that govern access.
They also include encryption and other technologies designed to safeguard against improper access to PHI and ePHI over a digital network.
In recent years, the healthcare industry has seen a surge in cyberattacks targeting patients’ personal information. Malicious actors use tactics such as ransomware and extortion to achieve exorbitant payouts from providers — some even selling patient records to the highest bidders.
Healthcare organizations pay $1.41 million per ransom on average, according to Unit 42’s Incident Response Report 2022. And a data breach can cost up to $10.10 million, according to IBM’s Cost of a data breach 2022 report.
The HHS broadly defines a PHI breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” In a real-world setting, this can include a wide range of actions resulting in exposing PHI.
For instance, hackers who commit Medicare fraud or other insurance scams often unleash a variety of techniques designed to obtain PHI. Ransomware, identity theft, social engineering, credentials theft, phishing, and malware are all used to compromise unencrypted or under-protected personal devices.
Under HIPAA, there are four key elements to a PHI breach:
In most cases, PHI breaches resulting from unintentional actions, rather than malicious ones, are not considered to be HIPAA violations. Covered entities are strongly advised to check with their attorneys and compliance teams to ensure if a disclosure of PHI is a violation of HIPAA or other privacy guidelines.
The healthcare industry is undergoing a dramatic transformation on many fronts, including how, when, where and why healthcare provision takes place. Trends such as the rise of remote care, the increased number of smart medical devices (internet of medical things) and an increasingly complex and interconnected IT environment have combined to create a rapidly changing landscape.
To keep PHI secure, healthcare organizations and their partners/business associates need an experienced cybersecurity partner to design, build, trust, and monitor cybersecurity operations on an enterprise-wide basis.
When evaluating potential cybersecurity partners, chief information security officers and their colleagues should require several key capabilities:
Learn about how Palo Alto Networks is the cybersecurity leader of choice for hospitals and health systems around the world. Visit www.paloaltonetworks.com/healthcare.
PHI breaches can occur from multiple endpoints, including unsecured IoT devices and email-based phishing attacks. And those threats are evolving rapidly — especially with emerging attacks using machine learning and artificial intelligence.
A robust cybersecurity solution protects patient data on all fronts: network security, cloud security, and endpoint security. Organizations should have a next-generation firewall that protects from unwanted intrusions and data loss, while having the ability to automate incident response in the event of an attack. And for organizations with growing cloud workloads, tools like identity management and access control keep workers and their devices safe while connecting to their internal network.