Medical community challenge:
In a business environment where resources are limited, compliance requirements abound, and budgets are constantly squeezed to meet cost containment targets, the complexity of the regulations your business is obligated to follow is a real challenge. It becomes even more difficult in the dynamic environment of hospitals, doctors’ offices, and all the supporting elements of the medical profession. One of the key elements of meeting this challenge is understanding what defines Protected Health Information (PHI) and what qualifies an organization as a HIPAA Covered Entity.
In broad terms, PHI is information that deals with, or is associated in any way with, the medical details or medical records of an individual. For the term “Electronic Protected Health Information” (ePHI), the definition does not change much: it simply covers the same information when it is created, stored, or transmitted in electronic form, whether on a computer, a phone, a medical device, or any other digital system. To define PHI more precisely, the Privacy Rule describes it as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual”. Most people respond with “wow, that sounds like it covers a lot”, which it does. Not only is health-centric data covered by HIPAA, but so is the data that links that health information to a person, the “personal identifiers”. To get our arms around this topic, we can see what HIPAA treats as an identifier by reviewing the de-identification section of the Privacy Rule (Section 164.514(b) and (c)). The “Safe Harbor” method there lists 18 categories of identifiers that must be removed before data is considered de-identified, which is why they are the starting point for locating PHI:
- Names
- All geographical data smaller than a state
- Dates (other than year) directly related to an individual, such as birth, admission, discharge, and death dates, and all ages over 89
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers including license plates
- Device identifiers and serial numbers
- Web URLs
- Internet protocol (IP) addresses
- Biometric identifiers (e.g., retinal scan, fingerprints, etc.)
- Full face photos and comparable images
- Any unique identifying number, characteristic, or code
Keep in mind that the above is not an exhaustive list of sensitive data: it is the HIPAA definition of PHI that drives what must be protected, and the identifier list is a starting point for what needs to be considered when looking to secure and keep private the PHI and ePHI within your organization. These are the data elements that need to be located and tagged so that the records containing them can be properly secured. A good methodology is to review the official definition and decide whether a particular data element qualifies as protected under HIPAA. It is advisable to err on the side of caution and include data that “could be” viewed as sensitive, because making the wrong determination can easily lead a company to paying HIPAA fines and penalties. The broader approach may give some data more protection than it strictly needs, but that is a small price to pay compared with the potential cost of a breach, as Anthem Inc. learned: it reportedly paid $115 million to settle class-action lawsuits over its 2015 breach, on top of a separate $16 million settlement with the HHS Office for Civil Rights for the HIPAA violations involved.
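The “locate and tag” step above is where most organizations struggle, so here is an added example (not part of the original article, and not an official HIPAA tool) of how a first-pass discovery scan can work. It applies regular expressions for the identifier categories that have a recognizable shape (SSN, phone, email, IP address, URL, full date, and a hypothetical medical record number format) and tags a record as PHI only when an identifier co-occurs with health content, which mirrors the Privacy Rule’s “linked to an individual” test. The patterns, the health-term list, the MRN format, and the sample records are all constructed for illustration; names, geographic data, biometrics, and photos have no regular shape and need dictionaries, NLP, or metadata inspection instead.

```python
"""
Added example: a first-pass PHI discovery scanner over free-text records.
Not from the original article or any official HIPAA guidance. All
patterns, terms, the MRN format and the sample records are constructed.
"""
import re
from typing import Dict, List

# Identifier categories from the Safe Harbor list that have a recognisable
# shape. Names, geography smaller than a state, biometrics and photos are
# deliberately not covered here because regexes cannot find them reliably.
IDENTIFIER_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    # SSN: AAA-GG-SSSS, excluding area 000, 666 and 9xx, group 00, serial 0000
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # North American phone number with common separators
    "phone": re.compile(r"\b(?:\+1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # Dotted-quad IPv4 with each octet limited to 0-255
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE),
    # Full dates (a bare year is permitted by Safe Harbor, so it is not flagged)
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
    # Hypothetical MRN format for this example: "MRN" plus 6-10 digits
    "mrn": re.compile(r"\bMRN[-: ]?\d{6,10}\b", re.IGNORECASE),
}

# Constructed keyword list standing in for "health status, provision of
# healthcare, or payment for healthcare". A real deployment would use a
# curated vocabulary or a classifier.
HEALTH_TERMS = (
    "diagnosis", "patient", "prescription", "treatment", "claim",
    "medication", "vaccine", "admission", "discharge", "lab result",
)


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return {category: [matched strings]} for every identifier found."""
    found: Dict[str, List[str]] = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            found[category] = matches
    return found


def has_health_content(text: str) -> bool:
    """True when the text mentions health status, care or payment for care."""
    lowered = text.lower()
    return any(term in lowered for term in HEALTH_TERMS)


def classify_record(record: Dict[str, str]) -> Dict[str, object]:
    """Tag a record: PHI needs an identifier AND health content together."""
    text = " ".join(str(value) for value in record.values())
    identifiers = scan_text(text)
    health = has_health_content(text)
    if identifiers and health:
        tag = "PHI"                       # identifier linked to health data
    elif identifiers:
        tag = "PII"                       # identifier, no health context
    elif health:
        tag = "HEALTH_NO_IDENTIFIER"      # aggregate or de-identified data
    else:
        tag = "UNCLASSIFIED"
    return {"id": record.get("id"), "tag": tag,
            "identifiers": identifiers, "health_content": health}


# Constructed sample records (no real people or systems).
SAMPLE_RECORDS = [
    {"id": "rec-1", "body": "Patient MRN 00482913 seen 03/14/2023, diagnosis: "
                            "type 2 diabetes. Contact: jane.doe@example.com"},
    {"id": "rec-2", "body": "Vendor invoice 4471 for toner; call 555-201-3344 "
                            "to reorder."},
    {"id": "rec-3", "body": "Quarterly flu vaccine uptake was 62% across the "
                            "region."},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify_record(rec))
```

Running the script tags rec-1 as PHI (MRN, date and email alongside a diagnosis), rec-2 as PII only (a phone number in a supply-ordering note), and rec-3 as health content with no identifier (an aggregate statistic). The point of the three-way split is that the scanner’s output feeds a decision, not a verdict: records tagged PHI go straight to the protected store, and the other two buckets are the ones a human reviewer should sample, because the Privacy Rule definition, not the regex, is what ultimately decides.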
This brings us to the next key element for HIPAA – which organizations are obligated to adhere to HIPAA, and am I one?
Here again, we see that HIPAA applies to a wide array of organizations and businesses, all of which are linked to, or perform some activity with, health information. It is the connection with the data that brings in the HIPAA regulation and its requirements, as described below. The organizations that deal with medical data directly are officially termed “covered entities”. Any contractor, vendor, or 3rd party relationship with a covered entity that involves PHI or ePHI falls under the official term “business associate”. Since the 2013 Omnibus Final Rule, business associates are directly liable for compliance with the Security Rule and the applicable Privacy Rule provisions, not merely liable through the covered entity, and the permitted uses and disclosures, required safeguards, and breach-reporting duties must be clearly defined in a Business Associate Agreement (BAA). The BAA is a component of the contractual agreement between the two organizations.
For clarity on what qualifies as a covered entity:
Covered entities are the individuals, institutions, or organizations that maintain patient healthcare or payment information or would reasonably be expected to come into contact with PHI in the course of their daily duties – mostly, healthcare providers, health plans, and healthcare clearinghouses. Examples of covered entities include:
- Healthcare Providers – Providers who submit HIPAA standard transactions, such as claims, electronically are covered. These providers include, but are not limited to, doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies. Healthcare providers are defined generally as “providers of services” (i.e., institutions such as hospitals) and “providers of medical or health services” (i.e., physicians, dentists and other practitioners), as defined by Medicare. Also included are any other persons or organizations that furnish, bill, or receive payment for the provision of healthcare services.
- Health Plans – For HIPAA purposes, health plans include health insurance companies, health maintenance organizations (HMOs), employer-sponsored health plans, and government programs that pay for health care, like Medicare, Medicaid, and military/veterans’ health programs. Health plans include health, dental, vision, and prescription drug insurers, HMOs, Medicare, Medicaid, Medicare+Choice (now Medicare Advantage), Medicare supplement insurers, and long-term care insurers (excluding nursing home fixed-indemnity policies).
- Healthcare Clearinghouses – Clearinghouses are organizations that process nonstandard health information received from another entity into a standard data content or format, or vice versa, on behalf of other organizations. Healthcare clearinghouses include billing services, repricing companies, community health management information systems, and value-added networks and switches that perform these functions.
What about 3rd party vendors? If a covered entity engages a 3rd party to perform a function or service that involves PHI or ePHI, then a Business Associate Agreement (BAA) is required by HIPAA, and a subcontractor that a business associate in turn engages for work involving PHI is itself a business associate and needs its own BAA. A BAA is a focused document that addresses the requirements of HIPAA and acknowledges that the business relationship between the two parties will involve PHI or ePHI. To help define where these components apply, here is a more detailed explanation of a Business Associate:
A Business Associate is a person or entity, other than a workforce member, who performs certain functions or activities on behalf of a covered entity, or provides certain services to a covered entity, when those functions involve access to, or the use or disclosure of, PHI. Per HIPAA, Business Associate functions or activities include (but are not limited to) creating, receiving, maintaining, or transmitting protected health information for functions including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing.
It should be clear that the protections for HIPAA-defined medical information follow the data, no matter where it resides or who handles it. If your organization has any dealings or contact with medical companies or entities, and you do not have HIPAA protections in place, it is worthwhile to perform a thorough review to be certain of your status. That review should be fully documented and presented to proper legal counsel to consider and reach a definitive conclusion as to the obligations your company has under the HIPAA regulation.
Too often, organizations do not have a good understanding of what data is in their systems, and this leads to not knowing what legal obligations the company has taken on. Don’t let this happen to you: use the knowledge presented here, along with the information that is publicly available, to make a clear determination of what information security protections your company needs.