In the field of healthcare, providing excellent care to patients is the priority for providers, but doing so involves more than just treatment. Because healthcare providers frequently deal with highly sensitive information, handling patients with confidentiality and respect is an integral part of establishing trust with them.
Healthcare organizations must be constantly cognizant of protecting this health information, or there could be serious consequences.
What is PHI?
Personal/protected health information (PHI) is defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as health information stored by a HIPAA-covered entity — such as a healthcare provider, insurer, or clearinghouse — that identifies the patient. HIPAA lists specific identifiers, ranging from names and photos to health plan numbers, that turn medical data into PHI when they are associated with it.
HIPAA protects patients by setting rules and limits on who can access their protected health information through any means, whether electronic, written, or verbal. This act was passed on the principle that a patient’s health information is their own, and that they should have the right to determine who should and shouldn’t access it.
Everyone is responsible for protecting PHI
Because of the sensitive nature of the PHI protected under HIPAA, it is paramount that everyone in medical workplaces take appropriate care to protect patients’ privacy. Failure to do so could result in catastrophic consequences. “If a patient or patient’s family member submits a complaint, it could prompt a review, potential fines, and loss of accreditation,” explains Dr. Mark Kestner, Chief Innovation Officer at healthcare technology solutions company MediGuru. “Healthcare organizations are very serious about this.”
Indeed, due to the gravity of the situation, every team member has to undergo mandatory annual HIPAA training. “Every member of the team has a responsibility to protect patient information,” Dr. Kestner asserts. “Even if you don’t have direct access to a patient’s medical record, something as simple as discussing a patient’s condition in a public location could be deemed as a HIPAA violation.”
As such, it is often the responsibility of everyone on the healthcare provider’s team to police the workplace environment and ensure patient protection. Healthcare providers are still human, after all; they can make mistakes, but it is important that every team member remind each other of their mutual responsibility to protect both their patients and their practice.
Creating this secure environment for patient information also extends to people who may not be aware of HIPAA regulations. “Patients’ visitors might not understand that the topics they are discussing are something that is in violation of the patient’s privacy rights,” explains Dr. Kestner. “If that information is unwittingly passed to a stranger, you wouldn’t want that to come back to bite you if the patient files a complaint.”
How to protect patients’ PHI
A general principle to adhere to is that patient cases should never be discussed in public places like lobbies, cafeterias, or parking lots. To remedy this issue, healthcare facilities should have workstations and work rooms where sensitive and protected PHI can be discussed without violating the privacy rights of the patient. This is the most basic measure a healthcare facility can implement to protect patient privacy.
Medical records should also be kept in a protected environment where access is limited. In the days of paper medical records, this meant storing them in a room that only the people who needed access to them were permitted to enter. However, with the medical industry becoming increasingly digitized in recent years, the way medical records are secured is evolving.
For example, a patient's Electronic Health Record (EHR) should be password-protected and auditable. As with any form of PHI, the only people who should be able to access these records are those who require them to provide the patient's care. Allowing people to access patient medical records unnecessarily creates a risk of a HIPAA violation.
Healthcare providers should be keeping precise track of what information is being accessed by whom and why. “If questioned, a member of the healthcare team needs to justify why they were in the record,” Dr. Kestner said. “It is often the risk management team that conducts this questioning, but it is still the responsibility of each member of the team to ensure that they are only accessing sensitive information when necessary.”
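As an added example (not code from the article or from MediGuru), the check below shows what "keeping track of what is accessed by whom and why" can look like in practice: it runs over constructed EHR access audit entries and flags accesses with no recorded reason, reasons that do not fit the user's role, and treatment accesses by users with no care-team assignment to that patient. The log format, role/purpose table and care-team assignments are all assumptions made for the illustration.

```python
import re

# Constructed sample EHR access audit entries (not from any real system).
# Assumed format: timestamp user role patient action reason
AUDIT_LOG = """\
2024-03-01T08:02:11 nurse.ortiz nurse PT-1001 view treatment
2024-03-01T08:05:40 dr.lee physician PT-1001 update treatment
2024-03-01T09:10:03 billing.kim billing PT-1001 view payment
2024-03-01T12:33:19 nurse.ortiz nurse PT-2002 view -
2024-03-01T13:01:55 dr.patel physician PT-1001 view treatment
"""

# Constructed care-team assignments: which users currently treat which
# patients. In a real deployment this comes from the EHR's scheduling data.
CARE_TEAM = {
    "PT-1001": {"nurse.ortiz", "dr.lee"},
    "PT-2002": {"dr.patel"},
}

# Assumed table of access reasons each role is allowed to record.
ROLE_PURPOSES = {
    "billing": {"payment"},
    "nurse": {"treatment"},
    "physician": {"treatment"},
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")


def audit(log: str):
    """Return (line_no, user, patient, finding) for each access to review."""
    findings = []
    for n, line in enumerate(log.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            findings.append((n, "?", "?", "unparseable audit line"))
            continue
        _ts, user, role, patient, _action, reason = m.groups()
        if reason == "-":  # access with no justification recorded
            findings.append((n, user, patient, "no access reason recorded"))
        elif reason not in ROLE_PURPOSES.get(role, set()):
            findings.append((n, user, patient, f"reason '{reason}' not allowed for role {role}"))
        elif reason == "treatment" and user not in CARE_TEAM.get(patient, set()):
            findings.append((n, user, patient, "treatment access without care-team assignment"))
    return findings


if __name__ == "__main__":
    for finding in audit(AUDIT_LOG):
        print(finding)
```

The two flagged entries are exactly the ones a risk management team would ask the user to justify: an access with no reason, and a clinician reading the chart of a patient they are not assigned to.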
PHI and new health devices
Due to the advent of new health devices, PHI and HIPAA are no longer as black-and-white as they used to be. Several health devices, such as remote monitoring devices, are now being sold direct-to-consumer and are collecting patient data. Some patients, understandably, have expressed concern about whether or not their PHI is secure when using this new technology.
“Anything not connected to your EHR is suspect,” explains Dr. Kestner. “If the data from the device is being stored with your healthcare provider, you know it is protected under HIPAA. The same protections afforded to you under the act apply to the data collected by that device.” However, if the data is being stored by a third party, as opposed to a HIPAA-covered entity, a patient’s information might actually be classified as unprotected data.
One interesting case is the use of watches and fitness trackers to collect medical data like vitals. While these can be an essential tool in understanding a particular patient's personal wellness — keeping track of their pulse rate can alert them if something is wrong and in need of immediate medical attention — the environment in which this data is collected and stored offers far fewer assurances.
As health data continues to be collected from more sources, the line between protected and unprotected data is becoming more and more blurred. Health and fitness tracking apps are not considered HIPAA-covered entities so long as they do not provide healthcare, but once a healthcare provider uses this data, it is not clear-cut exactly where HIPAA laws and regulations come into play. In any circumstance, when it comes to PHI, it is always best to err on the side of caution.
PHI has always been a complex issue, but new technological innovations make the discussion even more nuanced. Ultimately, healthcare providers have a legal and moral responsibility to protect their patients' privacy and their sensitive information. Even as the lines around what is and isn't protected, and specifically whom HIPAA applies to, become less clear, healthcare providers must take care to protect this information.
Editor’s Note: Mark Kestner, MD is Chief Innovation Officer of MediGuru. He has extensive executive leadership experience in the military, university systems, integrated delivery systems and particularly in community-based healthcare systems.