Improving HIPAA Compliance: Actually Understanding PHI

All organizations covered under the Health Insurance Portability and Accountability Act (HIPAA) are mandated to safeguard PHI. As such, in order to remain HIPAA compliant, healthcare organizations need to know precisely what is considered PHI.

What is PHI?

PHI stands for protected health information. In simple terms, PHI is any piece of information in a patient's medical records, held by a healthcare provider, that can be used to personally identify that individual.

What Is PHI Under HIPAA?

Any individually identifiable health information that is used, stored, or transmitted by a HIPAA covered entity is considered PHI under HIPAA.

This includes any information that relates to the provision of healthcare or payment for healthcare services – such as health records, health histories, test results and billing information.

To be clear, a HIPAA covered entity is any healthcare provider, health plan, health insurer, or healthcare clearinghouse. In addition, any business associate of a HIPAA covered entity that uses, stores, maintains or transmits health information or PHI on behalf of the covered entity is also mandated to safeguard that information under the HIPAA Rules.

To ensure HIPAA compliance, business associates must sign a business associate agreement (BAA) with the healthcare provider, which stipulates who is responsible for safeguarding PHI in line with the HIPAA Security Rule and the HIPAA Privacy Rule.

What Are the Individual Identifiers for PHI?

[Image: PHI individual identifiers (source: totalhipaa.com)]

The most common examples of individual identifiers include:

  • Patient name
  • Address (any geographic subdivision smaller than a state, such as street address, city, county, or ZIP code)
  • Dates (excluding years) that are directly related to an individual, including date of birth, date of death and date of admission or discharge
  • Telephone and fax numbers
  • Email address
  • Social Security number
  • Medical record number
  • Account number
  • Certificate/license number
  • Health plan beneficiary number
  • Vehicle identifiers, such as serial numbers or license plates
  • Web URLs
  • Device identifiers or serial numbers
  • IP address
  • Biometric identifiers such as fingerprints, retinal scans or voice prints
  • Full face photographs
  • Any other unique identifying number, characteristic, or code

When health information contains any one or more of these identifiers, that information becomes PHI – and must be adequately protected through technical, physical and administrative safeguards as stipulated in the HIPAA Security Rule.

Electronic Protected Health Information (ePHI)

Importantly, HIPAA Rules apply to both paper and electronic health information.

When PHI is created, used, shared or stored electronically – such as in an electronic health record (EHR) – it is known as electronic protected health information or ePHI.

Both the Privacy Rule (which limits uses and disclosures of PHI) and the Security Rule (which addresses the technical, physical and administrative safeguards healthcare organizations must have in place) apply to PHI and ePHI in equal measure.

ePHI and Cloud Storage

Today, nearly all HIPAA covered entities deal with ePHI.

As such, in order to comply with the Security Rule and avoid HIPAA violations, HIPAA covered entities must, according to the legislation, “Establish and implement procedures to create and maintain retrievable exact copies of electronic Protected Health Information.”

In addition, healthcare organizations must establish a data disaster recovery plan to “restore any loss of data in the event of a cyberattack, system outage, or damage to computers/servers where ePHI is stored.”
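“Retrievable exact copies” is a testable property, not a checkbox: a backup only satisfies it if you can prove, at restore time, that every file is bit-for-bit what was copied. The sketch below is an added example for this article, not code from the article's author or from any backup product named on the page; it shows the minimum a backup procedure should record and check, using a SHA-256 manifest written beside the copy, a verification pass before any restore, and a refusal to restore from a copy that no longer matches. The directory layout and the sample record files are constructed for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (path relative to root, '/' separated) to its digest."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source: Path, destination: Path) -> Dict[str, str]:
    """Copy the tree, prove the copy is exact, and persist the manifest next to it."""
    shutil.copytree(source, destination)  # destination must not exist yet
    manifest = build_manifest(destination)
    if manifest != build_manifest(source):
        raise RuntimeError("backup copy does not match source")
    manifest_path = destination.parent / (destination.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify(copy_root: Path, manifest: Dict[str, str]) -> List[str]:
    """Return paths that are missing, unexpected, or whose digest differs from the manifest."""
    current = build_manifest(copy_root)
    changed = {p for p in manifest if p in current and current[p] != manifest[p]}
    return sorted((set(manifest) ^ set(current)) | changed)


def restore(copy_root: Path, target: Path, manifest: Dict[str, str]) -> None:
    """Restore only from a copy that verifies clean, then confirm the restored tree is exact too."""
    problems = verify(copy_root, manifest)
    if problems:
        raise RuntimeError(f"refusing to restore from damaged backup: {problems}")
    shutil.copytree(copy_root, target)
    leftover = verify(target, manifest)
    if leftover:
        raise RuntimeError(f"restore produced a non-exact copy: {leftover}")


def demo() -> Dict[str, object]:
    """Run backup -> verify -> restore, then damage the copy and show the restore is refused."""
    with tempfile.TemporaryDirectory() as tmp_name:
        tmp = Path(tmp_name)
        live = tmp / "ehr" / "records"
        live.mkdir(parents=True)
        # Constructed sample records; the contents are placeholders, not real patient data.
        (live / "patient-0001.json").write_text('{"mrn": "00482913", "dx": "E11.9"}')
        (live / "patient-0002.json").write_text('{"mrn": "00482914", "dx": "I10"}')

        copy = tmp / "backup-2024-01-01"
        manifest = backup(tmp / "ehr", copy)
        clean = verify(copy, manifest)
        restore(copy, tmp / "restored-ok", manifest)
        restored_ok = verify(tmp / "restored-ok", manifest)

        # Simulate silent corruption or tampering of one file in the backup copy.
        (copy / "records" / "patient-0002.json").write_text("{}")
        damaged = verify(copy, manifest)
        try:
            restore(copy, tmp / "restored-bad", manifest)
            restored_from_damaged = True
        except RuntimeError:
            restored_from_damaged = False

        return {"files": len(manifest), "clean": clean, "restored_ok": restored_ok,
                "damaged": damaged, "restored_from_damaged": restored_from_damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the manifest should be signed or stored on a separate system from the copy, because a manifest that lives with the backup can be rewritten along with it; the point of the example is the verify-before-restore step, which is what turns “we have a backup” into “we have a retrievable exact copy”.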

Healthcare providers essentially have two options in this regard – implement and maintain their own data backup and recovery storage facility (an expensive, complex and time-consuming affair), or utilize the professional services of a cloud storage provider (by far the most reliable and cost-effective option).

When selecting a backup and recovery provider, however, it’s important to remember that not all cloud storage solutions are created equally.

Different providers offer different levels of support and service.

Some simply provide a software solution, rather than a full service to help you meet your HIPAA requirements.

It is possible to use these solutions to store ePHI in a HIPAA compliant way – however, it is down to you to configure the respective systems yourself to ensure you meet the requirements of the legislation.

Other services, including WeTransfer and Apple iCloud, will not sign a BAA with HIPAA covered entities and so must be avoided altogether.

The best solution, therefore, is to work with a HIPAA compliant backup and data recovery specialist – one that provides not only software, but a full-service including data storage support and ongoing guidance for best practices regarding ePHI protection and HIPAA compliance.

At WisperMSG, not only are our cloud backup and recovery solutions amongst the most secure in the industry, but you will also work hand in hand with friendly experts who make it their business to ensure your ePHI is always protected and recoverable.

Our HIPAA compliant cloud storage specialists will help you develop policies, procedures, training programs and disaster recovery plans to make sure your whole business is in full compliance with HIPAA and your ePHI 100% recoverable in the event of a data disaster.

Our clients put it best:

We chose to work with WisperMSG because as a dental clinic we needed to not only ensure our data was backed up and available, but that it was HIPAA-compliant at all times. The WisperMSG team have been great to work with – very friendly, always on hand to help and clearly experts when it comes to data recovery management. Thank you.

Dr. Condello @ Oceans Dental
