According to the National Library of Medicine, the leading cause of personal health information leaks isn’t hackers—it’s poor security and negligence from individuals authorized to have it. In fact, unintentional insider threats account for more than twice as many leaks as those caused by malicious intent, like cyberattacks [1].
This startling finding emphasizes the importance of keeping protected health information (PHI) under strict lock and key—not just for healthcare providers but also for employers. This is especially true if you manage your employees’ health benefits and are responsible for tasks like reimbursing their medical expenses through a health reimbursement arrangement (HRA).
But how do you know which employee health information needs protection, and how do you keep it safe? This article will explain what PHI is and how to stay compliant.
Takeaways from this blog post:
- Protected health information (PHI) is personally identifiable sensitive health data. The federal HIPAA Privacy Rule regulates PHI to ensure confidentiality and security.
- PHI can be in various forms, such as electronic health records, account numbers, and biometric identifiers. Covered entities must protect it to prevent unauthorized access.
- Employers and medical professionals can keep employees' PHI safe by implementing written privacy procedures, administrative safeguards, employee training, and encryption of electronic health records to prevent misuse of PHI.
Protected health information (PHI) is the demographic information, medical histories, laboratory results, physical and electronic health records, mental health records, insurance information, and other data that a medical professional collects to identify an individual and determine appropriate care.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides federal protections for PHI. It outlines regulations for keeping individuals’ PHI safe and undisclosed to those not authorized to view it.
The HIPAA Privacy Rule protects “personally identifiable health information,” which the law considers PHI [2].
If health data includes any of the following identifiable information, it’s considered PHI:
PHI applies to all past, present, and future health status information that’s handled by any covered entity—be it an individual, organization, or agency—in any form.
For example, when someone transfers, receives, or saves PHI in an electronic record, such as an email, digital file, or computer, that’s called ePHI. All the HIPAA Privacy Rules still apply no matter what medium hosts the information.
Many people think all personal health histories and related information are PHI under HIPAA, but some exceptions exist.
Whether information is PHI depends on who records it. For example, mobile health trackers, like wearable devices or mobile apps on electronic devices, can record health information, such as heart rate or blood pressure, alongside common identifiers.
However, this data would only be PHI under HIPAA if a healthcare provider records information or a health plan uses it. Suppose the device manufacturer or health app developer doesn’t have a business associate agreement with a HIPAA-covered entity. In that case, the data the app records isn’t considered PHI.
Data isn’t PHI if it’s stripped of all personal identifiers that can tie the data back to an individual. If you remove the identifiers, the health information becomes de-identified data, and HIPAA Rules no longer apply.
Medical professionals commonly use PHI to track medical information during a patient's life, so physicians have the background they need to understand a person's medical condition and administer proper patient care.
Clinicians and research scientists also use PHI to study healthcare trends. Individuals can also use anonymized PHI to create value-based care programs that reward providers for delivering quality healthcare services.
HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 limit the types of PHI healthcare providers, health insurers, and their business associates can collect from people.
Those regulations also limit what those healthcare professionals can do with the data they receive, including how they can share it, so that patient privacy is preserved.
The HIPAA Privacy Rule applies to any HIPAA-covered entity, including medical providers, health insurers, and healthcare clearinghouses. These rules also apply to employers operating in one or more of these capacities if they’re in charge of administering a health benefit like an HRA.
HIPAA defines and limits the circumstances in which covered entities may use or disclose an individual’s PHI. An employer can’t use or disclose PHI except as the Privacy Rule permits or requires or as the individual who is the subject of the information (or the individual’s representative) authorizes it in writing.
There are many ways for PHI to end up in the wrong hands. For example, a leak can happen if devices storing PHI are lost or stolen. Hackers and cybercriminals are interested in PHI because it contains personal and identifiable health information.
Another way a leak could occur is if someone at your company or healthcare organization accidentally discloses an employee’s PHI to an entity without proper approval. Even something as simple as forgetting to shred documents can lead to a breach.
If any of the above happens, your organization can face hefty consequences. The penalties for HIPAA noncompliance can range from $100 to $50,000 per individual violation, depending on the level of negligence involved.
If the situation is severe, some violations can even result in jail time for those responsible for disseminating the information. This is why organizations must keep PHI safe.
“We enforce multi-factor authentication to add an extra layer of security [for digital medical records],” said Bryan Wright, owner of Wright Physical Therapy. “This minimizes the risk of unauthorized access even if login credentials are compromised. Regular audits and staff training sessions keep everyone updated on best practices for PHI protection.”
Even though your organization may not be a healthcare operation, you need to take PHI seriously as an employer. If you’re offering a health benefit like an HRA, it’s your responsibility to keep any of your employees’ PHI safe so that it’s not shared or viewed by those who aren’t authorized to see it.
Here are just a few ways to keep your employees’ PHI secure:
“We store paper records in locked cabinets accessible only to authorized staff,” Wright said. “Our server rooms are restricted to essential personnel, reducing the risk of internal breaches. We also employ a comprehensive exercise regimen to help maintain a high level of service quality while ensuring our practices are up-to-date with current security standards. This combination of digital and physical security measures ensures that we provide the highest level of protection for our patients' sensitive information.”
Some employers offer a health stipend instead of a formal health benefit. With a health stipend, you give your employees a fixed amount of money to purchase insurance and other healthcare products and industry services. You typically add this stipend to your employees’ paychecks as wages. Because the IRS considers the money extra income, it’s taxable at the end of the year.
With a health stipend, you can’t require your employees to submit documentation of what they used their stipend on, including premium payments they make to health insurance companies or other out-of-pocket medical expenses. You simply provide the stipend, and they can spend the funds on whatever they choose. Therefore, your employees’ PHI will be safe from prying eyes if you offer this type of health benefit.
However, stipends—unlike HRAs—don’t give employers much control over what their employees spend their benefit funds on. If you’re self-administering an HRA, you may come in contact with your employees’ PHI during certain times, such as reviewing their documentation for reimbursement requests. Any improper self-administration could result in fines or breaches.
With PeopleKeep’s HRA administration software, we review and securely store your employee’s documentation and help you navigate HIPAA compliance regulations so you don’t have to worry about PHI errors or self-administration pitfalls.
Understanding PHI and how to protect it can help you avoid hefty penalties for compliance violations. Staying on top of patient privacy rules and compliance regulations within the healthcare industry can seem daunting when offering a health benefit, but you don’t have to go it alone.
PeopleKeep’s HRA software and award-winning customer support team help thousands of organizations nationwide administer their HRAs compliantly with both state and federal regulations every day.
This article was originally published on September 23, 2021. It was last updated on June 21, 2024.
1. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9123525/
2. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html