Accidentally disclosing patient information, known as PHI, can constitute a data breach for your healthcare organization, and a breach triggers the notification processes required by the HIPAA Breach Notification Rule.
PHI stands for Protected Health Information.
The HIPAA Privacy Rule defines PHI as individually identifiable health information that is transmitted or maintained in any form or medium (electronic, oral or paper) by a covered entity or its business associates. The Privacy Rule gives patients an array of rights with respect to that information, and it is balanced so that it still permits the disclosures of health information needed for patient care.
18 Patient-Specific Identifiers Known As PHI
The 18 identifiers below are the ones HIPAA's Safe Harbor de-identification standard treats as identifying a patient; health information linked to any of them is PHI. When such information is created, stored or transmitted electronically, it is referred to as ePHI:
- Names
- Geographic subdivisions smaller than a state (street address, city, county, ZIP code), except for the initial three digits of a ZIP code
- All elements of dates (except year) directly related to an individual, such as birth date, admission and discharge dates and date of death, and all ages over 89
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URLs
- Internet protocol addresses
- Biometric identifiers (fingerprints, retinal scans)
- Full face photos and comparable images
- Any unique identifying number, characteristic or code (except the unique code assigned by the investigator to code the data)
Seemingly harmless situations can cause a breach. Consider two examples:
A nurse uses the wall-mounted computer in the exam room to enter the patient's information and the reason for the visit, then leaves the room with the computer still unlocked because the doctor will see the patient momentarily.
A nurse carries a tablet or laptop to take the patient's vitals, enters the results on the device and asks the patient to wait for the doctor. She closes the door, and the patient is alone with the unlocked device until the doctor arrives.
Both actions are well intended, but in both scenarios the patient (or anyone else who walks into the room) could use the unattended device to read or alter other patients' records. That is unauthorized access, and leaving the device unlocked violates the HIPAA Security Rule's workstation security and access control requirements even though nothing was done intentionally. Whether the incident is also a reportable breach is decided by the risk assessment the Breach Notification Rule requires: unless the organization can show a low probability that PHI was compromised, the incident is presumed to be a breach. Such infractions carry serious consequences, including disciplinary action against the employee(s) involved and penalties for the practice.
What if the laptop or mobile device had a USB flash drive with PHI on it, and the drive is lost or stolen?
Lost or stolen USB flash drives are accidental, unintentional HIPAA violations, since nobody intended for the drive to go missing. However, loss or theft is reasonably foreseeable, and the exposure is avoided by encryption and secure storage. The distinction matters in practice: the Breach Notification Rule applies to unsecured PHI, and PHI encrypted in a manner consistent with HHS guidance is not considered unsecured. Losing a properly encrypted drive is therefore not a reportable breach, while losing an unencrypted one is.
Precautionary steps you can implement to protect PHI:
- Lock the computer or mobile device whenever you step away, even for a moment.
- Keep mobile devices accessible to staff only, and lock the device or its display when it is not in use.
- Set the computer or mobile device to log off or lock its screen automatically after a short idle period, in accordance with your office's policies and procedures.
- Give each user a unique user ID protected by a strong password, and never share accounts, so that every access to ePHI can be attributed to an individual.
- Position screens away from others' view and use a privacy screen filter.
- Encrypt USB drives and mobile devices (full-disk encryption) so that patient data stays unreadable if the device is lost or stolen.
- Store USB drives and other electronic storage devices in locked cabinets when not in use.
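Two of the precautions above, the automatic screen lock and the encryption of removable media, can be checked and enforced from a script rather than left to each user. The following PowerShell is an added example written for this page; it is not code from the original article. It assumes a Windows 10/11 Pro or Enterprise workstation with the BitLocker module, an elevated session, and that the USB flash drive being checked is mounted as E:; the drive letter and the 600-second timeout are illustrative values, not anything the article specifies.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): audit and enforce the idle
# screen lock and removable-media encryption on a Windows workstation.
# Assumptions: Windows 10/11 Pro or Enterprise with the BitLocker module, an
# elevated session, and a USB drive mounted as E:. The drive letter and the
# timeout below are illustrative defaults; use your office's policy values.
param(
    [string]$RemovableDrive = 'E:',
    [int]$LockAfterSeconds  = 600
)

# 1. Automatic screen lock. The "Interactive logon: Machine inactivity limit"
#    policy is stored as InactivityTimeoutSecs; 0 or a missing value means the
#    machine never locks on its own, which is the failure mode in both exam-room
#    scenarios above.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$current = (Get-ItemProperty -Path $policyKey -Name InactivityTimeoutSecs `
            -ErrorAction SilentlyContinue).InactivityTimeoutSecs
if (-not $current -or $current -gt $LockAfterSeconds) {
    Write-Warning "Inactivity lock is '$current' seconds (or unset); setting $LockAfterSeconds seconds"
    New-ItemProperty -Path $policyKey -Name InactivityTimeoutSecs -Value $LockAfterSeconds `
        -PropertyType DWord -Force | Out-Null
} else {
    Write-Output "Inactivity lock already enforced at $current seconds"
}

# 2. Removable-media encryption. A lost drive only stays outside breach-notification
#    territory if it was fully encrypted with protection switched on at the time.
$vol = Get-BitLockerVolume -MountPoint $RemovableDrive -ErrorAction Stop
if ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'On') {
    Write-Output "$RemovableDrive is protected ($($vol.EncryptionMethod)); nothing to do"
} elseif ($vol.VolumeStatus -eq 'FullyEncrypted') {
    # Encrypted but protectors suspended: the volume key sits on the disk in the clear.
    Write-Warning "$RemovableDrive encryption is suspended; resuming protection"
    Resume-BitLocker -MountPoint $RemovableDrive | Out-Null
} else {
    Write-Warning "$RemovableDrive is $($vol.VolumeStatus); enabling BitLocker To Go"
    $pw = Read-Host -AsSecureString -Prompt "Passphrase for $RemovableDrive"
    Enable-BitLocker -MountPoint $RemovableDrive -EncryptionMethod XtsAes256 `
        -PasswordProtector -Password $pw -UsedSpaceOnly | Out-Null
    # Add a recovery password and escrow it per your key-management process, so a
    # forgotten passphrase does not turn into a second data-loss incident.
    $updated = Add-BitLockerKeyProtector -MountPoint $RemovableDrive -RecoveryPasswordProtector
    $recovery = $updated.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -ExpandProperty RecoveryPassword
    Write-Output "Recovery password for $RemovableDrive (escrow this, do not leave it on screen): $recovery"
}
```

Run it once per workstation from an elevated prompt, or fold the two checks into your endpoint management tooling so that a drive reporting FullyDecrypted or a machine with no inactivity limit is flagged rather than silently tolerated. The recovery password is printed only so it can be escrowed; in a domain environment, backing it up to Active Directory with Backup-BitLockerKeyProtector is the better choice.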