Protecting PHI In a Digital World

Data breaches in the healthcare sector are a regular occurrence, and show no sign of stopping in the near future.

Steven Krohn

Data breaches in the healthcare sector are a regular occurrence, and show no sign of stopping in the near future. Ransomware and Malware have become the weapons of choice to target Protected Health Information (PHI), and robust security measures are needed to combat them.

It’s not hard to see why PHI is so incredibly valuable to thieves. PHI includes

  • General identifying information about the individual
  • Information about their past, present, and future physical or mental health
  • Information about specific healthcare they have received
  • Who has provided that healthcare
  • Financial information pertaining to the provision of healthcare

This information gives someone access to prescription medication, medical care, and the owner’s financial information. On the black market or dark web, PHI will get you more money than someone’s social security number.

Protecting PHI must strike a fine balance between making the information accessible to those who need it, while keeping it safe from those who would seek to steal it and exploit it.

Protecting PHI in a digital world

When the HIPAA Privacy Rule was first conceived, protecting sensitive patient data amounted to little more than ensuring filing cabinets had locks on them, and that those cabinets remained locked at all times. You could only open the cabinet to remove or replace a file.

This is still the case where paper files are used, but PHI is becoming more and more digital. In 2011, the American Health Information Management Association (AHIMA) released guidance on the definition of a legal health record:

"The legal health record is the documentation of healthcare services provided to an individual during any aspect of healthcare delivery in any type of healthcare organization.

An organization's legal health record definition must explicitly identify the sources, medium, and location of the individually identifiable data that it includes (i.e., the data collected and directly used in documenting healthcare or health status)

The documentation that comprises the legal health record may physically exist in separate and multiple paper-based or electronic systems."

Electronic Protected Health Information requires 

  • Firewalls
  • Anti-virus software
  • Data encryption

to name just a few things. The definition of “unsecured” protected health information is defined by the Human Health Services as

“…protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.”

Defining data breaches

Data breaches are not simply defined as “someone accessed information”. There are a few aspects to formally determining whether a data breach occurred, rather than a data security incident.

  • Was PHI involved?
  • What identifiers were in the data?
  • Can the information breached be tracked back to specific individuals?

After that, the organization must pinpoint the unauthorized individual responsible for the breach. If the information is in a hospital, they would need to find if the person who accessed data was authorized to do so or not.

It must also be determined whether the data was actually acquired or viewed. Properly secured data should be unusable, unreadable, or indecipherable to any unauthorized user. If the data was properly secured, it’s possible for there to have been a security breach without compromising the PHI.

The HHS identifies three exceptions to a “breach”:

  • Unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity if such acquisition was in good faith and within the scope of authority. For example, a doctor asking someone who is not themselves authorized to get a patient file for them.
  • Inadvertent PHI disclosure between authorized individuals. For example, a doctor inadvertently disclosing PHI information to a hospital that is authorized to access PHI from their facility.
  • If the covered entity or business associate has a good faith belief the unauthorized person would not have been able to retain the information.