Every time you walk into a private doctor's office or a private hospital, you leave behind a large amount of information about yourself. This information matters, and you do not want it disclosed. Sometimes you make personal disclosures to your doctor that you would not share with anyone else.
In the US, a law known as HIPAA lays down rules for protecting your privacy and the security of that data. Even if your local environment has no equivalent concern, you still need to know the finer points if you intend to become a full-fledged cybersecurity professional: you never know when your next job or assignment will involve working for or with a hospital. So do not shy away from learning this. I am focusing exclusively on PHI here.
When HIPAA came into being in 1996, one of its objectives was to ENSURE that patients' private information is secured. It made it mandatory for hospitals and medical practitioners to put in place a system for protecting the sensitive patient information stored within hospitals and in patient records. Those records had to be protected, and authorization methods had to be standardized so that fraudulent access could be detected and prevented. This became especially important as health records were digitized.
HIPAA brought in everything from implementation requirements to auditing bodies, penalties and enforcement. But everything was, and still is, centered around Protected Health Information (PHI).
-
What is PHI?
Protected health information is individually identifiable health information held or transmitted by a covered entity or its business associate: anything about your past, present or future health status, the care you received, your medical records, payment information and payment history, and any other information you submit to your healthcare provider that can be tied back to you. All of it is considered sensitive, and all of it holds value, to you and to an attacker.
-
18-IDENTIFIERS OF PHI
Before I list these identifiers, note three things first.
A. If any of the following identifiers appears in a record together with health information, that information is PHI and is protected under HIPAA.
B. The identifiers below apply to the patient AND to the patient's family members, relatives, household members and employers.
C. For a healthcare organization (covered entity) or its business associate to release health data outside HIPAA's protections (for research, analytics, or sharing with organizations that are not business associates), it must first remove these identifiers. PHI that still carries them may leave the organization only for uses the Privacy Rule permits, for example to a business associate under a business associate agreement.
Now you are ready to get a full hold of the 18 identifiers of PHI...
1. Names
2. Addresses, meaning any geographic subdivision smaller than a state: street address, city, county, precinct, ZIP code, and any equivalent geographical marker or geocode
3. Dates (other than the year) directly related to the patient, including birth date, death date, admission date and discharge date. Only the year may be kept.
4. Telephone numbers
5. Vehicle identifiers and serial numbers, including license plate numbers and physical descriptors
6. Fax numbers
7. Device identifiers and serial numbers
8. Email addresses
9. Web URLs identifying the patient or related members
10. Social Security numbers
11. IP addresses
12. Medical record numbers
13. Biometric identifiers, including fingerprints, voice prints (cadence or tone), signature and DNA
14. Health plan beneficiary numbers
15. Full-face photographs, videos and any comparable images
16. Account numbers
17. Any other unique identifying number, characteristic or code
18. Certificate and license numbers
Some exceptions are also defined:
Identifier 2: The first three digits of a ZIP code may be kept if the combined population of all ZIP codes sharing those three digits is more than 20,000 people. If it is 20,000 or fewer, the first three digits must be changed to 000. The remaining digits of the ZIP code are always removed.
Identifier 3: Ages over 89, and any date element (including the year) that would reveal such an age, are also identifiers. The exception is that they may be aggregated into a single category of "age 90 or older", to avoid giving away specifics.
Identifier 17: A re-identification code may remain on a de-identified record only if it is not derived from or related to information about the patient (a hash of the medical record number, for example, is derived from it and does not qualify), cannot otherwise be translated to identify the patient, and the mechanism for re-identification is not disclosed to the recipient.
-
HIPAA, as extended by the HITECH Act (2009), requires that all 18 identifiers be removed before data is treated as de-identified.
De-identification is a process a healthcare entity must complete before it releases the data to its business associates or any other organization outside the protections HIPAA provides.
HITECH extended the scope beyond the healthcare organization: business associates became directly subject to the Security Rule and to HIPAA penalties, so the information stays protected through the course of its exchange. Once the information leaves the healthcare organization, both it and the recipient remain liable for its protection.
For this reason, many healthcare organizations require their business associates to adopt the same security framework and organizational controls, and to commit to them in a written business associate agreement.
-
2-METHODS of De-identification
The U.S. Department of Health and Human Services (HHS) recognizes two methods of de-identification (45 CFR 164.514(b)). Satisfying either one means the data is no longer PHI and may be shared without HIPAA restrictions.
1. The Expert Determination Method
This method relies on a person with appropriate knowledge of, and experience with, generally accepted statistical and scientific principles for rendering information not individually identifiable. The expert must determine that the risk is very small that the information, alone or in combination with other reasonably available information, could be used by an anticipated recipient to identify the patient. This requires experience with those principles and knowledge of the identifiers listed above.
HHS also requires that the methods and results of the analysis justifying the determination be documented.
If you find it hard to understand the above paragraph/method, it is ok.
2. Safe Harbor Method
The Safe Harbor method removes all 18 identifiers of the patient, and of the patient's relatives, employers and household members, from the data being released. HHS also requires that the covered entity or business associate has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the patient. In fact, the 18 identifiers listed above are the Safe Harbor list.
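As an added example (not code from the original article), here is a minimal Safe Harbor de-identifier that applies the rules above to a single patient record: outright removal of the direct identifiers (including relative and employer fields), the three-digit ZIP rule with its 20,000-population threshold, year-only dates, the "90 or older" age bucket, and a regex pass over free-text notes where phone numbers, emails and SSNs tend to leak. The field names, the ZIP-prefix population table and the sample record are constructed assumptions for this example; a real implementation would take the prefix populations from U.S. Census Bureau data.

```python
"""Safe Harbor de-identification of a patient record (added example, not from the article)."""
import re
from datetime import date

# ASSUMPTION: made-up population figures per 3-digit ZIP prefix for this example.
# A real implementation must use U.S. Census Bureau data for the current populations.
ZIP3_POPULATION = {"021": 850_000, "036": 12_500, "995": 30_000}

# Fields removed outright under Safe Harbor (constructed field names for this example).
# Covers identifiers 1, 4-16 and 18 above, relatives/employer data (instruction B),
# and geographic subdivisions smaller than a state (identifier 2, apart from the ZIP prefix).
REMOVE_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "license_plate", "device_serial",
    "url", "ip", "photo", "fingerprint", "employer", "emergency_contact",
    "street", "city", "county",
}
# Dates directly related to the patient: only the year survives (identifier 3).
YEAR_ONLY_FIELDS = {"admission_date", "discharge_date", "death_date"}

# Identifiers that commonly leak into free-text clinical notes.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

REF_DATE = date(2024, 1, 1)  # ASSUMPTION: the date the record is released


def generalize_zip(zip_code: str) -> str:
    """Keep the 3-digit prefix only if its combined population exceeds 20,000, else '000'."""
    prefix = zip_code.strip()[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"


def generalize_birth_date(dob: date, ref: date) -> str:
    """Year only; if even the year would indicate an age of 90+, collapse to the 90+ bucket.
    Using the year difference (not the exact age) errs on the side of over-redaction."""
    if ref.year - dob.year >= 90:
        return "90 or older"
    return str(dob.year)


def generalize_age(age: int) -> str:
    """Ages over 89 are aggregated into the single category 'age 90 or older'."""
    return "90 or older" if age > 89 else str(age)


def scrub_text(text: str) -> str:
    """Replace SSNs, emails and phone numbers embedded in free text with placeholders."""
    text = SSN_RE.sub("[SSN]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    return PHONE_RE.sub("[PHONE]", text)


def safe_harbor(record: dict, ref: date) -> dict:
    """Return a new record with the 18 Safe Harbor identifiers removed or generalized."""
    out = {}
    for field, value in record.items():
        if field in REMOVE_FIELDS:
            continue
        if field == "zip":
            out[field] = generalize_zip(value)
        elif field == "birth_date":
            out[field] = generalize_birth_date(value, ref)
        elif field in YEAR_ONLY_FIELDS:
            out[field] = str(value.year)
        elif field == "age":
            out[field] = generalize_age(value)
        elif isinstance(value, str):
            out[field] = scrub_text(value)  # free text may still carry identifiers
        else:
            out[field] = value
    return out


# Constructed sample record for a fictional patient (not real data).
SAMPLE = {
    "name": "Jane Q. Sample",
    "street": "12 Elm St", "city": "Boston", "state": "MA", "zip": "02134",
    "birth_date": date(1933, 11, 2), "admission_date": date(2023, 12, 28),
    "age": 90, "ssn": "123-45-6789", "employer": "Acme Corp",
    "diagnosis": "Hypertension",
    "notes": "Pt may be reached at 617-555-0143 or jane@example.com; SSN 123-45-6789 on file.",
}

if __name__ == "__main__":
    for field, value in safe_harbor(SAMPLE, REF_DATE).items():
        print(f"{field}: {value}")
```

Note what this does not do: the "no actual knowledge" condition of Safe Harbor is a judgement about the remaining data (a rare diagnosis plus a small ZIP prefix can still single someone out), and the regexes only catch identifiers written in common formats. Treat a scrubber like this as one control in the release process, not as proof of de-identification.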
-
---------------
A Final Note:
---------------
Not all health information is PHI.
For example, many applications and devices are now marketed to measure certain biometrics; think of wristbands that record heart rate or blood pressure. If the company is neither a HIPAA-covered entity nor a business associate of one, this information is not protected by HIPAA.
Instead, these companies declare under their "Terms of Service" what they can and cannot do with your personal data.
-
Kindly write your comments on these posts or topics; when you do, you help me greatly in designing new quality articles and posts on cybersecurity.
You can also share with all of us whether the information here has helped you in some manner.
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies and Networking.
She is passionate about the Cybersecurity domain and shares valuable posts and writings about Cybersecurity on her website and on social media platforms.
34,000+ professionals follow her on Facebook for the quality of her posts.
If you have not yet come across her work of sharing quality information about Cybersecurity, you can follow her on Facebook: Cybersecurity PRISM