Protected Health Information (HIPAA)
Protected Health Information (PHI) under the US Health Insurance Portability and Accountability Act (HIPAA) is any information about health status, provision of health care, or payment for health care that can be linked to an individual. The term is interpreted broadly and covers any part of a patient's medical record or payment history.
To better understand the current state of HIPAA PHI data privacy download our presentation here...
Guiding Principles
- All repositories of PHI need to be located
- Access should be limited to those who absolutely need to know
- Access to PHI should be constantly monitored
- The amount of PHI should be minimized through masking wherever possible.
Key HIPAA Rules
- The Privacy Rule - covered entities must appoint a Privacy Official and have documented PHI procedures
- The Security Rule complements the Privacy Rule with specific administrative, physical and technical safeguards for Electronic Protected Health Information (EPHI).
- Access is limited to those with a need to know; everyone else should have no access to EPHI.
For more details on the challenges with HIPAA data requirements download our presentation here...
How DMsuite™ Approaches the Problem
DMProfiler, a component of DMsuite™, is designed to locate and document all repositories of information in the enterprise, identifying those containing PHI.
DMGenerator masks PHI in every environment whose users lack need-to-know status (for example development, test and analytics copies), so that patient/member data can be shared internally and externally in line with the HIPAA Privacy and Security Rules.
DMCertify periodically evaluates and recertifies de-identified PHI to ensure that production data is not reintroduced into masked databases.
DMMonitor continually assesses PHI access, ensuring that only authorized personnel are accessing PHI.
For more details on how DMsuite addresses HIPAA PHI requirements click here...
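The guiding principles above (minimize PHI through masking) and the DMGenerator/DMCertify steps are described only at a high level. The following is an added worked example, not DMsuite code and not taken from this page, that shows what "mask" and "recertify" mean in practice: direct identifiers are replaced with keyed, deterministic pseudonyms so that rows for the same member still join across masked tables, and a separate certification pass checks a masked copy for production values that have crept back in. The records, field names and the two keys are constructed assumptions; in a real deployment the keys would come from a KMS or HSM and never sit in source.

```python
"""Added example: deterministic PHI masking plus a recertification pass that
detects production PHI reintroduced into a masked copy. Illustrative only,
not DMsuite code. Records, field names and keys are constructed assumptions."""
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample production records (fictitious PHI).
PRODUCTION = [
    {"member_id": "M1001", "name": "Alice Example", "ssn": "123-45-6789",
     "dob": "1971-03-14", "diagnosis": "E11.9"},
    {"member_id": "M1002", "name": "Bob Sample", "ssn": "987-65-4321",
     "dob": "1985-11-02", "diagnosis": "I10"},
    {"member_id": "M1001", "name": "Alice Example", "ssn": "123-45-6789",
     "dob": "1971-03-14", "diagnosis": "Z00.00"},   # second claim, same member
]

PHI_FIELDS = ("name", "ssn", "dob")   # direct identifiers to mask; diagnosis stays for analysis

# Two independent secrets (assumed values; load from a KMS/HSM in practice).
MASK_KEY = b"masking-key-rotate-me"        # drives the pseudonyms
CERT_KEY = b"certification-key-separate"   # drives the leak-detection fingerprints


def _prf(key: bytes, *parts: str) -> bytes:
    """Keyed PRF over labelled parts; the field label prevents cross-field collisions."""
    msg = "\x1f".join(parts).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def mask_value(field: str, value: str) -> str:
    """Deterministic pseudonym for one PHI value: same input, same output."""
    tag = _prf(MASK_KEY, field, value)
    if field == "ssn":
        # Area number 000 is never issued, so the result is visibly synthetic
        # and cannot collide with a real SSN.
        digits = "".join(str(b % 10) for b in tag[:6])
        return f"000-{digits[:2]}-{digits[2:]}"
    if field == "dob":
        # Shift by -365..-1 or +1..+365 days (never 0) so age stays realistic
        # but the stored date is never the real one.
        offset = int.from_bytes(tag[:2], "big") % 730 - 365
        if offset >= 0:
            offset += 1
        return (date.fromisoformat(value) + timedelta(days=offset)).isoformat()
    return f"{field.upper()}_{tag[:6].hex()}"


def mask_record(rec: dict) -> dict:
    return {k: (mask_value(k, v) if k in PHI_FIELDS else v) for k, v in rec.items()}


def mask_dataset(records: list) -> list:
    return [mask_record(r) for r in records]


def production_fingerprints(records: list) -> set:
    """Keyed fingerprints of every production PHI value. The certifier keeps only
    these, never raw PHI, so it can run outside the production boundary."""
    return {_prf(CERT_KEY, f, r[f]) for r in records for f in PHI_FIELDS}


def certify(masked_records: list, fingerprints: set) -> list:
    """Return (row_index, field) for each masked value that is really a
    production value, i.e. PHI reintroduced into the masked copy."""
    findings = []
    for i, rec in enumerate(masked_records):
        for f in PHI_FIELDS:
            if _prf(CERT_KEY, f, rec[f]) in fingerprints:
                findings.append((i, f))
    return findings


if __name__ == "__main__":
    masked = mask_dataset(PRODUCTION)
    fps = production_fingerprints(PRODUCTION)
    print("clean copy findings:", certify(masked, fps))
    # Simulate a refresh that copied one production row in unmasked.
    masked.append(dict(PRODUCTION[1]))
    print("after bad refresh:", certify(masked, fps))
```

Two design points matter here. The masking key and the certification key are separate, so a team that can run recertification cannot reverse or regenerate pseudonyms, and the certifier never has to hold raw PHI. Pseudonyms are keyed rather than plain hashes because an unkeyed SHA-256 of an SSN is trivially reversed by enumerating the roughly one billion possible values.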
Breaches and Complaints
Since HIPAA rules were first implemented, the number of documented complaints has steadily increased. Three of the five most common categories of Privacy Rule complaints received by the Department of Health and Human Services' Office for Civil Rights (OCR) concern how PHI is handled and who can reach it:
- Impermissible uses and disclosures: providing PHI to external partners
- Safeguards: PHI is not protected in computer systems
- Access: PHI is accessible to those without a need to know
Ramifications
In one safeguards case, a flaw in a national HMO's computer system sent explanation of benefits (EOB) information to an unauthorized family member of the patient. The flaw put the PHI of approximately 2,000 families at risk, in violation of the Privacy Rule.
Another instance involving impermissible disclosures and safeguards occurred when a municipal social service agency disclosed protected health information while processing Medicaid applications by sending consolidated data to computer vendors who were not business associates.
Finally, in a very high-loss case, the owner of a Florida claims-handling business was convicted of illegally buying PHI from a clinic employee and then submitting fraudulent claims to collect the resulting payouts. Over 1,100 patient records were compromised, resulting in more than $7 million in fraudulent Medicare claims.
Efficiency in Data Privacy Programs
There are many indicators of an inefficient PHI privacy program. The two most common are inconsistent, incomplete, or overlapping use of resources (people, process, and tools) for data privacy objectives, and the absence of any link between user entitlements and the sensitive data those users can reach. Inefficient programs lack cohesiveness, consistency, and integration, and can be unpredictable, inviting high levels of data privacy risk.
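The missing "link between user entitlements and sensitive data" above, and the access monitoring attributed to DMMonitor earlier, come down to one join: which repositories hold PHI, who has a documented need to know for each, and what the audit log says actually happened. The following added example (not DMsuite code and not from this page) runs that join over a handful of constructed audit lines. The repository inventory, entitlement table, log format and bulk-read threshold are all assumptions for illustration.

```python
"""Added example: tie a PHI repository inventory to user entitlements and review
an access log for PHI reads without need-to-know or in bulk. Illustrative only,
not DMsuite code. Inventory, entitlements, log format and lines are constructed."""
import re

# Assumed output of a profiling step: objects known to contain PHI.
PHI_REPOSITORIES = {"claims_db.members", "claims_db.eob", "ehr.encounters"}

# Assumed entitlements: documented need-to-know per user and object.
ENTITLEMENTS = {
    "jsmith": {"claims_db.members", "claims_db.eob"},   # claims processor
    "nurse01": {"ehr.encounters"},                       # clinical staff
    "analyst7": {"claims_db.eob_masked"},                # masked copy only
}

# Constructed audit lines: timestamp user object action row_count
ACCESS_LOG = """\
2024-05-01T09:02:11Z jsmith claims_db.members SELECT 3
2024-05-01T09:05:40Z analyst7 claims_db.eob_masked SELECT 5000
2024-05-01T09:07:02Z analyst7 claims_db.eob SELECT 5000
2024-05-01T10:15:27Z nurse01 ehr.encounters SELECT 1
2024-05-01T10:16:00Z nurse01 claims_db.members SELECT 1
2024-05-01T23:41:09Z jsmith claims_db.members SELECT 40000
2024-05-01T23:45:00Z svc_backup claims_db.members SELECT 40000
garbage line that does not parse
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_log(text: str) -> list:
    """Parse audit lines into events; malformed lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, obj, action, rows = m.groups()
        events.append({"ts": ts, "user": user, "object": obj,
                       "action": action, "rows": int(rows)})
    return events


def review_access(events: list, phi_repos: set = PHI_REPOSITORIES,
                  entitlements: dict = ENTITLEMENTS,
                  bulk_threshold: int = 10000) -> list:
    """Return (ts, user, object, reason) for each PHI access that is either
    outside the user's entitlements or an entitled but bulk read."""
    findings = []
    for e in events:
        if e["object"] not in phi_repos:
            continue   # masked copies and non-PHI objects are out of scope
        allowed = entitlements.get(e["user"], set())   # unknown user: no entitlements
        if e["object"] not in allowed:
            findings.append((e["ts"], e["user"], e["object"],
                             "no need-to-know entitlement"))
        elif e["rows"] >= bulk_threshold:
            findings.append((e["ts"], e["user"], e["object"],
                             f"bulk read of {e['rows']} rows"))
    return findings


def users_to_review(findings: list) -> list:
    """Distinct users with at least one finding, in first-seen order."""
    seen = []
    for _, user, _, _ in findings:
        if user not in seen:
            seen.append(user)
    return seen


if __name__ == "__main__":
    for f in review_access(parse_log(ACCESS_LOG)):
        print(*f)
```

Note the two different outcomes for analyst7: the 5,000-row read of the masked copy is not reported at all, because the masked object is not in the PHI inventory, while the same read against the unmasked `claims_db.eob` is. That is the practical payoff of keeping the inventory and the entitlements in one place: a masked environment can be opened up widely without growing the population that needs monitoring. The bulk-read rule catches the case the entitlement check cannot, an authorized user pulling far more PHI than the job requires.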
For more details on how Axis can improve your PHI privacy program, download our presentation here...
Contact us today to find out how DMsuite™ can help you with PHI process improvement, and help develop or mature your PHI data security program.