
What Is Considered HIPAA Data?

Knowing What Counts As HIPAA Data Can Save Your Business

Whenever you're working with HIPAA-protected information, one of the first things to determine is what actually counts as protected health information (PHI) or electronic protected health information (ePHI). In other words, you have to know what you’re protecting before you can protect it. 

What you need to secure isn’t always as obvious as it might seem, which causes some covered entities to become lax with the patient data they’ve been entrusted with. This can lead to dire consequences, including substantial fines and loss of public trust. Because HIPAA rules can be difficult to interpret, it’s vital to prove you’re protecting any data that could be considered ePHI. 

Staying HIPAA Compliant

What is ePHI data?

In this article we’ll be discussing ePHI, since protecting electronic data is the most common concern that doctors’ offices have. Most healthcare locations are accustomed to locking the records room to protect patient files; protecting electronic data is a much newer endeavor for many of them.

What counts as HIPAA-covered data can be surprisingly difficult to determine. Some data elements are obvious: patient name, medical stats, diagnosis, and account numbers. Other data you should protect isn’t so obvious: email addresses, emergency contacts, and dates of service.

At first glance, protecting some of this data might not seem like such a big deal. Everyone goes to the dentist, so what’s to hide? The rule is applied as a blanket because it protects people who might not want their association with less obvious ailments to be public. Common examples of specialized clinics that patients may not want to be associated with include digestive health, hair growth, plastic surgery, or prenatal care.

In fact, revealing that a person is a patient at all can lead to problems. While it’s an extreme example, an Alabama dentist running for public office gave his entire patient list to a marketing firm so that he could directly target patients. While he thought it was a good idea—since he already had a relationship with his patients—he ended up having to pay $62,500 to the Office of Civil Rights (OCR), which is the division of Health and Human Services that investigates HIPAA violations. The dentist might not have thought he was violating HIPAA terms, but what he didn’t know did hurt his business.


Don't Ignore Possible HIPAA Data

Beware the Gray Areas


In general, it’s always better to be safe than sorry and lock up any information you believe could be considered PHI data. In other words, if it can identify a patient in any way—including something as seemingly innocuous as collecting a license plate number during parking validation—it must be encrypted both in transit and at rest.

Clarity always recommends working with a lawyer who has experience in the HIPAA realm. They can help you navigate the ever-changing guidelines associated with HIPAA, and they will also help interpret related state laws that were inspired by HIPAA. Patients cannot sue you for HIPAA violations, but they might be able to if a state law accompanies it.

Once you determine what data is considered ePHI, we recommend finding a technical partner that has considerable experience working on HIPAA sites. A lawyer can tell you exactly what to protect, but not how. When it comes to gray areas, HIPAA-compliant hosting is an excellent option for tokenized information. It is better to have the data protected and take a few extra seconds to process it than to have ePHI sitting unsecured on computers.

Keep ePHI In One Place

Limit HIPAA Data Dissemination

Having HIPAA data is something of a Catch-22. It’s most in danger when in transit, but the “P” in HIPAA represents “portability.” This information belongs to the patient, and the patient often wants you to move this information to other healthcare providers for them. 

This is a situation where the digital team you work with needs to be experienced so that they address all of the places where HIPAA data can be exposed. For instance, a healthcare provider may get in trouble if they send too much information via email or text. Instead of sending the information directly, it’s much better that the patient is guided to a HIPAA-compliant portal that requires a password to access. In this way, the HIPAA-covered information is kept behind a locked door so that only the patient themselves can get the message.

Two-factor authentication is one of the first steps that can keep patient data safe. It can also be implemented within the healthcare facility to make sure that only people with permission can access certain records.

HIPAA Violations Can Ruin a Business

Be Aware of the Consequences 

A patient can file a complaint against a healthcare provider with a single Google search and a few clicks. That’s the most likely way the OCR will find out about any HIPAA violations. Companies have been fined millions of dollars for violations, with smaller companies averaging tens of thousands of dollars. 

Just as bad is that the OCR will reveal a company’s violations on its website, a “wall of shame” that keeps track of offenders. With the OCR’s web presence, these violations can make their way to the top of Google searches and change a potential patient’s view of the business. This comes after a covered entity has already damaged its reputation with its existing customers. HIPAA violations of the past affect your present and your future. 

HIPAA Compliance and Vigilance

Do as Much as You Can

Hackers have proven time and again that they can break into some of the most secure information storage areas on Earth, so it’s possible your data will be compromised even if you do everything you can to protect it on your portal or HIPAA-compliant website.

It’s important to remember that the OCR isn’t going out and testing sites for compliance. But when something does happen, they want to see whether or not the covered entity (CE) took reasonable steps to protect the data before something happened to it. If you—and the company you signed a BAA (business associate agreement) with to protect the data—can prove that you took reasonable steps, then it’s unlikely that you’ll suffer much in the way of consequences.

First, though, you have to take those reasonable steps. 

Working With HIPAA Compliance Experts

Let’s Get Started 

Get in touch with HIPAA experts today.
