What is Protected Health Information (PHI)?

With the sophistication of attacks on the rise and healthcare providers relying increasingly on vulnerable mobile and IoT medical devices, the healthcare industry faces considerable risk, and its providers can be hit with stiff penalties when Protected Health Information (PHI) is compromised.

Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities are required to enact security measures to guarantee the confidentiality, integrity, and availability of PHI. So what is PHI, and what is a covered entity?

What is PHI?

PHI is defined as information which “relates to the past, present, or future physical or mental health or condition of an individual, the provision of healthcare to an individual, or the past, present, or future payment for the provision of health care to an individual.” This definition applies to information that is stored or transmitted in any physical or electronic form by HIPAA-covered entities. PHI does not include health data collected on personal devices unless the applications in use are created for a physician or covered entity.

What is a covered entity?

Any health plan, healthcare clearinghouse, or healthcare provider that stores or transmits health information is a covered entity under HIPAA. This designation extends to business associates as well, which are individuals or firms that provide services on behalf of HIPAA-covered entities involving the use or dissemination of PHI. All covered entities must sign a HIPAA-compliant business associate agreement that outlines HIPAA compliance standards.

Examples of PHI

When used by a HIPAA-covered entity to provide healthcare services or process payments related to those services, the following 18 identifiers are considered PHI:

1. Names (full or last name and initial)
2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. Dates (other than year) directly related to an individual
4. Phone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health insurance beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers (including serial numbers and license plate numbers)
13. Device identifiers and serial numbers
14. Web Uniform Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger, retinal, and voiceprints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

If a health record has all of these identifiers removed, it is no longer considered PHI.

Why do hackers seek PHI?

PHI is highly valuable compared to other types of information often sought by hackers. A 2018 Trustwave report found the average selling price of a health record to be $250.15, while a Social Security Number sold for $0.53. Health records can be exploited by cybercriminals for a longer period of time, as they typically provide multiple pieces of personal information that can be used in a variety of ways—i.e. to file false medical claims or fill fraudulent prescriptions. Unlike stolen credit card information which has a relatively short shelf life, as victims of theft usually cancel stolen cards relatively quickly, it can take longer for a healthcare organization to identify records that have been stolen.

Reducing the likelihood and impact PHI breaches

The HIPAA Security Rule requires covered entities to enact physical, technical, and administrative security measures to ensure the safety of PHI. These measures include HIPAA and general cyber awareness training, encryption and endpoint security controls, and limiting the disclosure of PHI to the minimum necessary to fulfill a particular service or request. While no healthcare organization can entirely negate the risk of incurring a data breach, steps can be taken to reduce the likelihood and impact of adverse events. Automated cybersecurity tools like security ratings help organizations continuously monitor their security posture, improve breach detection time, and engage in more effective remediation activities.

How SecurityScorecard can help

SecurityScorecard helps organizations achieve and maintain automated HIPAA compliance and minimize the risk of adverse findings and penalties. Starting with a score, SecurityScorecard provides an instant view of the security posture of any treatment center, insurance provider, or manufacturer in your ecosystem, and allows you to continuously identify, monitor, and manage third-party risk via integrated workflows. With a comprehensive view of enterprise security posture from a hacker’s perspective, we give you the tools and intelligence you need to protect the cyberhealth of your entire ecosystem.