On 5th March 2020, an employee from Ann & Robert H. Lurie Children’s Hospital of Chicago was found to violate the HIPAA Privacy Rule by inappropriately accessing patients’ medical records for 15 months. As a result, the employee was terminated. According to the investigation, the types of information that was compromised were personally identifiable information (PII), which includes names, addresses, dates of birth, diagnoses, medications, appointments, and medical procedures. In April 2020, a nurse at the Hackley Hospital in Muskegon, Michigan, was dismissed for a similar kind of incident.
The HIPAA Privacy Rule was constructed with a set of national standards to ensure that a patient’s privacy and health information are continuously protected. Under this rule, HIPAA-covered entities are required to protect a patient’s personally identifiable information (PII) as protected health information (PHI) while providing a positive patient experience.
Personally Identifiable Information (PII) and Protected Health Information (PHI) – How they differ?
The two terms PII and PHI, commonly used in the healthcare industry are often mistaken as the same thing. Under HIPAA, Protected Health Information (PHI) is referred to as protected data, a concept very similar to Personally Identifiable Information. PHI is any information about the provision of health care, health status, or payment for a service that can be linked to a specific individual. Personally identifiable information (PII), on the other hand, is any sensitive information that can be used to locate, contact, or identify an individual. While both terms have some similarities, PII is specifically focused on whether an individual can be identified with the information.
For example, a patient’s first name cannot be considered as personally identifiable information (PII) if they live in a large city. However, if they live in a small town or city the first name is likely to be considered as PII.
Personally Identifiable Information (PII) under HIPAA
Under the HIPAA law, personally identifiable information (PII) are:
Other identifiers are only considered as PII when combined with more information; because unless the first identifier is unique enough, finding an individual may be difficult without a second or a third identifier. They are first name only, first name initial with last name, place of birth or death, zip codes, and height or weight, and geographic indicators.
Why is it important to safeguard PII?
Good security starts with identifying the personally identifiable information of an individual. The identifiers mentioned above can fall under PHI and as required by the federal law PHI must be protected. Unauthorized access or misuse of this type of information can lead to dire consequences for individuals, as mentioned in the first paragraph, as well as for organizations.
This type of information can be used to commit medical identity theft, and this is a major concern for healthcare providers. Medical identity theft negatively impacts patient’s experiences and hospitals lose millions of dollars from denied claims each year. Although many progressive hospitals use a contactless biometric patient identification platform to prevent medical identity theft, it is still required by the law to provide proper training to employees so they know what information should be protected and how PII should be handled.
Personally identifiable information can be de-identified. This is a process where PII is encrypted or taken out so that the available medical information can be used for research or educational purposes. By stripping all identifiable factors, the remaining information will no longer be considered as PII. By understanding PII better, an organization can better protect a patient’s data and avoid expensive lawsuits.
Streamline your HIPAA compliance management with HIPAAReady
With HIPAAReady, an organization can avoid preventable harm by providing training for all the employees easily. Besides training management, HIPAAReady is HIPAA compliance software where you can perform internal audits, store and maintain documents, keep up-to-date with HIPAA policies, and access all HIPAA related information from a centralized space. With HIPAAReady, an organization will be able to assess what safeguards are needed to be undertaken to ensure HIPAA compliance.