Information Security Management Handbook, Sixth Edition (2012)
DOMAIN 1: ACCESS CONTROL
Access Control Administration
Chapter 1. What Business Associates Need to Know about Protected Health Information under HIPAA and HITECH
Before launching into a discussion of protected health information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA), it is first important to have a basic understanding of HIPAA, and also why HIPAA even exists. This chapter first provides a high-level description of HIPAA and the subsequent Health Information Technology for Economic and Clinical Health Act (HITECH Act) to provide readers with the necessary background information to help better understand the term PHI. The chapter then describes certain specific types of information considered to be PHI, other situations where other information may be considered to be PHI, and then situations when these same information items do not fall under the definition of PHI. The chapter concludes with a set of recommendations for defining and protecting PHI within covered entities (CEs) and business associates (BAs), as they are defined within HIPAA and the HITECH Act.
In today’s always-online, network-connected world, relying on locked file cabinets, passwords, and encryption alone to protect health information is not realistic. Beyond the technology challenges, the laws that protect patient information are a patchwork that varies widely across a growing number of state, federal, and international laws and regulations. Before the twenty-first century, a patient’s health information could be distributed without notice for almost any reason, including reasons unrelated to healthcare or medical treatment. For example, health information could be passed from an insurer to a lender, who could then deny the individual’s mortgage or loan application. It could even be sent to the individual’s employer, who could consider it when making personnel decisions.
By enacting HIPAA, Congress mandated that organizations must take specific actions to protect individually identifiable health information. HIPAA contains an important section called Administrative Simplification. The provisions of this section are intended to reduce the costs and administrative burdens of healthcare by standardizing many administrative and financial forms and transactions. Administrative Simplification includes the Privacy Rule and Security Rule subsections that mandate standards for safeguarding, physical storage and maintenance, transmission, and access of PHI. The privacy requirements are collectively referred to as the Privacy Rule, and the security, or safeguard, requirements are collectively referred to as the Security Rule.
The Privacy Rule took effect on 14 April 2001 and was modified on 14 August 2002, with compliance required of most health plans, healthcare providers, and healthcare clearinghouses, collectively referred to as CEs, by 14 April 2003. Entities that do not comply with these regulations are subject to severe civil and criminal penalties.
The Privacy Rule has requirements to safeguard PHI by
Giving patients more control over their health information
Setting limitations on the use and release of health records
Establishing safeguards that CEs must implement to protect the privacy of health information
Holding those in noncompliance responsible through civil and criminal penalties for privacy violations
Balancing the public interest in disclosure of some forms of information against the privacy of individual patients
Giving patients the opportunity to make informed choices when seeking care and reimbursement for care based on considering how personal health information can be used
Enabling patients to learn how their information can be used along with the disclosures of their information
Limiting release to only the minimal amount of information needed for required disclosures
Giving patients the right to examine and correct any mistakes in their personal health records
The Security Rule came into effect in 2005 and can be characterized as being many things, including:
A set of information security “best practices” that make good business sense
A minimum security baseline that is intended to help prevent unauthorized use and disclosure of PHI
An outline of what to do to establish a security program
Something that encourages healthcare organizations to embrace e-business and leverage the benefits that an improved technology infrastructure can provide
Standards to reduce the threats, vulnerabilities, and overall risks to PHI along with their associated costs and negative impact on the organization
It is important for CEs and BAs to understand that the Security Rule is not
A set of specific how-to instructions covering exactly how to secure PHI
A set of rules that must be implemented the same way for every organization
New, magical, or all that complicated.
The overall goals of the Security Rule revolve around the confidentiality, integrity, and availability of electronic PHI. These terms are defined as
Confidentiality: The requirement that data stored or transmitted is revealed only to those authorized to see it
Integrity: The requirement that data remains free from unauthorized creation, modification, or deletion
Availability: The requirement that data is available when needed
When the proper policies, procedures, and technologies are in place, PHI can be reasonably protected against known threats and vulnerabilities. This allows entities to protect against unauthorized uses and disclosures of PHI, a primary concern of HIPAA.
The HITECH Act is part of President Obama’s $787 billion stimulus package, known as the American Recovery and Reinvestment Act (ARRA) of 2009, which was signed into law on 17 February 2009. The HITECH Act was designed to help fulfill a promise that President Obama made in a speech on 8 January 2009, at George Mason University:*
To improve the quality of our health care while lowering its costs, we will make the immediate investments necessary to ensure that, within five years, all of America’s medical records are computerized. This will cut waste, eliminate red tape and reduce the need to repeat expensive medical tests…. But it just won’t save billions of dollars and thousands of jobs; it will save lives by reducing the deadly but preventable medical errors that pervade our health-care system.
The HITECH Act adds significant requirements to HIPAA. The bulk of the original Security Rule and Privacy Rule requirements remain valid and must still be followed; ignoring them would be dangerous, not only from a compliance perspective but also from an information security, privacy, and risk management point of view. The HITECH Act did not replace the HIPAA requirements. Generally, it augmented HIPAA and expanded its requirements primarily by
Adding breach response requirements and additional BA contract requirements for the CEs
Greatly expanding the BA responsibilities for safeguarding PHI by requiring the BAs to follow the Security Rule requirements
Giving specific direction on rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals (PHI secured this way is not “unsecured PHI” and so does not trigger breach notification if lost)
Adding breach response requirements, enforced by the FTC, for vendors of personal health records and related entities that are neither CEs nor BAs.
What Is PHI?
When considering PHI, most CEs, and now BAs under the HITECH Act, think of the following 18 specific information items listed in the HIPAA Privacy Rule, because these are the elements that must be removed from a health record for it to be considered “de-identified” under the Safe Harbor method. They include
1. Names
2. Geographic subdivisions smaller than a state
3. Dates (excluding year) directly related to an individual, such as birth, admission, discharge, and death dates, and any age over 89
4. Phone number
5. Fax number
6. E-mail address
7. Social security number
8. Medical records numbers
9. Health plan beneficiary numbers
10. Account numbers
11. License and certificate numbers
12. Vehicle identifiers (such as license plate number)
13. Device identifiers (such as serial numbers)
14. Internet universal resource locators (URLs)
15. Internet Protocol (IP) address
16. Biometric identifiers (such as finger and voice prints)
17. Full-face photographic images (and any comparable images)
18. Other unique identifiers that can be attributed to a specific individual.
On 21 May 2008, the Genetic Information Nondiscrimination Act (GINA) was signed into law. In a related move in 2009, the HHS Office for Civil Rights proposed Privacy Rule modifications that treat genetic information as health information; this chapter counts it as a nineteenth PHI item alongside the 18 above.
Of note is that PHI is, with a few narrow exclusions (such as employment records a CE holds in its role as employer), the “individually identifiable health information” that a CE holds or transmits, which HIPAA defines as follows:
Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:
1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
i. That identifies the individual; or
ii. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Taking the 19 specifically named items into consideration, in addition to the specific definition of individually identifiable health information, it is then important to know
1. The type of entity that created the information
2. If the information can be reasonably linked to a specific individual.
BAs Must Start Doing More
Before the HITECH Act, deciding what counted as PHI was simpler for BAs than it is now. BAs typically relied on their BA agreements to specify which information had to be protected and how. After the HITECH Act came into effect, CEs often updated their BA agreements to state simply that the BA must follow all HIPAA Security Rule and HITECH requirements, frequently adding the Privacy Rule requirements as well, even though the regulations often do not require BAs to follow them. That specific direction was effectively removed, leaving BAs to think for themselves: to understand the HIPAA and HITECH requirements and decide how to change the way they protect the information received from their CE clients.
With literally millions of BA organizations, from one-person shops to organizations with hundreds of thousands of personnel, many and perhaps most of which also do work for clients in other industries that are not CEs, each organization must determine whether the information it handles is PHI, because if it is, all the HIPAA and HITECH Act requirements and standards apply to it. The first step for a BA, then, is to determine which of its information is PHI.
BAs Must Understand PHI
PHI is, in essence, information that originates from CEs and is used to support treatment, payment, or healthcare operations (TPO) related to patient healthcare services. Under HIPAA, organizations defined as “covered entities” and “business associates” must safeguard PHI according to all the HIPAA Security Rule requirements, their BA agreements, and, in some cases, certain Privacy Rule requirements.
Significant numbers of BAs have explicitly stated that they do not consider information that can be found in public locations, online through searches, on social media sites, or countless other locations, to be PHI. More than one BA has stated, “If information is found in the phone book, or can be Googled, then we don’t worry about safeguarding it. Why should we? It’s already out there!” This is a dangerous and incorrect interpretation to make. Various types of PHI are often found in public places, but must still be protected according to the HIPAA safeguards. Let us revisit the list of specific PHI data items and consider which items are often found in public locations:
1. Names: ←OFTEN FOUND IN PUBLIC
2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes: ←OFTEN FOUND IN PUBLIC. The only geographic element a de-identified record may keep is the initial three digits of a zip code, and only if, according to the current publicly available data from the Bureau of the Census:
a. The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
b. The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
4. Phone numbers: ←OFTEN FOUND IN PUBLIC
5. Fax numbers: ←OFTEN FOUND IN PUBLIC
6. E-mail addresses: ←OFTEN FOUND IN PUBLIC
7. Social security numbers: ←ALARMINGLY FOUND MORE OFTEN IN PUBLIC
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers: ←OFTEN FOUND IN PUBLIC
13. Device identifiers and serial numbers
14. Web URLs: ←OFTEN FOUND IN PUBLIC
15. IP address numbers: ←INCREASINGLY FOUND ON PUBLIC SITES
16. Biometric identifiers, including finger and voice prints
17. Full-face photographic images and any comparable images: ←OFTEN FOUND IN PUBLIC
18. Genetic information
19. Any other unique identifying number, characteristic, or code, except as permitted by HIPAA: ←OFTEN FOUND IN PUBLIC
Even though many of these HIPAA PHI items are widely found in public places, each CE, and now each BA under the HITECH Act, must still ensure that all PHI items are safeguarded, used, shared, retained, and otherwise handled according to the HIPAA requirements.
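As an added worked example (not code from the handbook), the following Python applies the Safe Harbor rules listed above to a structured record: it strips the direct identifiers, keeps only the first three zip digits when the Census population test passes, reduces dates to their year, and collapses ages over 89 into a single “90+” category. The field names, the `ZIP3_POPULATION` table (a stand-in for the real Census Bureau data) and the sample record are all constructed for this example. Fields the code does not explicitly recognise are dropped rather than passed through, which is the safer way to honour item 19 (“any other unique identifying number, characteristic, or code”).

```python
from datetime import date

# Record field names below are this example's own schema, not HIPAA terms.
# Items 1-2 and 4-18 of the chapter's list: removed outright.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "precinct", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
    "genetic_data",
}
# Item 3: dates directly related to the individual keep only their year.
DATE_FIELDS = {
    "admission_date": "admission_year",
    "discharge_date": "discharge_year",
    "date_of_death": "year_of_death",
}
# Fields allowed through unchanged. Anything not named anywhere above is
# dropped, which is how item 19 ("any other unique identifier") is handled:
# default-deny rather than trying to recognise every identifier format.
CLINICAL_FIELDS = {"sex", "diagnosis", "procedure"}

# Constructed stand-in for the Census Bureau table the zip-code rule cites:
# population of the area covered by each 3-digit zip prefix.
ZIP3_POPULATION = {"100": 1_500_000, "036": 12_000}


def zip3_or_000(zip_code, population_by_zip3=ZIP3_POPULATION):
    """Item 2: keep the first three digits only if that area has more than
    20,000 people; otherwise (or if the prefix is unknown) emit 000."""
    zip3 = zip_code.strip()[:3]
    return zip3 if population_by_zip3.get(zip3, 0) > 20_000 else "000"


def age_on(birth_date, as_of):
    """Completed years of age on the given date."""
    had_birthday = (as_of.month, as_of.day) >= (birth_date.month, birth_date.day)
    return as_of.year - birth_date.year - (0 if had_birthday else 1)


def safe_harbor(record, as_of, population_by_zip3=ZIP3_POPULATION):
    """Return a new, de-identified record; the input is left untouched."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            out["zip3"] = zip3_or_000(value, population_by_zip3)
        elif field == "birth_date":
            age = age_on(value, as_of)
            if age > 89:
                # Item 3: ages over 89 collapse to "90+", and the birth year
                # is dropped as well because it reveals that age.
                out["age"] = "90+"
            else:
                out["age"] = age
                out["birth_year"] = value.year
        elif field in DATE_FIELDS:
            out[DATE_FIELDS[field]] = value.year
        elif field in CLINICAL_FIELDS:
            out[field] = value
        # any other field falls through and is dropped (item 19)
    return out


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Patient",
    "street": "12 Elm St",
    "city": "Anytown",
    "zip": "03605",
    "ssn": "123-45-6789",
    "mrn": "MRN-0012345",
    "phone": "555-0100",
    "birth_date": date(1920, 3, 15),
    "admission_date": date(2011, 6, 2),
    "discharge_date": date(2011, 6, 9),
    "sex": "F",
    "diagnosis": "I10",
    "implant_serial": "DEV-99871",  # not in any list above: dropped
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE_RECORD, as_of=date(2011, 6, 2)))
```

Running it on the sample record yields only `zip3`, `age`, the two year fields and the two clinical fields; the unknown `implant_serial` disappears because the allow-list never names it. Note that Safe Harbor is only one of the two de-identification methods the Privacy Rule permits, and that a record passing this transform can still be re-identifiable when joined with other data, which is why the rule also requires that the CE have no actual knowledge the remaining information could identify the individual.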
PHI Decision Making
Business leaders need to know whether the information they are responsible for is PHI. They can determine this by examining each business process in their area that involves information processing. Consider the following real-life scenarios, along with the decision-making process for determining whether the information is PHI and must be safeguarded as such.
Using PHI for Marketing Purposes
A CE sends the BA a list of names, addresses, and phone numbers to process. After doing some online research, the BA’s marketing and sales area finds all the names, addresses, and phone numbers of the individuals online. The BA has another client that is not a CE, for whom they do marketing activities. The BA marketing area wants to add the names, addresses, and phone numbers from the CE into their other client’s marketing databases. The marketing manager states that because the information can be found online, it is “fair game” to use. What should a privacy officer or security officer advise the marketing manager?
1. These names, addresses, and phone numbers originated from the CE.
2. These names, addresses, and phone numbers are considered to be PHI and must be safeguarded according to the HIPAA and the HITECH Act.
3. Even if the information is found elsewhere on public sites, it still must be protected according to the BA agreement, the HIPAA and the HITECH requirements.
4. The information cannot be used for marketing purposes unless the individuals have given written authorization, obtained through the CE.
It is worth noting that, in general, personal information found in public locations should not be used for marketing and sales purposes anyway. A common privacy principle is obtaining consent before using personal information in general, and for marketing and sales in particular, no matter where the information may exist publicly.
Sending PHI in Cleartext E-Mail Messages
A large number of BAs, as well as CEs, have expressed the opinion that if a patient or a customer sends them cleartext PHI, then it is permissible to send cleartext PHI to those customers and patients. Similarly, many have indicated that if a customer or a patient says that it is permissible for the CE or BA to send PHI to them without encrypting it, then they can do so without any worries of potential incidents or breaches.
If either of these situations occur within a BA or CE, what should a privacy officer or security officer advise those who communicate with the patients or customers?
1. Sending cleartext PHI within digital communications is a long-known, high-risk activity.
2. Many privacy breaches have occurred because
a. Cleartext e-mail messages containing PHI were accidentally sent to unintended recipients
b. The computers containing the e-mails were stolen
c. A recipient of the e-mail forwarded it to others not authorized to have access to the PHI.
3. Most people with no background or experience in information security may give such permission to share PHI in risky ways simply because they do not know about the associated risks.
4. The Security Rule makes encryption of electronic PHI an “addressable” implementation specification: an entity must implement it where reasonable and appropriate to mitigate identified risk, or document why not and adopt an equivalent alternative. Communicating PHI via e-mail is a well-known, demonstrated risk, and encrypting the data is the appropriate mitigation.
5. The CE entrusted the PHI to the BA to protect according to specific safeguards and as required by the HIPAA and the HITECH Act.
6. The BA must follow these safeguards, regardless of what others, including the associated individual, say can be done.
7. If the CE has not indicated that encryption is required, then the BA must apply their own risk mitigation practices to meet the HIPAA and HITECH requirements.
In general, sending cleartext confidential information, such as PHI, through the Internet using any one of the many available messaging methods is a known and proven high-risk activity. Any type of confidential information, beyond just PHI, should be encrypted within such messages.
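As an added example (not from the handbook), here is a minimal pre-send gate in Python that operationalises the advice above: it scans an outgoing message body for identifier types from the PHI list that have a recognisable shape (SSN, phone, e-mail, record number, date, IP address) and refuses to send in cleartext when any are found. The patterns, the assumed `MRN-` record-number format and the sample messages are constructed for this example, and the `transport_encrypted` flag stands in for whatever the real mail pipeline knows about encryption.

```python
import re

# Free-text patterns for identifier types from the chapter's PHI list that
# have a recognisable shape. The MRN format is this example's assumption;
# real record-number formats vary, and a production scanner would also need
# name and address matching plus the CE's own identifier formats.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "mrn": re.compile(r"\bMRN[- ]?\d{6,}\b", re.IGNORECASE),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def find_phi(text):
    """Map identifier type -> list of matches found in the text."""
    hits = {}
    for kind, pattern in PHI_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[kind] = found
    return hits


def check_outbound(body, transport_encrypted):
    """Decide whether a message may be sent; returns (allowed, reasons).

    The only input that turns a PHI-bearing message into an allowed send is
    encryption. Recipient preference and "the patient sent it in cleartext
    first" are deliberately not parameters: neither changes the obligation.
    """
    hits = find_phi(body)
    if not hits:
        return True, []
    if transport_encrypted:
        return True, [f"{kind} present, sent encrypted" for kind in hits]
    return False, [
        f"cleartext message contains {kind} ({len(matches)} match(es))"
        for kind, matches in hits.items()
    ]


# Constructed sample messages; all identifiers are fictitious.
SAMPLE_MESSAGES = [
    "Reminder: your follow-up is next week. Reply to confirm.",
    "Jane, lab results for MRN-0012345 from 06/02/2011 are attached; "
    "call 555-123-4567 with questions.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        allowed, reasons = check_outbound(msg, transport_encrypted=False)
        print("SEND" if allowed else "BLOCK", reasons)
```

The first sample passes and the second is blocked for the record number, the date and the phone number. Pattern matching of this kind produces false positives (any 10-digit number can look like a phone number) and misses identifiers with no fixed shape, so it belongs in front of a human decision or an encrypt-by-default policy, not as the sole control.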
Posting PHI on Web Sites
Many CEs and BAs have posted photographs or other types of images of the patients on various types of Web sites. Often, they do not post the patient’s face, but such things as x-rays, surgery views, and even tattoos. Their justification is typically that such images (1) are valuable for potential patients or clients, (2) would be educational from a medical point of view, or (3) were just something so sensational that they were compelled to share with the world. What should a privacy officer or security officer advise to those who post patient images, of any type, online?
1. Photographs of a patient are considered to be PHI.
2. Two of the 19 items specified as PHI include “full face photographic images (and any comparable images)” and “other unique identifiers that can be attributed to a specific individual.”
3. Patient images must be safeguarded so that only those who have a business need can access them.
4. Even if the patient’s name is not tagged within the photograph, if it can be linked to the individual, then it cannot be posted online, even if the site claims that it is “private.”
5. Explicit consent must be obtained from individuals before posting images for others to see.
A growing number of social media sites urge people to post videos and photographs and to tag every person in them. This raises many privacy concerns, not only for the organizations doing the posting but also for the people in the images who did not want their names associated with them; some people are even tagged with the wrong names, to the chagrin of those whose names end up on often derogatory images. Policies and procedures need to state clearly what is and is not acceptable when posting images online.
Think about Your Own Situations
The list of scenarios could go on indefinitely. If you are a BA, in what ways does your organization use information that falls within the list of PHI items? Have you determined how your organization uses PHI? Identifying likely scenarios helps organizations create policies and supporting procedures to protect PHI, in addition to supporting HIPAA and HITECH compliance.
Steps for BAs to Take
To help establish appropriate safeguards for the information that originates from CEs, in addition to helping ensure compliance with the HIPAA and the HITECH Act, BAs need to take the following high-level actions to effectively safeguard information, manage risks, and meet compliance.
1. Know the PHI you have: Define “protected health information” as it applies to your organization. Additionally, define the larger set of “personal information” items, taking into account all the types of personal information that are covered by your other applicable information protection legal requirements. Also, consider if information can be linked to a specific individual, even if it is not 1 of the 19 specifically named information items. Establish an inventory of PHI and personal information and maintain it to keep it up to date.
2. Know how PHI is used: Identify who collects, processes, stores, or accesses personal information, in addition to documenting how it is used. Determine who is, or who should be, responsible for these activities.
3. Know where PHI is kept: Identify storage locations, including mobile endpoints and employee-owned storage locations. Also, include third parties that you entrust to store information.
4. Know data retention requirements: Identify, document, and follow data retention requirements as specified by the CEs, as well as within the HIPAA and the HITECH Act. Incorporate these into your inventory information, or use a completely separate system to manage them. Be sure to dispose of data securely and irreversibly.
5. Limit access to PHI: Restrict access to only those who have a business need to access the information for business purposes. Do not give access beyond the purposes for which you collected the information.
6. Implement appropriate safeguards: Perform a risk assessment, and then implement effective safeguards to appropriately mitigate the identified risks, following your policies and procedures. Ensure that personnel understand that, no matter where PHI may be found in public, or what customers or patients tell them to the contrary, they must follow the policies and procedures.
7. Communicate: Be sure you communicate information about PHI policies, procedures, and how to do the associated activities through regular training and ongoing awareness communications. These actions need to be supported with the appropriate technology tools and the appropriate control processes.
* See the full text of the speech at http://www.upi.com/Top_News/2009/01/08/Transcript-of-Obama-speech-on-economy/UPI-61161231435966/.