In one of our previous posts, we referenced the “wall of shame” maintained by the U.S. Dept of Health and Human Services, which lists organizations that reported lost, stolen, or improperly disclosed patient records.
What can you do to protect your organization from inadvertently screwing up like this, and making it onto this lineup?
First, know what is worth protecting. In reference to “wall of shame” avoidance, you need to know what constitutes Protected Health Information, or PHI.
What is PHI?
PHI, as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), means any information recorded in any form/medium (or shared orally) that meets both of the following criteria:
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
  - That identifies the individual; or
  - With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
So, depending upon what service your organization provides, and even possibly where you are located, what you need to protect will vary.
Location, Location, Location
Why would location matter? Take, for example, one of our clients who provides healthcare services to individuals with HIV or AIDS in a dense urban setting where tens of thousands of people live within a single ZIP Code. Inadvertent disclosure of just a five-digit ZIP Code from this dense urban area would not alone constitute a HIPAA breach.
Take a similar provider offering HIV/AIDS services in a sparsely populated, rural region, and all bets are off. A ZIP Code alone might be enough to identify a person.
Not sure what to protect? Contact us.