If you’re a business that handles Protected Health Information (PHI), or expects to in the future, you can’t afford to ignore your data compliance and protection responsibilities. In this article, we break down the essentials of PHI and the role a backup and recovery solution plays in protecting the compliance, integrity, and availability of that data.
What is PHI?
Protected Health Information (PHI) is individually identifiable health information that a covered entity or its business associate creates, receives, maintains, or transmits, relating to a person’s health condition, the care they receive, or payment for that care. PHI is regulated by the Health Insurance Portability and Accountability Act (HIPAA), which was enacted in 1996. The HIPAA Privacy Rule sets standards for how PHI may be collected, used, and shared, and the HIPAA Security Rule requires administrative, physical, and technical safeguards for PHI held in electronic form (ePHI). By mandating PHI protection, HIPAA aims to reduce the risk of inappropriate disclosures that could affect a person’s employability, insurability, and more.
Keep in mind that not all health-related data is PHI. Health information becomes PHI when it is linked to one or more of the 18 identifiers below; conversely, HIPAA’s Safe Harbor method treats a data set as de-identified once all 18 have been removed:
- Names
- Address. This includes any geographic subdivision smaller than a state: street address, city, county, and zip code.
- Dates (other than year) directly related to an individual. This includes birth date, death date, and admission and discharge dates, plus any age over 89.
- Social Security number
- Telephone number
- Fax numbers
- Email address
- Health plan beneficiary number
- Account number
- Medical records number
- Device identifiers and serial numbers
- Certificate or license number. This includes driver’s license numbers.
- Vehicle identifiers, like license plate number or VIN
- Internet Protocol (IP) addresses
- Web URLs
- Full facial photographs and any comparable image
- Biometrics, such as fingerprints and voice prints
- Any other unique identifying number, characteristic, or code
How is PHI used?
Your PHI follows you throughout your life. From the moment you’re born, your PHI is likely entered into an electronic health record that continues to grow as you do. This medical history helps clinicians understand a patient’s background and make individualized treatment decisions.
HIPAA also allows clinical and research scientists to study and forecast health and healthcare trends using de-identified data (once the identifiers above are removed, the data is no longer PHI and falls outside HIPAA’s restrictions). Health data is also used to build value-based care programs that recognize providers delivering superior care.
While PHI is valuable to patients and to the industry, it is also highly valued by cybercriminals. A medical record bundles Social Security numbers, account numbers, and health history that can be sold or used for fraud, and because identifiers like an SSN or a diagnosis cannot be reissued the way a payment card can, the resulting problems are long-lived and easily go unnoticed. Cybercriminals also hit hospitals and healthcare providers with ransomware and hold PHI hostage in exchange for a payoff, disrupting care, record keeping, and the organization as a whole. Organizations handling PHI therefore need to understand these risks and how to mitigate them.
Who needs to be HIPAA compliant?
Entities that must follow HIPAA regulations are called “covered entities.” Covered entities include health care providers, such as doctors, hospitals, clinics, pharmacies, dentists, and nursing homes, along with health plans, like health insurance companies, company health plans, HMOs, and government-paid healthcare programs such as Medicare and Medicaid. Healthcare clearinghouses are also covered entities, since they convert nonstandard health information into standard formats (and vice versa) on behalf of other organizations.
Covered entities aren’t the only organizations required to check the compliance boxes. A covered entity’s business associates, the third-party individuals or companies granted access to PHI to perform a service, must follow HIPAA’s requirements as well and are directly liable for violations. Business associates can include document storage companies, medical billing companies, collection agencies, attorneys, CPA firms, cloud and SaaS providers, and more. Whether you’re a covered entity or a business associate, poor PHI management and protection can put you in the compliance hot seat.
Common PHI data protection requirements
Protecting PHI matters because it preserves the privacy of sensitive data. Companies that fail to protect this type of data face significant non-compliance fines, as well as the inevitable damage to reputation and trust.
Regardless of sector or industry, organizations should examine their SaaS applications, in particular platforms like Salesforce and Microsoft Dynamics 365, to find out what PHI may be stored there. For organizations in the healthcare industry the guidance is explicit: the Security Rule’s contingency plan standard (45 CFR 164.308(a)(7)) requires a data backup plan and a disaster recovery plan, so proper management of ePHI includes having a backup and recovery solution in place.
While specific HIPAA regulations may not apply to every organization, employers who hold health information, such as vaccination status, should examine their data protection policies to ensure they meet the requirements of internal, state, or federal data regulations. Several of those regulations require backups to be:
- Frequent: In most circumstances, a daily backup is satisfactory, but sometimes backups must be scheduled to the hour or minute, depending on the type of record.
- Encrypted: Backed up data should be encrypted at rest and in transmission.
- Secure: Backed up data should be protected by user authentication safeguards, including multi-factor authentication and role-based access controls that partition backup services and restrict who can read or restore them.
- Tested: Once successful backups have been achieved, the restore process must be exercised regularly to confirm the integrity of the restored data and to measure how long a restore actually takes (your real RTO).
- Stored offsite: Backups must be kept in a location separate from production services and, depending on the record type, retained for a defined period, in some cases six years or more.
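One way to turn the five requirements above into a check that can run against a backup manifest, as an added example rather than code from the article or from Own: the policy values (RPO target, restore-drill interval, minimum and maximum retention), the `Snapshot` record, and the manifest itself are all constructed for illustration and are not figures the article states.

```python
"""Backup-policy checks over a constructed snapshot manifest (added example, not Own's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy values are assumptions chosen for this example, not figures from the article.
RPO_TARGET = timedelta(hours=24)            # one successful backup per day
GAP_WINDOW = timedelta(days=30)             # how far back to audit the schedule
RESTORE_TEST_MAX_AGE = timedelta(days=90)   # a restore drill at least quarterly
RETENTION_MIN = timedelta(days=6 * 365)     # six-year minimum for the record type
RETENTION_MAX = timedelta(days=7 * 365)     # hypothetical upper bound from a minimisation policy


@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime
    encrypted_at_rest: bool
    location: str                           # "offsite" or "production"
    last_restore_test: Optional[datetime]   # None if this copy was never restored


def schedule_findings(snaps, now):
    """Frequency checks: is the newest copy within the RPO target, and were any
    runs inside GAP_WINDOW missed (consecutive gap larger than RPO_TARGET)?"""
    findings = []
    ordered = sorted(snaps, key=lambda s: s.taken_at, reverse=True)
    if not ordered:
        return ["no backups at all"]
    if now - ordered[0].taken_at > RPO_TARGET:
        findings.append("newest backup older than RPO target")
    recent = [s for s in ordered if now - s.taken_at <= GAP_WINDOW]
    for newer, older in zip(recent, recent[1:]):
        gap = newer.taken_at - older.taken_at
        if gap > RPO_TARGET:
            findings.append(f"gap of {gap} before {newer.taken_at.isoformat()}")
    return findings


def safeguard_findings(snaps, now):
    """Encryption-at-rest, offsite-storage and restore-test checks."""
    findings = []
    for s in snaps:
        tag = s.taken_at.date().isoformat()
        if not s.encrypted_at_rest:
            findings.append(f"{tag}: not encrypted at rest")
        if s.location != "offsite":
            findings.append(f"{tag}: stored with production ({s.location})")
    tested = [s.last_restore_test for s in snaps if s.last_restore_test]
    if not tested or now - max(tested) > RESTORE_TEST_MAX_AGE:
        findings.append("no restore test within the last 90 days")
    return findings


def retention_decision(snap, now):
    """'keep' inside the minimum window, 'delete' past the maximum,
    'eligible' in between (may be deleted on request, need not be)."""
    age = now - snap.taken_at
    if age < RETENTION_MIN:
        return "keep"
    if age > RETENTION_MAX:
        return "delete"
    return "eligible"


# Constructed manifest for the example, not real backup data.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MANIFEST = [
    Snapshot(NOW - timedelta(hours=6), True, "offsite", NOW - timedelta(days=30)),
    Snapshot(NOW - timedelta(hours=30), True, "offsite", None),
    Snapshot(NOW - timedelta(hours=78), False, "production", None),   # two violations
    Snapshot(NOW - timedelta(days=7 * 365 + 1), True, "offsite", None),  # past max retention
]

if __name__ == "__main__":
    for line in schedule_findings(MANIFEST, NOW) + safeguard_findings(MANIFEST, NOW):
        print("FINDING:", line)
    for s in MANIFEST:
        print(s.taken_at.date(), retention_decision(s, NOW))
```

Against the constructed manifest the schedule check reports the 48-hour gap between the second and third snapshots, the safeguard check flags the unencrypted copy kept alongside production, and the seven-year-old snapshot is marked for deletion while the recent ones stay inside the six-year minimum. In a real deployment the manifest would come from the backup platform’s API or logs, and the findings would feed a ticket or alert rather than stdout.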
How does your backup solution support your compliance efforts?
Data compliance and security are too important to ignore. If your company manages PHI or other types of sensitive and regulated data that must be protected, you must consider a backup and recovery solution...but not just any solution. Here are a few questions to ask yourself when considering your organization’s solution:
- Do you store any PHI data in your SaaS platform?
- What is your necessary recovery time objective (RTO) and recovery point objective (RPO)?
- How frequently do you back up your data?
- If your SaaS provider was down, would you still be able to access your data?
- How frequently do you test your ability to recover data from a backup?
- How do you ensure data is retained within minimal and maximal retention timeframes?
- What regulatory requirements impact your data retention policy?
Depending on how you answer these questions, you may want to consider a third-party backup and recovery solution. At Own (formerly OwnBackup), we’re the #1 SaaS data protection platform and meet all of the requirements of a HIPAA compliant backup and recovery solution. Most importantly, because our cloud application sits outside of the SaaS provider’s, our customers' backup files are always accessible to them even in the event of a SaaS provider outage or other critical event like a data breach.