The Health Insurance Portability and Accountability Act (HIPAA) provides national standards to improve efficiency and combat fraud in the medical industry. When it was first signed into law in 1996, the primary intention was to better regulate the health insurance industry.
However, HIPAA also made it possible for the Department of Health and Human Services (HHS) to set standards that protect the privacy of patient health information. In 2000 and 2003, respectively, HHS published the Privacy and Security Rules as HIPAA provisions.
The purpose of amending HIPAA to add the Privacy Rule and Security Rule was to better safeguard an individual’s health information as it is shared between healthcare providers, health plans, and other organizations. Under HIPAA, this information is known as protected health information, or PHI.
Protected health information is a subset of personally identifiable information, or PII. While PHI and PII share common traits, they are not the same. Anything that directly or indirectly relates to an individual and makes it possible to determine their identity is PII.
On its own, PII does not constitute PHI and is not subject to HIPAA regulations. However, PII data that is created, collected, transmitted, or maintained by a covered entity is a different matter.
In this article, we will explore the connection between HIPAA, PII, and PHI, as well as strategies for keeping your organizational data HIPAA-compliant.
How PII impacts HIPAA compliance
Health information is anything that relates to past, present, and future health conditions. This includes both mental and physical health, as well as information related to provision of or payment for healthcare services.
HIPAA restricts the use and disclosure of health information that allows an individual to be identified. There are 18 identifiers HIPAA uses to denote PHI, such as account numbers, medical record numbers, and health insurance beneficiary numbers.
Other personally identifiable information, such as addresses and phone numbers, is not considered PHI on its own. However, once that information is paired with any specific health information, the PII falls under the umbrella of PHI and is protected under HIPAA.
The best way to understand the connection between HIPAA and PII is this: all protected health information contains personally identifiable data, but not all personally identifiable information contains protected health data.
Unauthorized access or misuse of PHI can have severe consequences for affected individuals as well as the organization responsible for protecting the data. Personal medical data is 10–15 times more valuable than credit card data.
This is because a single healthcare record could contain several types of personal information, including date of birth, financial details, address, and more. With all this sensitive information at hand, cybercriminals can commit identity theft, open credit cards in the individual’s name, and launder the PHI before selling it to other businesses.
Cybercriminals can even use PHI to receive medical care under the individual’s name. When this happens, the victim could be faced with medical debt for treatments they did not authorize or receive.
Safeguarding your organizational data
Healthcare-related companies must meet HIPAA’s requirements for data privacy and security. One component of this is data classification, which separates data by its type, sensitivity, and the risks associated with its compromise.
Both PHI and PII fall under the classification of restricted data. This means the information is highly sensitive and should be prioritized when developing data security controls. For example, organizations often encrypt their most sensitive data classifications to ensure that information is unusable to anyone without the correct encryption key.
Without adequate measures in place to protect PHI in datasets, a data breach could have consequences beyond the breach itself. Unencrypted PHI that is compromised in a breach must be reported to the affected individuals under HIPAA’s Breach Notification Rule.
Had the data been encrypted, the breach notification requirement would not apply. This is because HIPAA does not consider breaches of encrypted PHI to be reportable security incidents (except for circumstances where the key is also compromised).
To better understand why data breaches that expose PII are particularly damaging for healthcare organizations, consider these recent events:
SuperCare Health, a respiratory care provider, suffered a data breach in July 2021 that affected more than 318,000 individuals’ PII. According to a proposed class action lawsuit, the hacking incident occurred because the company failed to implement reasonable security measures.
Specifically, the complaint alleges that the PHI and PII in the compromised files were not encrypted.
In February 2022, a debt collections agency experienced a ransomware attack that exposed more than 2 million patients’ data. Several class action lawsuits have already been filed against the company. The documents allege that Professional Finance Company (PFC) failed to properly secure its data. It is still not clear how many records were compromised in the attack, but it impacted 657 HIPAA-covered entities.
How WinZip Enterprise helps protect PII
In our current digital landscape where cybercriminals can breach 93% of company networks, safeguards such as data encryption are more important than ever. However, most companies are only encrypting data when it is at rest, leaving in-transit files vulnerable to interception.
WinZip® Enterprise is a powerful, customizable solution that offers simplified, file-level encryption wherever your files are. It encrypts files with AES encryption, ensuring that PII and PHI data is protected whether it is at rest or in transit. With centralized IT controls, you can customize your file sharing, backups, and security policies to fit your needs.
Discover how WinZip Enterprise helps organizations protect PII and stay HIPAA-compliant.