Today, providers must be more vigilant than ever in protection of patient information.  HIPAA (The Health Insurance Portability and Accountability Act) prescribed into law the requirements for protection of information. All healthcare providers offer a privacy notice to their patients routinely.  The vigilance extends from the provider to other partners, including billing and accounting firms, consultants, etc.  

PHI is the acronym for Protected Health information or Personal Health information.  Protected health information is defined in 45 CFR 160.103, where ‘CFR’ means ‘Code of Federal Regulations’, and, as defined, is referenced in Section 13400 of Subtitle D (‘Privacy’) of the HITECH Act.

“Protected health information means individually identifiable health information [defined above]:  that is:

(i)    Transmitted by electronic media;

(ii)   Maintained in electronic media; or

(iii)  Transmitted or maintained in any other form or medium

PHI includes the following categories:

• Name
• Telephone Number
• Electronic (email) mail addresses
• Social Security numbers
• Medical Record numbers
• Health Plan Beneficiary numbers
• Account Numbers
• Certificate/License numbers
• Full Face photographic images
• Any other unique identifying number

Could your staff be transmitting PHI without even realizing the implication?  Do you have clinical liaisons facilitating admission or intake referrals and perhaps transmitting information from the hospital via a cell phone or tablet?  Do you routinely transmit census information to a billing company?  Does your admissions/intake department send patient demographics to other providers such as dentist, podiatrist, lab?  IF so, consider how this type of information is transmitted and the best way to do it efficiently and within the HIPAA guidelines.  Do you have a weekend Manager on Duty program?  Is information regarding a patient sent via cell phone text from the MOD to anyone else? Be alert to the potential for a problem here.

What about email?  Traditional email is not secure.  Sending census, admission demographics, insurance information, etc. is not secure when sent by regular email.  Providers who work “in the field” and communicate via a cell phone may not send PHI via a text or unencrypted email.  Secure email is another tool that can be utilized in client communication.  Providers including SNFs, HHA, etc. can send sensitive private information to patients, residents and others using encrypted email.  The recipient may be required to register one time in order to access the information going forward.  Check with your IT company to see how secure encrypted email solutions can work for your organization.

Secure Client Portal

To address concerns about protection of PHI, providers and business working with providers have implemented additional safeguards.  A Client portal allows clients to access PHI and other protected information via a portal offering individual and private access.  It is meant as a true portal, a path to transfer.  In this case, the transfer is of information.  It is not a filing system or a place to leave information indefinitely.

At our consulting firm, we establish a private portal for clients who need a secure method of sending PHI to us.  Often the PHI is contained in information such as census data, admission demographics, insurance eligibility reports, claim data, etc.  The client is provided with a link to their private client portal.  They receive an individual ID and password.  The client can access the portal and then upload any sensitive (PHI) information that they need to share with us.  They send an email letting us know that the information has been placed in the portal.  A member of their designated team will access that information and retrieve it.  Once the information has been retrieved  and saved it should be deleted. This portal is for transference purposes only.  If we need to send sensitive information to the client, we follow the same process.

As part of your overall Compliance program, the review of communications should be included.  This includes use of cell phones, email and other methods of communication by which PHI may be transmitted.  For more information about HIPAA guidelines, visit www.hhs.gov/hipaa.  HIPAA education should be a part of all new employee orientation for any healthcare related provider or organization.  All employees should understand the definition of PHI and how they may transmit PHI in relation to their duties.