August 24, 2021
As of September 23rd, 2013, it’s not just healthcare providers and health plans that are legally responsiblefor Protected Health Information (PHI), electronic Protected Health Information (ePHI) and Personally Identifying Information (PII) associated with health data.
Any person or entity that accesses or processes documents that contain PHI, ePHI or related PII is subject to the same compliance requirements (and penalties) as any hospital, pharmacy, doctor, clinic, lab, or insurance company. This makes it extremely important for entities that access or process PHI or ePHI to consider the legal requirements associated with handling PHI.
Simply having access to PHI or ePHI means your organization must follow strict procedures to protect that information. This opens up a wide variety of organizations—from software providers and data storage companies to schools, contractors, public agencies, clinics, transit autorites, lawyers, accountant and HR—to the requirements (and risks) of managing physical and electronic information according to the rules of HIPAA.
To help you understand and appreciate the scope of managing PHI and/or ePHI and what it means to your organization, here’s what you need to know.
According to the HIPAA Journal, “PHI is any health information that can be tied to an individual.” This includes information used during the provision of healthcare, payment for healthcare, or for healthcare operations. ePHI is simply PHI stored electronically on a hard drive, server, thumb drive, or other devices.
For example, if an organization administers a health plan for its employees, the HR department must be aware of the legal requirements associated with managing employee health information. That information is subject to the rules of HIPAA regardless of where or how it is stored.
Since 2003, the Office for Civil Rights (OCR), within the U.S. Department of Health and Human Services, has imposed civil monetary penalties in the amount of $99,581,582 and referred 727 cases of HIPAA violations to the Department of Justice for criminal investigation. Needless to say, HIPAA violations are serious offenses and present a significant financial risk—in both direct and indirect cost exposure—to any organization that manages PHI.
The criminal penalties for HIPAA violations include:
As referenced earlier, PHI is where specific health information (medical condition, treatment plans, prescriptions, etc.) is connected to any Personally Identifiable Information (PII). But while names, addresses, emails, and facial photos obviously qualify as a component of PHI, it’s not always obvious which documents contain PHI and which don’t. Financial account numbers, license numbers, IP addresses, and any date that includes more information than just a year can all qualify as the identifiable component of PHI.
Deciding on a case-by-case basis what’s PHI and what’s not requires both HIPAA expertise and significant man-hours. Depending on the size of the organization and the extent of data management, a HIPAA risk analysis and PHI inventory can cost upwards of $100,000.
Even once PHI is identified, you’ll need to make an ongoing commitment of resources, such as secure spaces, employee training, and updated policies, to ensure PHI is managed correctly.
Due to strict rules about how physical documents containing PHI must be stored, HIPAA compliant document management becomes even more difficult when you must manage hard copies containing PHI. Extensive security is required for physical documents, including 24/7 video surveillance and a secure room for storage.
For example, to establish a HIPAA compliant document conversion center, ARC designated secure sites with physical access controls, video surveillance, environmental controls, and a secure vault. Among other new procedures and policies, ARC also instituted new privacy and security standards for employees and updated IT policies.
Any organization that needs to store physical copies of PHI will need to institute similar policies and infrastructure. However, by converting all or most of your PHI to ePHI, you can avoid the added expense and headache of managing hard copies containing PHI.
In addition to avoiding the expense of managing physical PHI, converting to ePHI makes it easier to avoid incidents that can result in significant fines for noncompliance. With a strong cybersecurity framework, which is far less expensive than physical security, you’ll enjoy the following benefits of moving PHI to ePHI:
If you decide to keep PHI in hard copy form rather than digital, you take on unneeded risk. Hard copies are vulnerable to water or fire damage, theft, or loss where digital copies can be stored on secure servers.
As you can see, there is no shortcut to managing PHI in a way that keeps your organization in compliance with HIPAA. Converting PHI to ePHI will help, but only if you have the resources to do it correctly. Otherwise, you might just be opening yourself up to more liability.
Fortunately, companies like ARC can make the process a whole lot simpler. Because ARC has gone through the process of creating a HIPAA compliant digital and physical infrastructure, our customers can maintain HIPAA compliance while converting PHI to ePHI, managing ePHI, or all of the above.
For more information about ARC and to learn more about how you can make managing PHI easier and more cost-efficient, sign up for the upcoming webinar: Identifying and Managing HIPAA Documents in a Non-Medical Environment.