The Health Insurance Portability and Accountability Act
Compliance Risks for Mishandling Protected Health Information (PHI)
Patients trust healthcare providers to keep sensitive medical data safe from malicious actors. For data discovery, the Health Insurance Portability and Accountability Act (HIPAA) sets the standards for how healthcare providers must handle Protected Health Information (PHI). Failure to adhere to HIPAA’s standards for protecting PHI results in penalties that range from $100 to $50,000 per individual violation. The maximum aggregate penalty per calendar year is limited to $1.5 million.
Health information becomes PHI when it includes one or more of the following identifiers:
General Information: name, email addresses, telephone/fax numbers, geographic information on the patient, dates
Government Identification: Social Security Numbers (SSN), driver’s license numbers, license plate numbers (and/or any other vehicle identifiers or serial numbers)
Digital Footprint: website addresses, electronic device identifiers/serial numbers, IP addresses, photos of the patient (and/or comparable images), and biometric identifiers (e.g., fingerprints, retinal scans, or facial scans)
Insurance and Billing: medical record numbers, account numbers, insurance plan or health plan numbers
More broadly, PHI includes “Any unique identifying number or code”. Given this broad scope, it is important to make sure that the data discovery tooling you deploy in a HIPAA environment can detect every one of these identifier types, not just the obvious ones such as names and SSNs.