Improving HIPAA Compliance: Understanding PHI with Cloud Data Storage
PHI stands for protected health information. Discover how to safeguard PHI and comply with the Health Insurance Portability and Accountability Act.
Central Data Storage
All organizations covered under the Health Insurance Portability and Accountability Act (HIPAA) are mandated to safeguard PHI. As such, in order to remain HIPAA compliant, healthcare organizations need to know precisely what is considered PHI and how to keep it secure in cloud data storage.
What is PHI?
PHI stands for protected health information. In simple terms, PHI refers to any piece of information that a healthcare provider stores in patient medical records that can be used to personally identify an individual.
What Is PHI Under HIPAA?
Any individually identifiable health information that is used, stored, or transmitted by a HIPAA covered entity is considered PHI under HIPAA.
This includes any information that relates to the provision of healthcare or payment for healthcare services – such as health records, health histories, test results and billing information.
To be clear, a HIPAA covered entity is any healthcare provider, health plan, health insurer, or healthcare clearinghouse. In addition, any business associate of a HIPAA covered entity that uses, stores, maintains or transmits health information or PHI on behalf of the covered entity is also mandated to safeguard that information under HIPAA Rules.
To ensure HIPAA compliance, business associates must sign a business associate agreement (BAA) with the healthcare provider, which stipulates who is responsible for safeguarding PHI in line with the HIPAA Security Rule and the HIPAA Privacy Rule.
The most common examples of individual identifiers include:
Address (anything smaller than a State, such as street address, city, county, or zip code)
Dates (excluding years) that are directly related to an individual, including date of birth, date of death and date of admission or discharge
Telephone and fax numbers
Social Security number
Medical record number
Health plan beneficiary number
Vehicle identifiers, such as serial numbers or license plates
Device identifiers or serial numbers
Biometric identifiers such as fingerprints, retinal scans or voice prints
Full face photographs
Any other unique identifying number, characteristic, or code
When health information contains any one or more of these identifiers, that information becomes PHI – and must be adequately protected through technical, physical and administrative safeguards as stipulated in the HIPAA Security Rule.
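The rule just stated (health information plus at least one identifier equals PHI) is simple enough to turn into an automated classification check, which is how a data-tagging or DLP control would apply it before records leave a system. The following is an added example, not code from Central Data Storage or from the page; the field names, the free-text scan patterns and the sample records are all constructed for illustration. It covers the two edge cases the list calls out: a bare year is not an identifier, and a state-level address is not an identifier, while anything more precise is.

```python
"""Classify a record as PHI based on the identifier list above.

Added example: field names, regexes and sample records are assumptions,
not a schema or rule set from the original article.
"""
import re

YEAR_ONLY = re.compile(r"^\d{4}$")                # a bare year is not an identifier
SSN_IN_TEXT = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # SSN-like token in free text
FULL_DATE_IN_TEXT = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")

# Assumed field names. "state" is deliberately absent: a state alone is allowed.
ADDRESS_FIELDS = ("street", "city", "county", "zip")
DATE_FIELDS = ("date_of_birth", "date_of_death", "admission_date", "discharge_date")
DIRECT_IDENTIFIERS = {
    "phone": "telephone/fax number",
    "fax": "telephone/fax number",
    "ssn": "social security number",
    "mrn": "medical record number",
    "beneficiary_id": "health plan beneficiary number",
    "license_plate": "vehicle identifier",
    "device_serial": "device identifier",
    "fingerprint_template": "biometric identifier",
    "face_photo": "full face photograph",
}
# Fields that make a record "health information" at all (assumed names).
HEALTH_FIELDS = ("diagnosis", "test_result", "treatment", "billing_amount")


def find_identifiers(record):
    """Return the sorted list of identifier categories present in the record."""
    found = set()
    # Address: anything below state level (street, city, county, zip) counts.
    if any(record.get(k) for k in ADDRESS_FIELDS):
        found.add("address below state level")
    # Dates tied to the individual: only a bare year is exempt.
    for k in DATE_FIELDS:
        value = record.get(k)
        if value and not YEAR_ONLY.fullmatch(str(value)):
            found.add("date (more precise than year)")
    # Direct identifiers are flagged simply by being populated.
    for k, label in DIRECT_IDENTIFIERS.items():
        if record.get(k):
            found.add(label)
    # Catch-all from the list: any other field tagged as a unique code.
    for k, value in record.items():
        if k.endswith("_unique_code") and value:
            found.add("other unique identifying code")
    # Identifiers often leak into unstructured notes; scan them too.
    notes = str(record.get("notes", ""))
    if SSN_IN_TEXT.search(notes):
        found.add("social security number")
    if FULL_DATE_IN_TEXT.search(notes):
        found.add("date (more precise than year)")
    return sorted(found)


def classify(record):
    """Return (classification, identifiers) for one record."""
    identifiers = find_identifiers(record)
    has_health_info = any(record.get(k) for k in HEALTH_FIELDS)
    if not has_health_info:
        return "not health information", identifiers
    if identifiers:
        return "PHI", identifiers
    return "de-identified health information", identifiers


# Constructed sample records for demonstration.
RECORDS = {
    "ehr_row": {"date_of_birth": "1984-03-12", "state": "TX",
                "diagnosis": "J45.20", "mrn": "MRN-000123"},
    "research_extract": {"date_of_birth": "1984", "state": "TX",
                         "diagnosis": "J45.20"},
    "vendor_contact": {"phone": "555-0100", "city": "Austin"},
    "free_text_note": {"diagnosis": "J45.20",
                       "notes": "Patient SSN 123-45-6789 on file"},
}

if __name__ == "__main__":
    for name, record in RECORDS.items():
        label, ids = classify(record)
        print(f"{name:17s} -> {label}; identifiers: {ids or 'none'}")
```

Structured-field checks catch the obvious cases, but the free-text scan is the part that usually matters in practice: a record stripped of its identifier columns can still become PHI because a clinician typed a date of birth or an SSN into a notes field, which is why the research extract passes and the note-bearing record does not.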
Electronic Protected Health Information (ePHI)
Importantly, HIPAA Rules apply to both paper and electronic health information.
When PHI is created, used, shared or stored electronically – such as in an electronic health record (EHR) – it is known as electronic protected health information or ePHI.
Both the Privacy Rule (which limits uses and disclosures of PHI) and the Security Rule (which addresses the technical, physical and administrative safeguards healthcare organizations must have in place) apply to PHI and ePHI in equal measure.
ePHI and Cloud Storage
Today, nearly all HIPAA covered entities deal with ePHI.
As such, in order to comply with the Security Rule and avoid HIPAA violations, HIPAA covered entities must, according to the legislation, “Establish and implement procedures to create and maintain retrievable exact copies of electronic Protected Health Information.”
In addition, healthcare organizations must establish a data disaster recovery plan to “restore any loss of data in the event of a cyberattack, system outage, or damage to computers/servers where ePHI is stored.”
Healthcare providers essentially have two options in this regard – implement and maintain their own data backup and recovery storage facility (an expensive, complex and time-consuming affair), or utilize the professional services of a cloud storage provider (by far the most reliable and cost-effective option).
When selecting a backup and recovery provider, however, it’s important to remember that not all cloud storage solutions are created equally.
Different providers offer different levels of support and service.
Some simply provide a software solution, rather than a full service to help you meet your HIPAA requirements.
Many popular data storage services – including Dropbox, Amazon Web Services (AWS) and Google – do not provide out-of-the-box HIPAA compliant cloud storage by design.
It is possible to use these solutions to store ePHI in a HIPAA compliant way – however, it is down to you to configure the respective systems yourself to ensure you meet the requirements of the legislation.
Other services, including WeTransfer and Apple iCloud, will not sign a BAA with HIPAA covered entities and so must be avoided altogether.
The best solution, therefore, is to work with a HIPAA compliant backup and data recovery specialist – one that provides not only software, but a full-service including data storage support and ongoing guidance for best practices regarding ePHI protection and HIPAA compliance.
Secure Cloud Data Storage with UnisonBDR
With UnisonBDR, not only are you using a cloud backup and recovery solution amongst the most secure in the industry, but you will also work hand in hand with friendly experts who make it their business to ensure your ePHI is always protected and recoverable.
Our HIPAA compliant cloud storage specialists at Central Data Storage will help you develop policies, procedures, training programs and disaster recovery plans to make sure your whole business is in full compliance with HIPAA and your ePHI is 100% recoverable in the event of a data disaster.
Our clients put it best:
“We chose to work with Central Data Storage because as a dental clinic we needed to not only ensure our data was backed up and available, but that it was HIPAA-compliant at all times. The Central Data Storage team have been great to work with – very friendly, always on hand to help and clearly experts when it comes to data recovery management. Thank you.”