In the previous blog post, we discussed the types of entities who need protected health information (PHI) to conduct their business or provide their services. Now, let’s discuss what entities or individuals are typically interested in obtaining this PHI.
Who is Interested in Obtaining PHI?
There is no single group of people or type of organization stealing PHI for unlawful purposes. However, by looking at the 18 PHI identifiers listed below, we can see that the type of information collected and protected under HIPAA can be used for many purposes that negatively affect those whose PHI is compromised.
According to HIPAA, the following 18 Identifiers protected under the Privacy Rule permit a Covered Entity or Business Associate to create information that is not individually identifiable by following the de-identification standard and implementation specifications:
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
- a. The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
- b. The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000
- All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Telephone numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Fax numbers
- Device identifiers and serial numbers
- Email addresses
- Web Universal Resource Locators (URLs)
- Social security numbers
- Internet Protocol (IP) addresses
- Medical record numbers
- Biometric identifiers, including finger and voice prints
- Health plan beneficiary numbers
- Full-face photographs and any comparable images
- Account numbers
- Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section [Paragraph (c) is presented below in the section “Re-identification”]
- Certificate/license numbers”
There are endless possibilities with what can be done with this type of sensitive information. For example, two suspects were previously indicted for filing “filing false tax returns with the information of at least 305 victims during tax years 2011 and 2012” that was obtained by the suspects while working at a hospital. Approximately 1,400 individuals had their PHI compromised and nearly $500,000 in false tax returns were filed with the use of this information. The information used to achieve this included names, dates of birth, and Social Security numbers.
Covered Entities and Business Associates need PHI to effectively perform their duties and, unfortunately, the possible unlawful uses for this information seem infinite. This make PHI extremely valuable not only to those that use and disclose it legally, but also to those that have found unlawful ways of monetizing its illegal use.
As a reminder, this is part of a blog series in which I will be addressing several issues regarding healthcare data breaches. Next week, we will discuss what PHI and sensitive data lies outside of the scope of HIPAA/HITECH.
I will continue to post regularly on this topic until the HIMSS16 convention in Las Vegas that begins February 29th. I look forward to continuing to share my thoughts with the healthcare security and privacy community.
If you have any questions regarding the healthcare information requirements or would like a HIPAA or HITECH compliance audit quote, please contact us at firstname.lastname@example.org.
Maria Sanchez is a Privacy and Security Professional at CompliancePoint working with Covered Entities and Business Associates in a variety of industries. She is committed to guiding customers through effective assessments covering the Security, Privacy, and Breach Rules from HIPAA/HITECH. Maria has a B.A. in Political Science and Sociology from Georgia State University and a J.D. from Florida Coastal School of Law. As an attorney, Maria concentrated her studies in international and comparative law. As a Privacy and Security Professional, Maria has earned her Healthcare Information Security and Privacy Practitioner (HCISPP) certification and Certified Information Privacy Professional for the US and Europe (CIPP/US and CIPP/EU) certifications.