Digitally stored medical records are fast and easy to share, but the data is also vulnerable to breaches and misuse. It’s imperative for organizations and individuals that come in contact with Protected Health Information, or PHI, to take strong measures to safeguard it.

PHI refers to sensitive medical data that contains personally identifiable information such as names, addresses, social security numbers, birth dates, health conditions, treatments, and payment information. Covered entities handle PHI on a daily basis, including medical and dental practices, hospitals, nursing homes, pharmacies and health care companies. Additionally, business associates may have access to PHI, including accountants, lawyers, consultants and data processors.

Training covered entities and business associates on how to handle PHI securely and privately is essential to building public trust and positive healthcare outcomes.

Federal and State Laws Regulating PHI

Two laws regulate how PHI is stored, used and transmitted. The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a federal law setting national standards of protection for health information. The Texas Medical Privacy Act, or TMPA, was passed in 2011 to extend HIPAA protections for Texas residents.

HIPAA and TMPA rules apply to covered entities and business associates and define what PHI encompasses, how it should be handled and secured, and what happens when PHI is breached or misused. These protections are known as the privacy, security and breach notification rules:

  • The Privacy Rule sets limits and conditions on how PHI can be used and shared. It gives patients control over their past, present and future health information, including the right to examine and obtain a copy of their health records and to request corrections.
  • The Security Rule establishes minimum-security standards for protecting PHI that is stored or transferred in electronic form. It sets administrative, physical and technical safeguards that covered entities and business associates must put in place and enforce. 
  • The Breach Notification Rule defines the actions to be taken in the event of a security breach or unauthorized disclosure of PHI. If individual privacy is compromised, covered entities are required to notify affected individuals, the US Department of Health & Human Services (HHS) and, in some cases, the media.

3 Steps for Raising PHI Awareness

Complying with HIPAA and TMPA rules starts with an organization’s knowledge of what PHI is and why it’s important. This includes ongoing efforts to raise awareness of PHI and the responsibilities that come with handling it.

  1. Explain What PHI Is
    PHI is electronic, paper or spoken medical information containing personally identifiable information that was created or disclosed to a covered entity or business associate during the course of a health care service. Examples of PHI include an MRI scan, blood test results, information about a prescribed medication and billing information from your doctor.
  1. Communicate the Importance of Keeping PHI Confidential
    Breaches of PHI data can lead to medical identity fraud, cyberbullying and blackmail. HIPAA and TMPA rules for PHI security and privacy are meant to strengthen patient’s trust in disclosing personal health information to doctors and nurses for better health outcomes. Organizations and individuals that fail to comply with HIPAA and TMPA rules are subject to civil and criminal penalties.
  1. Share Steps for Safeguarding PHI
    Most PHI breaches occur because employees unwittingly leak information. To reduce this risk, employees and managers should take steps to safeguard PHI. This includes not sharing patient information with others who shouldn’t have access; shielding work screen data from unauthorized users; closing programs containing sensitive information when not in use; maintaining secure passwords and encrypting data.

Traliant Insight

Everyone handling health information – from doctors and nurses to billing and claims administrators to attorneys – plays an important role in keeping patient medical and personal data secure and private. Regular HIPAA and TMPA training increases awareness about the policies your organization must follow to protect PHI under federal and state laws.