Protected Health Information


Definition/Introduction

According to the Health Insurance Portability and Accountability Act (HIPAA), protected health information (PHI) is any individually identifiable health information that is held or transmitted by a "covered entity" or its business associates and that relates to a patient's past, present, or future health. This data includes demographic information.[1] It covers, but is not limited to, electronic and paper transmission. The term "covered entity" refers to, but is not limited to, health care providers, insurance companies, and hospitals.[2][3] PHI includes demographic identifiers in medical records, such as names, phone numbers, and emails, as well as biometric information such as fingerprints, voiceprints, genetic information, and facial images.[4]

Issues of Concern

It is imperative that protected health information remains confidential because disclosing it to unauthorized recipients, whether intentionally or by accident, can have deleterious consequences for patients. For instance, in correctional facilities, the improper disclosure of protected health information can result in inmates assaulting other inmates whose health conditions carry a significant social stigma. Even upon their release, these individuals can face discriminatory treatment by the general populace that hampers their reintegration into public life. While transmitting PHI generally requires the patient's explicit consent, there are exceptions where it is transmittable without consent. For example, in a correctional facility setting, PHI can be disclosed without consent for payment purposes, for judicial proceedings, or when there is a serious threat to a person's health or well-being that can only be averted through disclosure.[5] Other circumstances in which protected health information is transmittable without consent include public health purposes, such as disease control, child abuse reporting, and scientific research.[1][3]

Clinical Significance

Protected health information is clinically relevant because the circumstances surrounding its disclosure shape the interactions between patients and healthcare providers. For instance, when a patient happens to be a celebrity, health care providers must balance the patient's privacy needs with the public's "right" to know.[1] The increasingly widespread use of new medical technology further complicates interactions between patients and healthcare providers with respect to PHI. For instance, despite the rise of 3D printing in clinical care, there are no legal provisions in HIPAA relating to the potential privacy implications of 3D printing.[6] There are also no HIPAA regulations that adequately cover the transmission of protected health information via text message.[7]

Healthcare providers can take many precautions to ensure that protected health information remains properly protected, which in turn enhances patient care and preserves patient safety, particularly where PHI is stored and transmitted electronically. Some standard procedures include data masking, encryption, and deidentification. Encryption is the equivalent of locking data in a vault and preventing anyone without the necessary digital key or certificate from accessing it. Data masking is the replacement of sensitive data values with altered values that nonetheless preserve the utility of the data set as a reference source. Encryption is more useful when protecting data during transmission, while data masking is most useful when sharing data with an external organization. Deidentification is the systematic removal of eighteen pieces of identifying information, ranging from names and telephone numbers to biometric identifiers like finger and voice prints.[8][9] Internet communications can be secured through protocols like Secure Sockets Layer (SSL) and Transport Layer Security (TLS). Traffic over Wi-Fi hotspots can be protected using virtual private networks (VPN).[10] Maintaining adequate safeguards against the unauthorized dissemination of PHI is of paramount importance, given that the consequences of failing to do so range from financial penalties to imprisonment.[11]
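The distinction between data masking and deidentification described above, shown as an added example (not code from the original article): masking replaces identifiers with consistent keyed pseudonyms so the record still works as a reference, while deidentification removes them outright. It covers only the identifiers the text names (names, phone numbers, emails), and the record fields, the "PT-" token format, and the constructed sample values are assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample record for illustration; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "phone": "555-013-9876",
    "email": "jane.sample@example.org",
    "diagnosis": "Type 2 diabetes mellitus",
    "hba1c": 7.8,
}

# Direct identifiers named in the text; full deidentification covers all eighteen.
IDENTIFIER_FIELDS = ("name", "phone", "email")

# Patterns that catch identifiers leaking through free-text fields before transmission.
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def deidentify(record: dict) -> dict:
    """Deidentification: identifier fields are removed; clinical fields remain."""
    return {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}


def pseudonym(value: str, key: bytes, digits: int = 8) -> str:
    """Keyed token (HMAC-SHA256) for a value: the same input always yields the same
    token, but without the key a guessed name cannot simply be hashed and compared."""
    mac = hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()
    return mac[:digits]


def mask(record: dict, key: bytes) -> dict:
    """Masking: identifiers replaced by pseudonyms that keep the record usable for
    joins and lookups. The key stays with the data owner, never with the recipient."""
    out = dict(record)
    tag = pseudonym(record["name"], key)
    out["name"] = f"PT-{tag}"
    # Derive a same-shape phone number so downstream format checks still pass.
    num = str(int(tag, 16) % 10**10).zfill(10)
    out["phone"] = f"{num[:3]}-{num[3:6]}-{num[6:]}"
    out["email"] = f"pt-{tag}@masked.invalid"
    return out


def find_identifiers(text: str) -> list:
    """Pre-transmission check: return any phone numbers or emails found in free text."""
    return PHONE_RE.findall(text) + EMAIL_RE.findall(text)
```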

Nursing, Allied Health, and Interprofessional Team Interventions

All members of the healthcare team carry the same responsibility when it comes to protecting PHI. This includes clinicians, nurses, pharmacists, therapists, techs, office personnel, and even other staff such as housekeeping and nutrition. That is why training and refresher courses on the topic of PHI are critical to patient privacy so that all members of the team can recognize PHI, know the boundaries involved, and identify, and if necessary, report breaches of patient privacy to the proper authorities.


Details

Author

Sasank Isola

Updated:

1/30/2023 4:26:34 PM

References


[1]

Burkle CM, Cascino GD. Medicine and the media: balancing the public's right to know with the privacy of the patient. Mayo Clinic proceedings. 2011 Dec. [PubMed PMID: 22134938]


[2]

Goldstein MM, Pewen WF. The HIPAA Omnibus Rule: implications for public health policy and practice. Public health reports (Washington, D.C.: 1974). 2013 Nov-Dec. [PubMed PMID: 24179268]


[3]

Colorafi K, Bailey B. It's Time for Innovation in the Health Insurance Portability and Accountability Act (HIPAA). JMIR medical informatics. 2016 Nov 2. [PubMed PMID: 27806923]


[4]

Bowman MA, Maxwell RA. A beginner's guide to avoiding Protected Health Information (PHI) issues in clinical research - With how-to's in REDCap Data Management Software. Journal of biomedical informatics. 2018 Sep. [PubMed PMID: 30017974]


[5]

Goldstein MM. Health information privacy and health information technology in the US correctional setting. American journal of public health. 2014 May. [PubMed PMID: 24625160]


[6]

Feldman H, Kamali P, Lin SJ, Halamka JD. Clinical 3D printing: A protected health information (PHI) and compliance perspective. International journal of medical informatics. 2018 Jul. [PubMed PMID: 29779716]

Level 3 (low-level) evidence

[7]

Drolet BC, Marwaha JS, Hyatt B, Blazar PE, Lifchez SD. Electronic Communication of Protected Health Information: Privacy, Security, and HIPAA Compliance. The Journal of hand surgery. 2017 Jun. [PubMed PMID: 28578767]


[8]

Motiwalla L, Li XB. Developing Privacy Solutions for Sharing and Analyzing Healthcare Data. International journal of business information systems. 2013 Jan 1. [PubMed PMID: 24285983]


[9]

Nettrour JF, Burch MB, Bal BS. Patients, pictures, and privacy: managing clinical photographs in the smartphone era. Arthroplasty today. 2019 Mar. [PubMed PMID: 31020023]


[10]

Filkins BL, Kim JY, Roberts B, Armstrong W, Miller MA, Hultner ML, Castillo AP, Ducom JC, Topol EJ, Steinhubl SR. Privacy and security in the era of digital health: what should translational researchers know and do about it? American journal of translational research. 2016. [PubMed PMID: 27186282]


[11]

Vanderpool D. HIPAA-should I be worried? Innovations in clinical neuroscience. 2012 Nov. [PubMed PMID: 23346520]