User talk:CelticsFan3/Protected health information

Protected health information (PHI) under the US law is any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a Business Associate of a Covered Entity), and can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient's medical record or payment history.

Instead of being anonymized, PHI is often sought out in datasets for de-identification before researchers share the dataset publicly. Researchers remove individually identifiable PHI from a dataset to preserve privacy for research participants.

United States
Under the US Health Insurance Portability and Accountability Act (HIPAA), PHI that is linked based on the following list of 18 identifiers must be treated with special care:


 * 1) Names
 * 2) All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
 * 3) Dates (other than year) directly related to an individual
 * 4) Phone Numbers
 * 5) Fax numbers
 * 6) Email addresses
 * 7) Social Security numbers
 * 8) Medical record numbers
 * 9) Health insurance beneficiary numbers
 * 10) Account numbers
 * 11) Certificate/license numbers
 * 12) Vehicle identifiers and serial numbers, including license plate numbers;
 * 13) Device identifiers and serial numbers;
 * 14) Web Uniform Resource Locators (URLs)
 * 15) Internet Protocol (IP) address numbers
 * 16) Biometric identifiers, including finger, retinal and voice prints
 * 17) Full face photographic images and any comparable images
 * 18) Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

HIPAA Privacy Rule
The HIPAA Privacy Rule addresses the privacy and security aspects of PHI. There are three main purposes which include:


 * 1. To protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information;


 * 2. To improve the quality of health care in the United States by restoring trust in the health care system among consumers, health care professionals, and the multitude of organizations and individuals committed to the delivery of care; and


 * 3. To improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals.

De-identification versus anonymization
Anonymization is a process in which PHI elements are eliminated or manipulated with the purpose of hindering the possibility of going back to the original data set. This involves removing all identifying data to create unlinkable data. De-identification under the HIPAA Privacy Rule occurs when data has been stripped of common identifiers by two methods:
 * 1. The removal of 18 specific identifiers listed above (Safe Harbor Method)
 * 2. Obtain the expertise of an experienced statistical expert to validate and document the statistical risk of re-identification is very small (Statistical Method).

De-identified data is coded, with a link to the original, fully identified data set kept by an honest broker. Links exist in coded de-identified data making the data considered indirectly identifiable and not anonymized. Coded de-identified data is not protected by the HIPAA Privacy Rule, but is protected under the Common Rule. The purpose of de-identification and anonymization is to use health care data in larger increments, for research purposes. Universities, government agencies, and private health care entities use such data for research, development and marketing purposes.

Covered Entities

In general, US law governing PHI applies to data collected in the course of providing and paying for health care. Privacy and security regulations govern how healthcare professionals, hospitals, health insurers, and other Covered Entities use and protect the data they collect. It is important to understand that the source of the data is as relevant as the data itself when determining if information is PHI under U.S. law. For example, sharing information about someone on the street with an obvious medical condition such as an amputation is not restricted by US law. However, obtaining information about the amputation exclusively from a protected source, such as from an electronic medical record, would breach HIPAA regulations.

Business Associates

Covered Entities often use third parties to provide certain health and business services. If they need to share PHI with those third parties, it is the responsibility of the Covered Entity to put in place a Business Associate Agreement that holds the third party to the same standards of privacy and confidentiality as the Covered Entity.

Common Forms of Cybersecurity Attacks on PHI

 * 1) phishing
 * 2) eavesdropping
 * 3) brute-force attacks
 * 4) selective forwarding
 * 5) sinkhole threats
 * 6) Sybil attacks
 * 7) location threats

Attacks on PHI
In 2017, healthcare compliance analytics platform Protenus stated that 477 healthcare breaches were reported to the US Division of Health and Human Services (HHS). Of these, 407 showed that 5.579 million patient records were affected.

The 2018 Verizon Protected Health Information Data Breach Report (PHIDBR) examined 27 countries and 1368 incidents, detailing that the focus of healthcare breaches was mainly the patients, their identities, health histories, and treatment plans.

Health-related fraud is estimated to cost the US nearly $80 billion annually.

Ethical Concerns
TBD