In this series, Binary Fountain offers its staff expertise to answer common questions about healthcare reputation management.
In this post, Mark Beckmeyer, Binary Fountain’s Director of IT Security, tackles questions related to PHI Concerns in healthcare reputation management.
What constitutes PHI?
PHI stands for Protected Health Information. In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was signed into law, in large part designed to protect an individual’s health information while still allowing the necessary transparency for optimal care.
PHI comprises two primary data elements, the first of which is a personal identifier. This personal identifier may be a name, social security number, address, phone number, or anything else that falls into one of the 18 identifiers under HIPAA regulations. The other piece of data that makes up PHI can be one of three things: payment (i.e. billing information), treatment (actions performed by medical providers), or operations (the administrative activities that allow a provider to deliver services, such as marketing or legal actions).
At Binary Fountain, we primarily deal with the treatment component (as well as a personal identifier) of PHI when monitoring a provider’s online presence. If a patient entrusts this type of information to a healthcare provider or third party, it is considered PHI. However, if the patient provides the information via a social media post or review, there is no expectation of privacy, and therefore this does not constitute PHI.
What determines whether PHI should be edited vs removed outright?
To comply with HIPAA regulations, a provider might be legally obligated to edit or remove PHI that is posted publicly. But PHI is not the only type of information a provider might want removed from public view for the sake of their online reputation management. Comments containing profanity or a strong tone might be filtered out, as well as comments regarding legal actions.
How much of the responsibility to remove PHI rests on the provider vs the platform it is posted to?
This depends on which entity provided which services that led to the publication of PHI on the platform. A healthcare provider is legally considered a covered entity, while a service provider like Binary Fountain is a business associate. In some cases, the onus might be solely on the covered entity or the associate to remove the information, or it might rest on both entities depending on the services provided. For example, if a business associate distributes and receives survey information on behalf of a healthcare provider, it may be up to said associate to scrub any PHI that gets leaked to the public.
How should providers go about removing PHI?
If a healthcare provider does not have the in-house resources to monitor and act upon PHI, it is beneficial to hire a service provider that can handle the removal of PHI and other aspects of healthcare reputation management. A provider like Binary Fountain uses both automated and manual processes and filters to ensure that processed information is thoroughly scrubbed of PHI, profanity, tone, etc.
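The automated pass mentioned above can be sketched in a few lines. The Python script below is an added example, not Binary Fountain's code (the post does not show any): it applies the definition given earlier, a personal identifier combined with a treatment, payment or operations element, to review text and returns a triage verdict plus a redacted copy. The regular expressions and term lists are constructed assumptions that cover only a handful of the 18 HIPAA identifiers; a real filter would need broader coverage, and the verdict is an input to manual review, not a determination of HIPAA status.

```python
import re
from dataclasses import dataclass, field

# Constructed patterns for a few HIPAA identifier types (SSN, phone, email,
# date, account or record number). Illustrative only; real coverage of the
# 18 identifier categories requires far more than these regexes.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "record_number": re.compile(r"\b(?:MRN|account|acct)\s*#?\s*\d{5,}\b", re.IGNORECASE),
}

# Constructed vocabulary for the second PHI element: treatment, payment or
# operations. A production filter would use a curated clinical/billing lexicon.
CONTENT_TERMS = {
    "treatment": {"diagnosed", "prescribed", "surgery", "biopsy", "chemotherapy", "mri"},
    "payment": {"bill", "billed", "invoice", "copay", "claim", "insurance"},
    "operations": {"lawsuit", "subpoena", "marketing", "audit"},
}


@dataclass
class ScanResult:
    identifiers: dict = field(default_factory=dict)  # identifier type -> matches
    content_types: set = field(default_factory=set)  # treatment / payment / operations
    verdict: str = "clean"
    redacted: str = ""


def scan_review(text):
    """Triage a single public review for possible PHI.

    Verdicts:
      possible_phi     identifier AND treatment/payment/operations content
      identifier_only  identifier present, no health-related content
      content_only     health-related content, no identifier
      clean            neither
    Every non-clean verdict is meant to be routed to a human reviewer.
    """
    result = ScanResult(redacted=text)

    # Pass 1: find identifiers and redact them in the working copy.
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            result.identifiers[kind] = hits
            result.redacted = pattern.sub(f"[{kind.upper()} REDACTED]", result.redacted)

    # Pass 2: look for the second PHI element by simple word matching.
    words = set(re.findall(r"[a-z]+", text.lower()))
    for category, terms in CONTENT_TERMS.items():
        if words & terms:
            result.content_types.add(category)

    if result.identifiers and result.content_types:
        result.verdict = "possible_phi"
    elif result.identifiers:
        result.verdict = "identifier_only"
    elif result.content_types:
        result.verdict = "content_only"
    return result


if __name__ == "__main__":
    # Constructed sample reviews, not real patient data.
    samples = [
        "Dr. Lee did my knee surgery on 3/14/2019 and never called back, my number is (555) 123-4567.",
        "Waited two hours and the staff was rude.",
        "Call me at 555-987-6543",
        "They billed my insurance twice",
    ]
    for s in samples:
        r = scan_review(s)
        print(f"{r.verdict:16} {sorted(r.identifiers)} {sorted(r.content_types)}")
        print(f"{'':16} {r.redacted}")
```

The script redacts identifiers in the copy it returns but keeps the original text untouched, so the manual reviewer can still see what was found; in practice the original would stay in the restricted processing queue and only the redacted text would be released for publication or response.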
Who within an organization has the responsibility to identify PHI and do something about it?
Most healthcare institutions delegate the responsibility to identify PHI to a security officer and a privacy officer. Ideally, a separate individual would fill each role, though both roles may be fulfilled by one person in smaller healthcare centers with fewer resources.
What are the consequences of not handling PHI issues correctly?
There are a number of consequences, both legal and reputation-related, that can result from mishandling PHI. The individual who had his or her PHI leaked must be notified of the breach as soon as possible. For mass breaches, government entities like Health and Human Services (HHS) may have to get involved. The HHS website lists the current ongoing PHI breaches (there are approximately 2,000 open reported cases for public viewing at the moment).
Any covered entity or business associate who ends up on this list may see additional adverse effects on their business and reputation. Patients and physicians may lose trust in a healthcare provider that allowed PHI to enter the public, while providers may not want to associate with a business that leaked PHI or other damaging information. An all-encompassing reputation management strategy is crucial for not only preventing a PHI breach in the first place, but also crafting a proper response to any mistakes on behalf of a healthcare provider.
What are some basic best practices for responding to reviews with PHI?
Patients should be very careful with their PHI and never disclose it publicly or to an entity that lacks the expectation of privacy. However, phishing schemes, a nonchalant attitude, or outright ignorance lead many people to reveal their PHI openly. This information may end up on a website or social media profile attached to a healthcare provider in the form of a review or comment.
If this occurs, the covered entity or business associate tasked with responding to reviews should seek legal counsel to determine whether the comment and their reply constitute PHI or public information. When responding to a patient review or inquiry via a private channel, the entity must ensure that the proper online safeguards are in place, such as encryption. The more precautions in place, the better, both in terms of legal compliance and reputation management.