How to resolve PII & PHI issues when you distribute reports

Posted by on | Featured

Post header image: a middle-age white male typing on a calculator and writing on paper with his other hand
When you’re reviewing important reports, keeping the information in them 100 percent secure might not be at the top of your list.

That’s not to say client or patient privacy isn’t important to you. Of course it is.

But on a day-to-day basis, most of your attention is on completing your task with the report. Then, you’ll either cue the next person in your workflow, store the report, or destroy the report.

Maybe you’re handling:

  • Purchase orders
  • Contracts
  • Invoices
  • Annual reports
  • Earnings reports
  • Vouchers
  • Explanations of payment (EOPs)
  • Explanations of benefits (EOBs)

All of these can have any number of identifiers that qualify as personally identifiable information (PII) or protected health information (PHI).

Keep reading to learn about 4 ways you can safeguard PII and PHI in your report and document management processes. 

1. Know when you’re handling PII and PHI

In the reports you handle regularly, can you identify exactly which information is PII or PHI?

If you don’t even know what or where it is, you won’t do a very good job at protecting it.

PII like name, email, phone number, and address are considered public. While you shouldn’t share this information with everyone including your grandma, you don’t need to safeguard it as closely as more sensitive PII.

Examples of sensitive PII: 1. Stand-alone identifiers that are sensitive include social security numbers, driver’s license or state ID numbers, passport numbers, and credit card numbers. 2. Identifiers that are sensitive when they’re paired with another identifier include citizenship or immigration status, sexual orientation, account passwords, and the last 4 digits of social security numbers.

Information considered PHI is a little more broad.

Examples include:

1. Names 2. Geographic subdivisions smaller than state--except for the first 3 digits of zip codes, given 1. The combined population for zip codes with the same first 3 digits over 20,000 AND 2. The first 3 digits of zip codes with combined populations under 20,000 is replaced with 000--until the 2010 census data is released, these 17 restricted zip codes are: 036, 059, 063, 102, 203, 556, 692, 790, 821, 823, 830, 831, 878, 879, 884, 890, and 893 3. Dates directly related to the individual (e.g., birthday, death date, or admission date) 4. Telephone numbers 5. Fax numbers 6. Email addresses 7. Social security numbers 8. Medical record numbers 9. Health plan beneficiary numbers 10. Account numbers 11. Certificate/license numbers 12. Vehicle identifiers and serial numbers 13. Device identifiers and serial numbers 14. URLs 15. IP addresses 16. Biometric identifiers 17. Full-face photos and comparable images 18. Any other unique identifying number, characteristic, or code

The first step to protecting PII and PHI is knowing where you have it.

2. Address security threats you didn’t realize existed

Moving past environmental hazards and natural disasters, there are many ways PII and PHI could be unnecessarily exposed in your day-to-day routine.

Remember, many of the guidelines for protecting PII and PHI are intentionally vague. The biggest guideline is this: You need to do everything reasonable and appropriate to keep PII and PHI safe.

Regardless of whether the wrong people who see PII and PHI use it for ill, it’s still considered a breach because there is a potential that it could be used for ill.

In your office alone, 6 of the biggest threats to PII and PHI are:

  • Prying eyes
  • Abandoned computers
  • Unattended printers
  • Unprotected attachments
  • Unlocked filing cabinets
  • Poor disposal

For a more in-depth analysis of each of these threats, check out our blog post about 6 of the biggest internal security threats in your report management process—and how you can solve them quickly.

You need to do everything reasonable and appropriate to keep PII and PHI safe.

3. Redact unnecessary PII and PHI

Removing PII and PHI from reports could be the solution you’re looking for.

Here are a few scenarios where redaction could save the day:

  • You can’t give every employee a privacy screen and private office to protect PII and PHI from prying eyes. Before employees view any reports, assess which—if any—PII and PHI needs to remain for them to complete their tasks efficiently and accurately. Redact the information they don’t need to see and you’ll also prevent others from seeing it secondhand.
  • To verify they’ve received the right invoice, your patients’  invoices display their Social Security number, birthday, and account number. Employees who format and verify the invoices before sending them to patients only need to see the account numbers. You can reduce unnecessary exposure to PHI by temporarily redacting patients’ SSNs and birthdays.

The key to redaction is determining exactly which information is necessary and which information is excess. On first glance, it might seem like employees need to see certain PII and PHI. But maybe that’s just because that’s how they’ve always done it.

More than likely, there will be a learning curve when you start redacting information. It can be disorienting to see black boxes where normal text used to be. But the added security you get is absolutely worth it.

If you want concrete tips on redacting sensitive information like PII and PHI, check out our blog post that outlines what redaction is, why you need it, and how to start it.

The key to redaction is determining exactly which PII and PHI is necessary and which is excess.

4. Change how you distribute reports

Okay, so you . . .

  1. Know what PII and PHI you handle
  2. Resolved internal security threats like prying eyes
  3. Redacted as much data as possible

But you might still be risking private client information.

If your distribution process itself is flawed, no amount of awareness, safeguarding, and redaction will solve the issue.

We’ve talked before about how unreliable mail and email are for document management and distribution.

Once you realize that your report management pipeline itself is putting PII and PHI at risk, you’ll want to find a better way to share documents with clients and other employees.

Instead of trying to fix a flawed system, replace it. Mail and email might never be entirely secure when it comes to safeguarding client PII and PHI. Automating document distribution and management removes the human factor and resolves the biggest security risks native to mail and email.

Mail and email have native security risks that endanger PII and PHI.

 

Next steps

Here’s what we’ve learned about resolving PII and PHI issues when you manage reports:

  1. Know what PII and PHI are in your reports and documents
  2. Resolve everyday internal security threats
  3. Redact as much data as possible for each person viewing a report
  4. Change how you distribute reports

If you’re tired of second-guessing your attempts to protect PII and PHI, check out our free guide on 8 of the best benefits of automating report management.

And don’t forget, you can always use the form in the top right to contact us with any questions you have. We’re happy to help, and we love chatting with people like you!

Comments are closed.