PHI Tokenization


Protected Health Information

What is PHI?

Protected Health Information (PHI) is a term broadly used to describe various types of information related to healthcare diagnosis, patient records, and payments. What is unique to this data type is that the information is either created or collected by “Covered Entities”, a legal term referring to organizations such as health plans, health care clearinghouses, and health care providers as defined by HIPAA regulations. PHI can also apply to organizations that support Covered Entities. These organizations are contractually obligated through a Business Associate Agreement (BAA). If you are not a Covered Entity and have not signed a BAA, chances are you don’t accept, store, or transmit PHI. However, you may still have Personally Identifiable Information (PII). While similar, the two have different regulatory implications.

What are the compliance obligations?

The Final Rule on Security Standards under the Health Insurance Portability and Accountability Act (HIPAA) defines administrative, physical, and technical processes to protect Electronic PHI (EPHI). While there isn’t any specific guidance on how to protect the information, it does lay out a framework of the various controls that need to be in place in order to safeguard EPHI. For example, one requirement states that the organization is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner. There are many ways an organization can demonstrate adherence to this requirement.

How TokenEx secures PHI

Similar to credit card numbers and PCI requirements, controls concerning EPHI can be addressed strategically by removing the sensitive data. HIPAA has a specific term for this process: deidentification. That process removes any personally identifying characteristics of the data, rendering it anonymized (deidentified) and thereby lifting the protective requirements of EPHI. The challenge with deidentifying the information is similar to the challenges with encryption. An organization that holds the encryption keys, or the means to re-identify the information, cannot claim that the information has been properly deidentified. So, for example, an organization cannot claim “patient code” as a means to deidentify EPHI. TokenEx, however, provides the ability for an organization to ensure proper logical segmentation while maintaining data integrity. With TokenEx’s tokenization service, an organization can demonstrate deidentification of EPHI and that it is properly protected, thus reducing the risk associated with storing the information and minimizing the organization’s regulatory responsibilities for protecting the data.

Examples of PHI Tokenization

Tokenization can be applied to individually identifiable health information, which is a subset of protected health information and includes demographic information collected from individuals. This information can include details such as social security number, patient number, and medical images. It can also include non-health data such as IP addresses and postal codes. In some cases, tokenization can be used to tokenize the entire data set. However, unlike credit card financial information, EPHI is very complex and includes many deviations across disparate systems. A risk assessment must be conducted to ensure proper tokenization of the data for valid deidentification.