Due to the complexity of the HIPAA Privacy Rule, it can sometimes be difficult to find an accurate answer to the question of what is defined as PHI under HIPAA. This article explains not only what Protected Health Information (PHI) is, but also why it is important to fully understand the term’s meaning.
Protected Health Information (PHI) is a term frequently used when discussing HIPAA compliance. Yet it appears not everybody understands what is defined as PHI under HIPAA, judging by online sources that confuse PHI with “HIPAA identifiers” – the information that should be removed from a designated record set before any remaining information is considered de-identified.
However, it is important that covered entities, business associates, and workforces in the healthcare and health insurance industries know what is defined as PHI under HIPAA in order to comply with the Privacy Rule standards for permissible uses and disclosures, respond to individuals’ access requests, and notify HHS’ Office for Civil Rights of breaches of unsecured PHI.
What Is Protected Health Information?
To answer the question of what is defined as PHI under HIPAA, it is necessary to work backward through the definitions section of the Administrative Simplification Regulation (§160.103). This is because Protected Health Information is defined in the Regulation as “individually identifiable health information […] transmitted by or maintained in electronic media or any other form or medium.”
So, what is “individually identifiable health information”? Individually identifiable health information is defined in §160.103 as “a subset of health information […] collected from an individual […] that relates to:
- the past, present, or future physical or mental condition of an individual;
- the provision of health care to an individual; or
- the past, present, or future payment for the provision of health care to an individual;
- and THAT identifies the individual or can be used to identify the individual.”
The definition of “health information” in §160.103 is similar to that of individually identifiable health information inasmuch as “health information” relates to the past, present, or future condition of a (non-identified) patient, treatment for the condition, or payment for the treatment. However, health information can be “oral or recorded in any form or medium.” Therefore:
- The diagnosis of “a sprained wrist” is health information.
- “Mr. Doe has a sprained wrist” is individually identifiable health information.
- When the words “Mr. Doe has a sprained wrist” are communicated orally, written down, or (for example) entered into an EHR, the diagnosis becomes Protected Health Information.
Designated Record Sets and PHI under HIPAA
One of the reasons it can sometimes be difficult to find an accurate definition of PHI under HIPAA is that many sources of information fail to mention designated record sets – groups of medical and/or billing records maintained by or on behalf of a covered entity that are used in whole or in part to make decisions about individuals.
At this stage it is important to be aware that an individual patient or plan member can have multiple designated record sets – some of which may only include one item of individually identifiable health information. For example, a photograph of a newborn infant on a pediatrician’s “baby wall” is a single-item designated record set.
When individually identifiable health information is “maintained in electronic media or any other form or medium” in a designated record set by a HIPAA covered entity or business associate, it is automatically PHI. Additionally, every other item of information maintained in the same designated record set assumes the same “protected” status.
In the case of Mr. Doe having a sprained wrist, if his address, phone number, and wife’s name are maintained in the same designated record set, these items of information assume the same protected status as the diagnosis of the injury, even though – taken out of context – the information is not relevant to Mr. Doe’s injury, treatment for the injury, or payment for the treatment.
What Are HIPAA Identifiers?
It was mentioned in the introduction to this article that some online sources confuse the definition of PHI under HIPAA with “HIPAA identifiers”. But what are HIPAA identifiers? These are any items of information that identify an individual, or that can be used to identify an individual, when they are maintained in the same designated record set as the individual’s PHI.
Returning to Mr. Doe, his phone number, address, and wife’s name are HIPAA identifiers for as long as they are maintained in a designated record set pertaining to Mr. Doe. If they are maintained separately from his PHI, they no longer have “protected” status under HIPAA – although other state privacy and security laws may apply.
One of the issues with explaining what is defined as PHI under HIPAA is that many sources believe there are only 18 HIPAA identifiers (as listed in §164.514 of the Privacy Rule). However, it is important to remember that the Privacy Rule was published more than twenty years ago, and since then several more ways in which an individual might be identified have emerged.
For example, when the Privacy Rule was published, social media did not exist. But, if an individual has exercised their right to choose how they would like to be contacted, it is possible that a social media handle could exist within their designated record set. If so, this “identifier” assumes a protected status and should be removed before a designated record set can be considered de-identified.
The Importance of Understanding What is Defined as PHI under HIPAA
It was also mentioned above that it is important covered entities, business associates, and workforces know what is defined as PHI under HIPAA in order to comply with the Privacy Rule standards for permissible uses and disclosures, respond to individuals’ access requests, and notify HHS’ Office for Civil Rights of breaches of unsecured PHI. The reasons why it is important to fully understand the term’s meaning are that:
- By protecting more than the necessary information, organizations can obstruct the flow of information and introduce inefficiencies into operations.
- Not knowing that individuals may have more than one designated record set – or not knowing where the record sets are – can delay responses to access requests.
- Notifying HHS’ Office for Civil Rights of data breaches that do not involve PHI could waste the organization’s time if HHS decides to investigate.
With regard to the final bullet point, the Breach Notification Rule also requires covered entities to notify affected individuals when a breach of unsecured PHI occurs. Notifying an individual when only individually identifiable non-health information has been disclosed could worry them unnecessarily and may damage the organization’s reputation.
There are multiple reasons why organizations subject to the HIPAA Privacy, Security, and Breach Notification Rules should know what is defined as PHI under HIPAA and pass that knowledge on to patients and plan members when required. If you encounter issues understanding what PHI is, applying your knowledge in HIPAA-compliant policies, or conveying your knowledge to members of the workforce, you are advised to seek expert compliance advice.
What is Defined as PHI under HIPAA? FAQs
Is orally communicated health information PHI?
Technically, orally communicated health information is not PHI unless it is recorded; the recording of the communication then becomes PHI. However, oral communications are still governed by the permissible uses and disclosures and the Minimum Necessary standards of the Privacy Rule, and complaints have been made to HHS’ Office for Civil Rights about oral violations of HIPAA.
How many HIPAA identifiers are there now?
The Department of Health & Human Services has not provided any recent guidance relating to HIPAA identifiers. However, other non-health related information that could be maintained in a designated record set might include details of an emotional support animal. If the subject of the record set could be identified by the emotional support animal, this information also assumes protected status.
Why should patients know what is defined as PHI under HIPAA?
It can help to let your patients or plan members know that not every item of information collected by an organization necessarily assumes protected status. For example, a name, address, and telephone number maintained in a directory and separated from any health information are not protected. If this information were disclosed, it would not be a violation of HIPAA.
How can future information about a patient be protected?
“Future” information can relate to (for example) post-operative care plans or the expected long-term deterioration of a condition – information that could be used to commit identity theft and insurance fraud if it were acquired by an unauthorized individual who could monetize it. This is why it has the same protections as past and present information.
Why might protecting more than the necessary information introduce inefficiencies?
Information that does not qualify as PHI may be used by some members of the workforce to fulfil non-healthcare roles (e.g., marketing, transport, admin teams, etc.). However, members of the workforce must be assigned access permissions matching the level of access required to fulfil their roles. You cannot assign top-level access to every member of the workforce.
Therefore, if a member of the marketing team requires access to a patient’s telephone number, but does not have sufficient permissions to access it, they will have to interrupt another member of the workforce with sufficient permissions to obtain the telephone number. The alternative is that the member of the marketing team uses somebody else’s access credentials – which violates the Security Rule.
How is an allowable disclosure of PHI different to an incidental disclosure?
When it comes to treatment, payment, and health care operations, covered entities are permitted to share PHI. An incidental disclosure is a secondary, accidental disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a result of another disclosure permitted under the Privacy Rule.
Can email addresses that do not include a person’s name be considered as identifiers for PHI purposes?
With a little bit of work it can be possible to discover who owns an email address that does not include an actual name, for example via social media or a reverse email lookup tool on the Internet. Even if neither option provides the individual’s name, enough information about the individual could still be discovered for the email address to count as an identifier, and the associated information to be classified as PHI.
Can you gauge what is a reasonably anticipated threat to PHI?
All covered entities and business associates must carry out regular risk analyses in order to discover threats to PHI. By completing these, covered entities will be in a position to ascertain potential threats and to plan for those that are reasonably anticipated.
How are PII, PHI, and IIHI different?
Simply put, Personally Identifiable Information (PII) refers to identifying data used outside a healthcare context, while PHI (Protected Health Information) and IIHI (Individually Identifiable Health Information) are the same kind of information used in the healthcare sector.
Conclusion
Covered Entities are legally obliged, under HIPAA, to ensure that PHI is always handled in a compliant manner. If you are worried that individuals within your organization are unsure about the allowable uses and disclosures of PHI and how that information must be protected, then the best course of action is to arrange a refresher HIPAA training session as soon as possible.