The latest article in our HIPAA basics series answers the question: what is protected health information?
The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of protected health information, but what is protected health information?
First, it is worthwhile explaining two other important terms detailed in HIPAA regulations: a covered entity and a business associate. A covered entity is a healthcare provider, health plan, or healthcare clearinghouse which transmits health data electronically for transactions for which the U.S. Department of Health and Human Services has adopted standards. A business associate is an organization or individual who performs services on behalf of a HIPAA-covered entity that require access to, or the use of, protected health information.
What is Protected Health Information?
Protected health information is the term given to health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates in relation to the provision of healthcare, healthcare operations and payment for healthcare services. Protected health information is often shortened to PHI, or in the case of electronic health information, ePHI.
HIPAA Protected Health Information Definition
Protected health information “Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual” that is:
- Transmitted by electronic media;
- Maintained in electronic media; or
- Transmitted or maintained in any other form or medium.
Protected Health Information Includes…
Protected health information includes all individually identifiable health information, including demographic data, medical histories, test results, insurance information, and other information used to identify a patient or provide healthcare services or healthcare coverage. ‘Protected’ means the information is protected under the HIPAA Privacy Rule.
Protected health information is defined in the Code of Federal Regulations and applies to health records, but not to education records, which are covered by other federal regulations, nor to records held by a HIPAA-covered entity related to its role as an employer. In the case of an employee-patient, protected health information does not include information held on the employee by a covered entity in its role as an employer, only in its role as a healthcare provider.
PHI does not include individually identifiable health information of persons who have been deceased for more than 50 years.
What is Individually Identifiable Health Information?
When individually identifiable information is used by a HIPAA-covered entity or business associate in relation to healthcare services or payment, it is classed as protected health information.
There are 18 identifiers that can be used to identify, contact, or locate a person. If health information is used with any of these identifiers it is considered identifiable. If PHI has all of these identifiers removed, it is no longer considered to be protected health information. (see de-identification of protected health information)
- Names (Full or last name and initial)
- All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
- Dates (other than year) directly related to an individual
- Phone Numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers (including serial numbers and license plate numbers)
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger, retinal and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
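The list above is the Safe Harbor identifier list, and the practical question for an engineer is how a record is actually stripped of those identifiers before it leaves a covered entity. The following is an added example, not code from the article or from any HIPAA guidance: it applies the list to a constructed patient record, dropping direct identifier fields, keeping only the first three ZIP digits (or 000 for prefixes covering 20,000 or fewer people), reducing dates to the year, and scrubbing phone numbers, email addresses, SSNs, IP addresses and URLs that leak through free-text notes. The field names, the sample record, and the `RESTRICTED_ZIP3` set are all assumptions made for the example; the real restricted-prefix list is derived from Census data and must be obtained from the current HHS guidance.

```python
"""Safe Harbor style de-identification of a patient record (added example).

Field names, the sample record and the restricted ZIP prefix set below are
constructed for illustration; they are not taken from the article or from HHS.
"""
import re
from datetime import date

# Fields holding direct identifiers from the Safe Harbor list; dropped outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip", "biometric", "photo",
}

# Geographic fields smaller than a state; dropped (state itself may stay).
SUB_STATE_GEOGRAPHY_FIELDS = {"street", "city", "county"}

# Dates directly related to the individual; reduced to year only.
DATE_FIELDS = {"dob", "admission_date", "discharge_date"}

# ASSUMPTION: placeholder three-digit ZIP prefixes whose combined population
# is 20,000 or fewer. The authoritative set comes from HHS / Census data.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Identifier patterns that commonly leak through free-text fields.
# SSN is scrubbed first so its digit groups are not mistaken for a phone number.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"(?<!\d)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"https?://\S+"), "[URL]"),
]


def generalize_zip(zip_code):
    """Keep the first three digits, or 000 when the prefix is restricted or malformed."""
    digits = re.sub(r"\D", "", zip_code)[:3]
    if len(digits) < 3 or digits in RESTRICTED_ZIP3:
        return "000"
    return digits


def generalize_date(value):
    """Reduce a date (datetime.date or ISO 'YYYY-MM-DD' string) to its year."""
    if isinstance(value, date):
        return value.year
    return int(str(value)[:4])


def scrub_free_text(text):
    """Replace identifier patterns in free text with bracketed placeholders."""
    for pattern, replacement in FREE_TEXT_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def deidentify(record):
    """Return a new dict with Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in SUB_STATE_GEOGRAPHY_FIELDS:
            continue
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    return out


# Constructed, fictional sample record.
SAMPLE_RECORD = {
    "name": "Martha Green",
    "dob": "1984-06-02",
    "zip": "33101",
    "city": "Miami",
    "state": "FL",
    "ssn": "123-45-6789",
    "mrn": "MRN-0099231",
    "diagnosis_code": "E11.9",
    "admission_date": "2023-02-14",
    "notes": "Patient called from (305) 555-0142, email m.green@example.com; BP 130/85.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```

Two points the code makes that the list alone does not: the free-text scrub is the part that is actually hard, because the 18 identifiers turn up in clinician notes far more often than in cleanly labelled columns, and this regex pass is a floor, not a guarantee; and the ZIP rule is lossy by design, so the restricted-prefix set has to be refreshed from current Census data rather than hard-coded as it is here.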
PHI Health Apps
There is some confusion around PHI and health apps, as they often collect information that is classed as PHI when it is recorded or used by a healthcare provider. Health apps record information such as heart rate data, and the data can include personal identifiers. However, the data collected by these apps and trackers is not always covered by HIPAA Rules. App developers can be business associates, but for the most part they are not.
If a HIPAA covered entity develops a health app for use by patients or plan members and it collects, uses, stores, or transmits protected health information, the information must be protected in line with HIPAA Rules.
If a physician recommends a PHI health app be used by a patient, such as for tracking BMI or heart rate data, the information is not subject to HIPAA Rules as the app was not created for the physician.
A third-party health app developer would be classed as a business associate, and required to comply with HIPAA, if the app has been created for a HIPAA-covered entity and it collects, uses, stores, or transmits identifiable health information or if the developer is contracted with a HIPAA-covered entity to provide health monitoring services via the app.
PHI health app guidance was issued by OCR in 2016 and can be viewed on this link (PDF).
PHI Information Technology
The HIPAA Security Rule requires safeguards to be implemented by HIPAA-covered entities and their business associates to protect PHI that is created, used, received, stored, or transmitted in electronic format. Administrative, physical, and technical controls must be implemented to ensure the confidentiality, integrity, and availability of ePHI.
Failures to protect ePHI and subsequent privacy violations can result in significant fines, although since there is no private cause of action in HIPAA, patients affected by data breaches cannot sue HIPAA covered entities for the exposure, theft, or impermissible disclosure of their PHI.
The HIPAA Privacy Rule stipulates allowable uses and disclosures of PHI and gives patients the right to obtain a copy of the PHI that is held by their healthcare providers. Health IT can be used to help patients access their PHI. Many healthcare providers now allow patients to access some or all of their health information via patient portals. If only partial information is available through a patient portal, patients can still exercise their right to obtain all PHI in a designated record set held by their healthcare providers by submitting a request in writing.
Would patient information such as “Mrs. Green from Miami” be considered PHI?
Although there could be thousands of Mrs. Greens in Miami, there are likely to be fewer Mrs. Kawtowskis in Maryland. As it would be impractical for HIPAA to stipulate that there must be fewer than so many “Mrs. As” in a population of “B” before the two identifiers combined are considered to be PHI, all combinations of identifiers are considered PHI under HIPAA – even “Mrs. Green from Miami”.
What are allowable uses and disclosures of PHI?
Without an authorization from the patient, a covered entity is only allowed to use and disclose a patient’s PHI for its own treatment, payment, and health care operations. A covered entity can also disclose the patient’s PHI to a business associate provided both the covered entity and the business associate have signed a HIPAA-compliant business associate agreement.
What are incidental uses and disclosures of PHI?
Incidental uses and disclosures of PHI are those that occur accidentally as a by-product of another allowable use or disclosure. Provided the covered entity or business associate has applied reasonable safeguards and implemented the minimum necessary standard with respect to the primary use or disclosure, there is no violation of HIPAA.
Can you provide an example of an incidental disclosure?
An example of an incidental disclosure is when an employee of a business associate walks into a covered entity’s facility and recognizes a patient in the waiting room. Although the business associate does not need to know the identity of any patients at the covered entity’s facility, the business associate has a compliant business associate agreement in place and is visiting the facility to carry out work described in the agreement. Therefore, the disclosure of PHI is incidental to the compliant work being done.
Would a personal wearable device such as a step counter be considered a PHI health app?
Unless the personal wearable device collects, uses, and/or stores data, and that data is transmitted to – or downloaded at – a physician’s office or healthcare facility, the device is not a PHI health app. So, in most cases, a wearable step counter would not be considered a PHI health app provided it is used for personal use only.