HIPAA Meaning of Protected Health Information

By | January 12, 2023

According to HHS’ Enforcement Highlights web page, the most common issue alleged in complaints to the Office for Civil Rights (OCR) is impermissible uses and disclosures of Protected Health Information. This is often interpreted as a failure to understand which uses and disclosures are permissible without patient authorizations; however, it could be just as likely there is a failure to understand the HIPAA meaning of Protected Health Information.

One possible reason for misunderstanding the HIPAA meaning is that the term “Protected Health Information” does not appear in the original text of HIPAA. Furthermore, rather than appearing at the start of the Privacy Rule, the HIPAA meaning of Protected Health Information is defined at the start of the Administrative Simplification General Rules (§160.103). The definition – abridged for clarity – reads:

“Protected Health Information means individually identifiable health information […] that is (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium.”

This definition applies to all individually identifiable health information collected, received, maintained, or transmitted by a HIPAA Covered Entity or a Business Associate providing a service to or on behalf of a Covered Entity or other Business Associate. However, there are some exceptions.

Students’ medical records maintained by an educational institution (that qualifies as both a FERPA-defined educational institution and a HIPAA-defined Covered Entity) are excluded from the HIPAA meaning of Protected Health Information because they are part of student educational records.

Individually identifiable health information maintained by a Covered Entity in its role as an employer (i.e., workplace injury reports, etc.) is also excluded from the HIPAA meaning of Protected Health Information, as is information relating to individuals who have been deceased for more than 50 years.

The HIPAA Meaning of Individually Identifiable Health Information

It can be difficult to fully understand the HIPAA meaning of Protected Health Information without understanding the HIPAA meaning of individually identifiable health information – defined in the Administrative Simplification General Rules as a subset of health information created or received by a health care provider, health plan, employer, or health care clearinghouse that:

  • Relates to the past, present, or future physical or mental health or condition of an individual,
  • the provision of health care to an individual; or
  • the past, present, or future payment for the provision of health care to an individual; and
  • that identifies the individual or could be used to identify the individual.

This definition raises several issues because not all healthcare providers or insurance companies that provide health benefits are Covered Entities, employers are generally not regarded as Covered Entities – but can be in some circumstances – and whereas the definition of Protected Health Information (above) applies to Business Associates, they are not mentioned in this definition.

With regards to the applicability of this definition to Business Associates, this is covered in §160.102 of the General Rules, in which paragraph (b) states: “Where provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to a Business Associate” – “this subchapter” meaning the Administrative Simplification Regulations Parts 160,162, and 164.

The issues relating to which organizations qualify as Covered Entities, Partial Entities, Hybrid Entities, and Affiliated Entities are discussed in our article explaining the HIPAA definition of a Covered Entity. However, while qualification issues may be confusing for some, the biggest challenge to understanding the HIPAA meaning of Protected Health Information is what constitutes health information that is individually identifiable.

What Constitutes Health Information that is Individually Identifiable?

One of the reasons why challenges exist in understanding the HIPAA meaning of Protected Health Information is that several online sources have conflated the definition of Protected Health Information with “the 18 HIPAA identifiers”. It is important to be aware that the two are very different, and that relying on the 18 HIPAA identifiers to determine what Protected Health Information is could explain why so many complaints allege impermissible uses and disclosures of Protected Health Information.

Assuming the definition of health information is understood (“relates to the past, present, or future physical or mental health” etc.), individually identifiable health information is any information maintained in the same designated record set as health information that can – or that could be used to – identify the subject of the health information. Importantly, once in a designated record set, identifying information does not have to be attached to health information to be protected.

For example, if a designated record set contains:

  • An x-ray of a broken arm referencing the patient
  • The patient’s date of birth
  • The patient’s contact details
  • The patient’s payment details

While in the same designated record set, all four items are Protected Health Information – the x-ray of the broken arm and the patient’s payment details because they are items of information that relate to the patient’s health and payment for treatment, and the other two items because they are maintained in the same designated record set as the health and payment information.

If the names, birth dates, and contact details of patients are maintained in a separate record set or database that does not contain health and/or payment information, these items of information may not be protected health information; however, as previously stated, individually identifiable information must be protected if it relates to the past, present, or future physical or mental health of an individual. If names, birth dates, and contact details are collected, stored, and maintained by a healthcare provider, it could indicate the status of an individual as a patient, either in the past, present, or future, and patient status is protected health information. OCR recently confirmed this in its guidance on website tracking technologies.

More about Designated Record Sets and HIPAA Identifiers

As well as understanding the HIPAA meaning of Protected Health Information it is important for Covered Entities and their workforces to understand the concept of designated record sets. This is because a single Covered Entity can maintain multiple designated record sets about the same individual – who has the right to request copies of all information maintained about them and an accounting of disclosures from all designated record sets.

Knowing where Protected Health Information is maintained is one reason why it is important to conduct an audit of all Protected Health Information collected, received, maintained, or transmitted by the organization. An audit not only helps compliance officers develop policies and procedures to protect the privacy and security of Protected Health Information, but also identifies where it is maintained to accelerate responses to patient requests for copies and accountings of disclosures.

With regards to the 18 HIPAA identifiers, these are the types of identifying information that have to be removed from a designated record set before any health information remaining in the designated record set is no longer Protected Health Information under the safe harbor deidentification method (§164.514). Importantly, these types of identifiers only relate to de-identifying designated record sets. They have nothing to do with the HIPAA meaning of Protected Health Information.

It is also important to be aware the list of 18 HIPAA identifiers is more than twenty years old. Since its publication, many more types of information can be included in a designated record set that could identify – or be used to identify – an individual. For example, Medicare Beneficiary Identifiers are not included in the list, nor are emotional support animals, nor are social media handles. These identifiers should also be removed from a designated record set before it is de-identified.

What Else is Important to Know about the HIPAA Meaning?

Returning to HHS’ Enforcement Highlights web page mentioned at the beginning of this article, the most common reason for complaints being rejected by OCR is the complaints allege a violation committed by an entity that is not covered by HIPAA.

This implies that not only might there be a failure to understand the HIPAA meaning of Protected Health Information, but also the HIPAA definition of a Covered Entity. For this reason, we have published a separate article explaining who is – and who isn’t – a HIPAA Covered Entity.

In conclusion, understanding the HIPAA meaning of Protected Health Information, individually identifiable health information, and designated record sets can be confusing – notwithstanding that, although identifying information maintained outside a designated record set is not protected by HIPAA, it may be protected by a state’s privacy or security regulations.

Privacy and Security Officers who are unsure of the distinction between Protected Health Information and the 18 HIPAA identifiers, what information needs to be removed from a designated record set before it is de-identified, or when identifying information is not Protected Health Information, should seek expert advice from a compliance professional.

The post HIPAA Meaning of Protected Health Information appeared first on HIPAA Journal.