What is Considered Protected Health Information?
Protected Health Information (PHI) refers to any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate in relation to providing healthcare services. According to HIPAA (Health Insurance Portability and Accountability Act) regulations, PHI includes the following:
- Patient Names: Full names, initials, or any other information that can identify an individual.
- Contact Information: Addresses, phone numbers, email addresses, and fax numbers.
- Dates: Dates of birth, admission, discharge, and other dates related to an individual’s healthcare.
- Social Security Numbers: Social Security numbers or any other government-issued identification numbers.
- Medical Records: Medical histories, diagnoses, treatment information, and information related to the provision of healthcare.
- Health Insurance Information: Insurance policy numbers, claim information, and coverage details.
- Payment Information: Billing records, payment records, and any other financial information related to healthcare services.
- Genetic Information: Information about an individual’s genetic testing or genetic predisposition to a health condition.
It is important to note that PHI can be in any form, including electronic, paper, or oral, and it applies to both past and present information. The privacy and security of PHI are protected under HIPAA, and healthcare entities and professionals must ensure its confidentiality and take appropriate measures to safeguard it.
If an organization is subject to the HIPAA, it is important to know what is considered Protected Health Information under HIPAA in order to prevent impermissible uses and disclosures and operational inefficiencies.
How Protected Health Information Was Designated
HIPAA is a law passed in 1996 with the primary objective of improving the portability of health insurance between jobs and prohibiting health insurance companies from discriminating against employees with preexisting conditions. The measures incurred costs for the health insurance companies, which Congress feared would be passed on to employers and plan members via higher premiums and/or higher deductibles.
To address this issue, Congress took steps to reduce health insurance companies´ costs by tackling health insurance fraud and making the claims process more efficient. In order to make the claims process more efficient, Congress instructed the Secretary for Health and Human Services to develop standard transaction formats, introduce measures to safeguard the security of electronic transactions, and protect the privacy of individually identifiable health information.
The instruction led to the development of the Administrative Simplification provisions – a set of Rules that governs transactions between health insurance companies, healthcare providers, and health care clearinghouses. The General Administrative Requirements of the provisions define what Protected Health Information is, while the Privacy Rule within the Administrative Simplification provisions stipulates how Protected Health Information must be protected.
How Protected Health Information is Defined
The definition provided by the General Administrative Requirements states Protected Health Information is individually identifiable health information “transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium”; so, to get a clearer picture of what is considered Protected Health Information, it is necessary to look at the definition of individually identifiable health information:
“Information […] collected from an individual […] that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care; and that identifies the individual or […] can be used to identify the individual.” Therefore, when this information is transmitted or maintained by a HIPAA Covered Entity it becomes Protected Health Information.
Protected Health Information can only be used or disclosed for required, permitted, or authorized purposes as stipulated by the Privacy Rule. It must also be maintained in a designated record set so it can be reviewed by the subject of the information (i.e., a patient of health plan member) for omissions and inaccuracies. Additionally, Covered Entities are required to maintain an accounting of disclosures that can be requested at any time by the subject of the information.
What is Not Considered Protected Health Information
In addition to the subject´s individually identifiable health information, any other information in the same designated record set that could be used – either separately or together with other information – to identify the subject of the health information is also protected. §164.514 of the Privacy Rule lists 18 identifiers (name, address, phone number, etc.) that are classified as Protected Health Information if they are maintained in the same designated record set as health information.
However, when these – or any other identifiers – are not maintained in a designated record set, they are not considered Protected Health Information under HIPAA. For example, if the name and telephone number of a patient´s next of kin is maintained in a separate database, it is not considered Protected Health Information under HIPAA even though it would be if included in the same designated record set as the patient´s health information.
This distinction is important because by over-protecting non-health related information, Covered Entities can experience operational inefficiencies. If, for example, a nursing assistant wanted to contact the next of kin but did not have the credentials to access the designated record set, the nursing assistant would have to contact a colleague with the necessary credentials to access the information – not only creating a delay, but also wasting resources.
However, not only is it important for Covered Entities to understand what is considered Protected Health Information and what is not, but also that this knowledge is passed onto members of the workforce via HIPAA training and patients/plan members via a Notice of Privacy Practices. When members of the workforce and patients/plan members understand what information is protected, it will reduce the number of unnecessary complaints while maintaining operational efficiency.
Examples of Protected Health Information
Some of the commonly recognized protected health information (PHI) identifiers include:
- Names: Full names, initials, nicknames, or any other information that can identify an individual.
- Addresses: Home addresses, email addresses, and any other location-related information.
- Dates: Dates of birth, admission, discharge, and other dates related to an individual’s healthcare.
- Telephone Numbers: Phone numbers, including home, work, mobile, or any other contact numbers.
- Fax Numbers: Fax numbers associated with healthcare-related communication.
- Social Security Numbers: Social Security numbers or any other government-issued identification numbers.
- Medical Record Numbers: Unique identifiers assigned to individuals’ medical records.
- Health Plan Beneficiary Numbers: Numbers assigned by health insurance plans to identify beneficiaries.
- Account Numbers: Account numbers associated with healthcare services or payments.
- Certificate/License Numbers: License or certificate numbers assigned to healthcare professionals or facilities.
- Vehicle Identification Numbers (VIN): Unique identification numbers associated with vehicles used for healthcare purposes.
- Device Identifiers: Unique identifiers assigned to medical devices, equipment, or implants.
- Biometric Identifiers: Biometric data such as fingerprints, retinal scans, or voiceprints.
- Web Universal Resource Locators (URLs): URLs associated with healthcare-related websites or portals.
- IP Addresses: Internet Protocol (IP) addresses associated with electronic communications or devices.
- Geographic Identifiers: Geographic information such as city, state, or ZIP code.
- Account Numbers: Financial account numbers used for billing or payment purposes.
- Any Other Unique Identifying Number, Characteristic, or Code: Any other specific identifier that can be used to identify an individual.
The Importance of Protected Health Information
The protection of Protected Health Information is crucial to maintain patient privacy, prevent unauthorized access, and safeguard sensitive health information from misuse or breaches. Covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, are required to implement comprehensive security measures and protocols to ensure the confidentiality, integrity, and availability of PHI. Failure to comply with HIPAA regulations can lead to penalties, fines, and reputational damage.
Individuals have rights over their Protected Health Information, including the right to access, amend, and request restrictions on its use and disclosure. Covered entities must obtain patient consent or comply with specific exceptions and requirements before using or disclosing Protected Health Information. Additionally, covered entities are required to provide individuals with notices explaining their privacy practices and rights related to their Protected Health Information.