Several times each week, we’re presented with a scenario and a bottom-line question: Is “it” Protected Health Information?
Most often, we politely and professionally advise not to split hairs and simply err on the side of treating “it” as if it is PHI. That is, protect it as if it were your own personal, sensitive information. There are many compelling reasons, case studies and OCR enforcement actions to suggest taking a conservative approach. Use this information as a part of your HIPAA Privacy and Security Reminders program.
The longer answer to the question follows below and is based on the specific definitions found at 45 C.F.R. §160.103. There are three critical definitions to consider when determining whether or not the information at hand, “it”, is PHI. Think of answering the following three questions, in order, as a bit of a triage process: if the information fails any one of them, it is not PHI.
First: Is it Health Information?
“Health information means any information, whether oral or recorded in any form or medium, that–
(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and,
(B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.” If it is not Health Information to begin with, it is not PHI.
Second: Is it Individually Identifiable Health Information (IIHI)?
“Individually identifiable health information is information that is a subset of health information (see above), and:
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.”
If it is not Individually Identifiable Health Information to begin with, it is not PHI. Please recall that the HIPAA “Safe Harbor” de-identification method at 45 C.F.R. §164.514(b)(2) – Other requirements relating to uses and disclosures of protected health information – lists 18 specific identifiers that must be removed (and the covered entity must have no actual knowledge that the remaining information could identify the individual) before information is considered de-identified. That list is a useful checklist, but note that the test above is “reasonable basis to believe,” not merely the presence of a listed identifier. Among the 18 specific identifiers, for brevity, the most likely pertinent ones are:
- Medical Record Numbers
- Health Plan Beneficiary Numbers
- Account Numbers
- Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) [Re-identification] of this section.
You have to love the last, all-encompassing identifier in the list of 18!
Third and finally: Is the IIHI actually Protected Health Information (PHI)?
“Protected health information means individually identifiable health information:
(1) Except as provided in paragraph (2)* [see below] of this definition, that is:
(i) Transmitted by electronic media;
(ii) Maintained in electronic media; or
(iii) Transmitted or maintained in any other form or medium.” [You have to love this one too: paper, oral and every other medium are covered, not just electronic records.]
If the information at hand is not Health Information, or is not Individually Identifiable Health Information, or does not meet the final definition of PHI, then it is not PHI. Only information that passes all three tests is PHI.
And, “heads up”, there are some exclusions!
*Protected health information excludes individually identifiable health information in:
i. Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
ii. Records described at 20 U.S.C. 1232g(a)(4)(B)(iv)**;
iii. Employment records held by a covered entity in its role as employer; and,
iv. Regarding a person who has been deceased for more than 50 years.”
At the end of the day, each scenario and information type needs to be carefully considered. Our standing advice remains the same: err on the side of treating the information as personal, sensitive information and safeguard it in a reasonable and appropriate manner.
**(iv) records on a student who is eighteen years of age or older, or is attending an institution of postsecondary education, which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his professional or paraprofessional capacity, or assisting in that capacity, and which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment, except that such records can be personally reviewed by a physician or other appropriate professional of the student’s choice.
What Should Your Organization Do?
- Identify all the PHI and “where it lives” in your organization
- Identify all the PHI and “where it lives” outside of your organization (for example, at business associates, subcontractors and hosting providers)
- Create an inventory of all information assets (from above) that create, receive, maintain or transmit PHI
- Complete a thorough, bona fide risk analysis of all ‘information assets’, as required by the Security Rule at 45 C.F.R. §164.308(a)(1)(ii)(A), to ensure that all threats, vulnerabilities and controls have been considered.
What Resources Are Available to You?
More HIPAA HITECH Resources:
The complete HIPAA Privacy, Security and Breach Notification Rules are codified at 45 C.F.R. Parts 160 and 164.