What are Examples of Protected Health Information?

Examples of Protected Health Information - HIPAAGuide.net

Articles listing examples of protected health information often refer to the list of identifiers that must be removed from a designated record set before any remaining individually identifiable health information in the designated record set is considered de-identified. However, while these identifiers can be examples of protected health information, they are not always.

What is Protected Health Information under HIPAA?

To answer the question what is Protected Health Information under HIPAA, it is first necessary to consider the definitions of health information, individually identifiable health information, and protected health information in §160.103 of the HIPAA General Provisions. In the order of relevance, these state:

  • Health information is defined as any information created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; that relates to an individual’s health condition, treatment for the health condition, or payment for the treatment.
  • Individually identifiable health information is defined as health information – including demographic information – created or received by a healthcare provider, health plan, employer, or health care clearinghouse that identifies the individual or that can be used (with other information) to identify the individual.
  • The definition of protected health information confirms that individually identifiable health information is protected regardless of format except in certain circumstances – for example, when maintained by an employer in their role as an employer or when covered by the Family Educational Rights and Privacy Act.

What are Designated Record Sets under HIPAA?

Thereafter, it is important to understand the concept of designated record sets – defined in §164.501 of the Privacy Rule as a group of records maintained by or on behalf of a covered entity that includes an individual’s medical and billing records when maintained by a healthcare provider, or an individual’s enrolment, payment, and claims records when maintained by a health plan.

The definition goes on to explain that a designated record set can consist of a single item of protected health information or any grouping of records that includes protected health information. This means a photo of a child on a “baby wall” is a designated record set consisting of one item of protected health information, as the image identifies a past recipient of treatment.

It also means that any identifying information maintained in the same designated record set assumes the same protections as protected health information. So, an email address maintained in the same designated record set as an individual’s treatment information is an example of protected health information and must comply with HIPAA email rules. However, if an individual’s email address is maintained in a separate database that does not include protected health information (e.g., an email marketing database), it is not protected.

What are the HIPAA Identifiers?

The HIPAA identifiers are a list of identifiers that must be removed from a designated record set before any information remaining in the designated record set is considered de-identified under the safe harbor method (§164.514). Once de-identified, the remaining information is not protected and can be disclosed without the need to enter into a Business Associate Agreement.

While the list of HIPAA identifiers can be examples of protected health information when they are maintained in the same designated record set as information relating to an individual’s health condition, treatment for the health condition, or payment for the treatment, if they are not maintained in the same designated record set, the identifiers are not individually identifiable health information and do not qualify as examples of protected health information.

An example of when identifiers may not be included in a designated record set is if a hospital has special parking arrangements for certain patients. To ensure the parking arrangements are not misused, the hospital may maintain a separate database containing individuals’ names, phone numbers, email addresses, vehicle license plate numbers, and facial images – all of which would be examples of protected health information if they were maintained in a designated record set. However, in this case they are not in a designated record set, so are not examples of protected health information.

Examples of Protected Health Information Not Listed as Identifiers

Whereas the list of HIPAA identifiers in §164.514 may or may not contain examples of protected health information depending on where the identifiers are maintained, it is also important to remember that the list was compiled more than a quarter of a century ago, and there are now more ways in which individuals can be identified. When these newer methods of identification are maintained in a designated record set with health information, they are also examples of protected health information.

Newer examples of protected health information (when maintained in a designated record set) include Medicare beneficiary numbers and social media aliases. Although these might be acknowledged as examples of protected health information under Section R of §164.514 (“any other unique identifying number, characteristic, or code”), examples of protected health information that would not fall under this section include emotional support animals and third parties involved in an individual’s care that are not relatives or household members.

It is important that covered entities and business associates know what protected health information is under HIPAA, understand the concept of designated record sets, and recognize when identifying information is not protected in order to pass this information on to members of the workforce in HIPAA training. The consequences of an ill-informed workforce can vary from operational inefficiencies to avoidable HIPAA violations. Any covered entity or business associate experiencing difficulties in providing examples of protected health information to members of the workforce should seek professional compliance advice.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/