One of the key aims of the Health Insurance Portability and Accountability Act of 1996 is to ensure that patient privacy is maintained and that patients' private data is safeguarded. To do this, the HIPAA Privacy Rule – first issued in 2000 and amended in 2002 – defined a category of “Protected Health Information” that is subject to HIPAA protections. But what are examples of Protected Health Information? Why does it need to be protected? And who must protect it?
Under the Privacy Rule, Protected Health Information (PHI) is individually identifiable health information, in any form (oral, written, or electronic), that relates to an individual's past, present, or future physical or mental health or condition, the provision of health care to that individual, or payment for that care. The information is PHI only if it is created, received, maintained, or transmitted by a HIPAA Covered Entity or its Business Associate.
But what is a Covered Entity? HIPAA defines Covered Entities (or CEs) as health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with a transaction for which HHS has adopted a standard. Examples of such standard transactions are claims, eligibility inquiries, and payment and remittance advice.
Business Associates are third parties that perform functions or services for a Covered Entity involving the creation, receipt, maintenance, or transmission of PHI, and that have entered into a Business Associate Agreement (BAA) with that Covered Entity.
Any organization that meets the HIPAA definition of a Covered Entity or Business Associate must comply with HIPAA regulations relating to the safeguarding of PHI.
So, now we know who must protect PHI, but what are some examples of it? Any demographic information, medical history, diagnosis, insurance data, or financial information that can be linked to a specific individual is protected under HIPAA. That is to say, PHI is individually identifiable. A patient's full name, address, or bank account information can each be used to locate a particular individual or to build a false identity for criminal purposes. If unauthorized individuals acquire this information, it leaves patients exposed to malicious actors.
These pieces of information – names, addresses, etc. – are examples of HIPAA identifiers. There are 18 types of identifier whose presence in health information renders it PHI and, therefore, subject to HIPAA protections. The identifiers are as follows:
- Names
- Geographic subdivisions smaller than a state (street address, city, county, precinct, and ZIP code), except that the first three digits of a ZIP code may be retained when the area covered by those three digits contains more than 20,000 people
- All elements of dates (except year) directly related to an individual (birth date, admission date, discharge date, and date of death), and all ages over 89, which may only be kept if aggregated into a single category of “90 or older”
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URLs
- Internet Protocol (IP) addresses
- Biometric identifiers, including finger and voice prints
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
It is also important to note that HIPAA does not grade identifiers by how “generic” they look. The email address email@example.com receives the same protection as firstname.lastname@example.org. The reasoning is twofold. First, it would be impracticable to draw a line between “distinctive” and “ordinary” values of each identifier. Secondly, even an email address, name, or other item that seems generic is often not difficult to trace back to its owner, particularly when it is combined with the other fields of a health record.
The Privacy Rule does, however, provide for “de-identification”. Health information from which all 18 identifiers have been removed (the Safe Harbor method), or which a qualified expert has determined carries a very small risk of re-identification (the Expert Determination method), is no longer PHI and falls outside HIPAA's protections. Under Safe Harbor the Covered Entity must also have no actual knowledge that the remaining information could be used, alone or with other data, to identify the individual; simply deleting the listed fields is necessary but not always sufficient.
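The following is an added illustration of Safe Harbor de-identification, written for this article rather than taken from it or from any HIPAA guidance document. It applies the rules described above to a constructed patient record: the listed identifier fields are dropped, dates are reduced to the year, ZIP codes are truncated to three digits (or replaced with 000 for sparsely populated prefixes), and ages over 89 are collapsed into a single “90+” bucket, with the birth year removed for such patients because that year alone reveals the age. It also scans free-text notes with simple regular expressions, since identifiers routinely leak into narrative fields that a field-by-field filter never sees. The field names are an assumed example schema, the sample record is constructed, and the restricted ZIP prefix list is the one published in HHS guidance from 2000 census data and should be checked against current guidance before use.

```python
"""Safe Harbor de-identification of a patient record (added example).

Implements the Safe Harbor rules of 45 CFR 164.514(b)(2): remove the 18
identifier types, keep only the year of dates, truncate ZIP codes to three
digits (000 for sparsely populated prefixes), and aggregate ages over 89
into "90+". Field names are an assumed example schema; the sample record
at the bottom is constructed data.
"""
import re
from datetime import date

# Identifier fields removed outright. These names are assumptions about an
# example record layout, not terms defined by HIPAA.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
}

# Three-digit ZIP prefixes covering 20,000 or fewer people, which Safe Harbor
# requires to be replaced by 000. List as published in HHS guidance from the
# 2000 census; confirm against current guidance before relying on it.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Patterns that catch identifiers leaking through free-text fields. Regexes
# are best effort; they will not catch every name or address in prose.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
]


def generalize_zip(zip_code):
    """Keep the first three digits, or 000 for a restricted prefix."""
    zip3 = str(zip_code)[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_date(value):
    """Keep only the year. Accepts ISO date strings or date objects."""
    if isinstance(value, str):
        value = date.fromisoformat(value)
    return value.year


def generalize_age(age):
    """Ages over 89 are aggregated into a single category."""
    return "90+" if age > 89 else age


def scrub_text(text):
    """Replace identifier-shaped substrings in free text with placeholders."""
    for pattern, tag in FREE_TEXT_PATTERNS:
        text = pattern.sub(tag, text)
    return text


def deidentify(record):
    """Return a Safe Harbor de-identified copy of a flat patient record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key.endswith("_date"):
            out[key[: -len("_date")] + "_year"] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    # A birth year for someone aged 90 or older is itself indicative of that
    # age, so the rule requires dropping it rather than keeping the year.
    if out.get("age") == "90+":
        out.pop("birth_year", None)
    return out


# Constructed sample record; every value is fictitious.
SAMPLE = {
    "name": "Jane Q. Sample",
    "street_address": "12 Example St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "phone": "555-010-1234",
    "email": "jane@example.com",
    "ssn": "123-45-6789",
    "mrn": "MRN-000123",
    "birth_date": "1931-06-15",
    "admission_date": "2023-02-10",
    "age": 91,
    "diagnosis": "Type 2 diabetes",
    "notes": "Patient (SSN 123-45-6789) asked to be called at 555-010-1234; "
             "follow-up 2023-03-01.",
}

if __name__ == "__main__":
    for key, value in deidentify(SAMPLE).items():
        print(f"{key}: {value}")
```

Note that the state field survives (states are not among the geographic subdivisions that must be removed) while the admission year is kept and the birth year is not, because the patient is over 89. The free-text scrub is deliberately conservative and is the weakest part of any such pipeline: it does not recognise names or street addresses, which is one reason Safe Harbor also demands that the entity have no actual knowledge that the residual data can identify the patient.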
Some other examples of PHI include prescription information, receipts for payment for treatment, details of health plans, or treatment plans for the future.
When considering “what are examples of Protected Health Information”, you may also assume that data collected by consumer health apps and wearable devices counts too. Generally, however, such data is not PHI, because it has not been created or received by a Covered Entity or a Business Associate. Only if the app developer has entered into a BAA with a CE (for example, to provide the app on the CE's behalf) is the data protected under HIPAA. Additionally, if the user hands the data over to a CE, say by sharing it with their physician, it becomes PHI in the CE's hands from that point on.