In businesses subject to the Health Insurance Portability and Accountability Act (HIPAA), individually identifiable health information is often spoken of as Protected Health Information or PHI, but what is considered as PHI under HIPAA?
The HIPAA Privacy Rule considers PHI to be any individually identifiable health information that is created, received, used, maintained, or transmitted in connection with an individual´s health condition, treatment for the health condition, or payment for the treatment.
However, it isn’t just past and present individually identifiable health information that is considered as PHI under HIPAA. Information relating to an individual´s future health, treatment, or payments is also considered as PHI under HIPAA.
What Else is Considered as PHI under HIPAA?
PHI not only includes medical documents, health histories, laboratory test results, medical billing records, etc., but also any information that can be used – either separately or with any other piece of information – to identify the subject of the health information.
While many sources refer to the list of identifiers that have to be removed from a designated record set before any remining health information is no longer Protected Health Information, it is no longer possible to rely on the “18 identifiers” in §164.514 to determine what is considered as PHI under HIPAA.
It is more than twenty years since this list was published – during which time there have been many changes to the ways in which people can be identified. Therefore, if a social media alias that is not a name, but that could be used to identify an individual, this is also considered as PHI under HIPAA and has to be removed from a designated record set.
When is Identifying Information not PHI?
Identifying information is not considered as PHI under HIPAA when it is not maintained or used in conjunction with health information. Therefore, if an individual´s name, address, and telephone number is maintained in a separate database, it does not have the same protections as PHI.
Additionally, as only Covered Entities and Business Associates are required to comply with HIPAA, any identifying information maintained by a business that is not subject to HIPAA (i.e., a vendor of a fitness or weight loss app) is also not considered as PHI – even if it is maintained alongside individually identifiable health information.
However, while any identifying information maintained outside a designated record set or maintained by a business not subject to HIPAA does not have the same protections as PHI, the information may be protected by state privacy laws that stipulate what privacy and security measures must be implemented to safeguard the information.
What is Considered PHI under HIPAA FAQs
What types of future health data are considered PHI under HIPAA?
Whenever any identifying information is associated with – for example – a prognosis, a forthcoming appointment, or a treatment plan, this would be future health data that is considered as PHI under HIPAA.
What does the identifier “dates, but not years” mean?
This means that any date directly related to an individual (birth date, admission date, discharge date, etc.) is considered as PHI under HIPAA except the year. This is because there may be thousands of individuals being admitted or discharged within any given year, so the year itself would not reveal sufficient information about an individual to identify them.
Are there rules about how PHI should be de-identified?
The rules about de-identifying PHI state that any code used to replace the identifiers cannot be derived from information related to the individual as this might enable the individual´s re-identification. For example, an individual’s initials cannot be used to code their data because the initials are derived from their name.
Why are Internet Protocol addresses and website URLs considered PHI?
Internet protocol addresses and website URLs are only considered as PHI under HIPAA if they are maintained in a designated record set and could be used to identify the subject of any health information in the same record set. With regards to why they are considered as PHI under HIPAA –
An Internet Protocol (IP) address is a unique address that identifies a device connected to the Internet or a local network. IP addresses are much like the Internet´s telephone directory inasmuch as they can be used to identify the location of the device and its user. Website URLs use IP addresses to connect users to website domains, so could also be used to locate web servers and their users.
In what “rare circumstances” might HIPAA apply to an employer?
Employers may be subject to “partial” HIPAA compliance if they administer a self-insured health plan or act as an intermediary between employees, healthcare providers, and health plans. In these circumstances, employers are subject to §164.504(f)(2) of the Privacy Rule and are required to provide a certification that PHI will be safeguarded.
Is a date of birth PHI?
A date of birth – by itself – is not PHI because it does not identify the individual to whom the date relates. However, if the date of birth is maintained in a designated record set with other information that can identify the subject of the record set, it becomes PHI and assumes the protections of the Privacy and Security Rule.
Is a phone number PHI?
A phone number maintained in a designated record set with other identifying information is PHI. However, if phone number, a name and other identifying information (address, name of spouse, etc.) is maintained in a database that does not include health information, it is not considered PHI under HIPAA. However, although the phone number is not protected by HIPAA in this example, it may be protected by other privacy and security laws.
Is a patient name alone considered PHI under HIPAA?
No, because a patient name by itself does not reveal any medical, treatment, or payment information. Information like names, addresses, and telephone numbers are information that are usually in the public domain (i.e., via a phone directory) so it would be a waste of resources to protect information that could be found elsewhere – notwithstanding that securing non-PHI behind access controls could hinder the flow of information in a healthcare facility.
Are patient initials considered PHI?
The question of whether patients´ initials are considered PHI under HIPAA is raised more than you might expect due to guidance issued by the Department of Health and Human Services relating to the de-identification of PHI in a designated record set using the safe harbor method.
In the guidance, patients´ initials are mentioned twice – once in the context of disclosing patients´ initials in a de-identified designated record set, and once when fields of unstructured text are derived from the safe harbor listed identifiers in §164.514.
In both cases, the guidance is that the initials should be removed from the designated record set – implying patient initials are considered PHI under HIPAA. However, this only applies when the initials are maintained in a designated record set.
If patient initials are maintained in a data set that does not contain health information (i.e., initials, surname, and telephone number), none of the information in the data set is PHI because they do not relate to the individual´s health information.
Is SSN PHI?
Up until December 2019, social security numbers (SSNs) were considered PHI under HIPAA because they could be used to obtain Medicare benefits. In this respect, SSNs fulfilled the criteria for PHI as they related to the “past, present, or future payment for the provision of health care to an individual.”
From 2016 onward, SSNs have been replaced by Medicare Beneficiary identifiers (MBIs) and can now no longer be used to obtain Medicare benefits. However, in cases where an SSN still exists in an individual´s “designated record set” (typically a group of medical and billing records that also contain individual identifiers), the SSN is still considered PHI under HIPAA because it could be used to identify the individual to whom the medical information in the record set relates.