Protected Health Information according to HIPAA is individually identifiable health information collected, received, maintained, or transmitted by a HIPAA Covered Entity or Business Associate that:
- Relates to the past, present, or future physical or mental health or condition of an individual,
- Or the provision of health care to an individual,
- Or the past, present, or future payment for the provision of health care to an individual,
- AND that identifies the individual or can be used to identify the individual.
It does not matter how Protected Health Information is collected, received, maintained, or transmitted. It is Protected Health Information according to HIPAA if it is spoken, written on a piece of paper, or typed into an EHR. This is why a medical professional can violate HIPAA by disclosing more than the minimum necessary PHI when speaking out loud in a hospital waiting room.
How Health Information is Protected by HIPAA
Health information that relates to an individual's condition, treatment for the condition, or payment for the treatment is usually maintained in one or more “designated record sets”. Information maintained in a designated record set can only be disclosed to a third party for “permissible uses and disclosures” as defined in the HIPAA Privacy Rule.
Other than for permissible uses and disclosures, HIPAA Covered Entities and Business Associates are not allowed to use or disclose Protected Health Information without a written authorization unless the information is disclosed to the subject of the information, the subject's personal representative (e.g., a parent), or to HHS' Office for Civil Rights.
Individuals can check that a healthcare organization or health plan is complying with the rules for uses and disclosures by requesting an “accounting of disclosures” that – with certain exceptions – should contain a record of all disclosures for the previous six years. The exceptions to the accounting of disclosures standard can be found in §164.528 of the HIPAA Privacy Rule.
What Other Information is Protected by HIPAA?
Designated record sets usually contain more than health information. In most cases they contain information that can be used by itself or with other information to identify who the designated record set refers to. For example, most designated record sets will include the individual's name, address, and date of birth – information that is not protected in the public domain.
However, when non-health information (such as name, address, and date of birth) is included in a designated record set, the non-health information assumes the same protected status as the individual's health information. This can apply to any non-health information included in a designated record set that could be used to identify an individual.
A number of sources refer to non-health information protected by HIPAA as the “18 HIPAA identifiers” (as listed in §164.514 of the HIPAA Privacy Rule). However, since this list was published, there are now more than 18 ways to identify an individual – for example, a patient may have an emotional support animal whose details are recorded in the designated record set.
Therefore, Covered Entities and Business Associates not only need to know what is regarded as Protected Health Information according to HIPAA, but also how to manage and safeguard the content of designated record sets to ensure any information that could identify an individual is protected and not impermissibly disclosed in violation of the HIPAA Privacy Rule.