We all know what “protected health information” (PHI) is, right? You know that HIPAA requires you to keep this information private and secure. However, it’s easy to assume we know what PHI means…but be gravely mistaken.
Some of us tend to think everything is PHI. Others think that only information related to a diagnosis is PHI. But you can’t rely on guesswork and you can’t afford to be mistaken. HIPAA doesn’t extend leniency for simply “not knowing” what counts as PHI, and there are serious consequences for violating HIPAA.
So, let’s challenge our assumptions about PHI and go back to the basics. This blog will review the ABCs of HIPAA protected health information.
Read to the end to access a downloadable PHI decision tree.
What is Individually Identifiable Health Information?
Individually identifiable health information (IIHI) goes beyond medical information about a person to include their demographics. IIHI meets these conditions:
- Is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse.
- Relates to the past, present, or future physical/mental health or condition of a person; the provision of health care to a person; or the past, present or future payment for the provision of health care to a person.
- Identifies an individual or can be used to identify an individual.
In short, for medical information to be IIHI, it has to identify the individual to whom it belongs.
What is Protected Health Information Under HIPAA?
According to the HIPAA Privacy Rule, protected health information is individually identifiable health information that is:
- Transmitted by electronic media (e.g. sent through email),
- Maintained in electronic media (e.g. stored on a server), or
- Transmitted or maintained in any other form or medium (which includes paper documents stored in physical locations).
All PHI is IIHI, but not all IIHI is PHI. This is because HIPAA does not protect all individually identifiable health information. IIHI becomes PHI only when it is transmitted or maintained in one of these forms.
But what makes information identifiable?
HIPAA Protected Health Information Identifiers
There are 18 identifiers that make medical information identifiable:
- Names (full name or last name and initial)
- All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
  - The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and
  - The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death. This includes all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security Numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers, such as serial numbers and license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger, retinal, and voice prints
- Full face photos and any comparable images
- Any other unique identifying number, characteristic, or code
When these identifiers can be used in combination with other health information to identify an individual, HIPAA considers it PHI. Consequently, if these identifiers are not present, the information is not identifiable. If you remove all identifiers, you have de-identified the information, and it is no longer PHI.
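As an added illustration (not code from the original post or from HIPAAtrek), the following Python applies the rules spelled out above: a record is PHI only when health information and an identifier coexist, zip codes keep their three-digit prefix only for populous areas, dates keep only the year, and ages over 89 collapse into a single "90+" bucket. The populous zip prefixes and the field names are constructed assumptions.

```python
from datetime import date

# Constructed sample of three-digit zip prefixes whose combined population
# exceeds 20,000 (assumed values; real ones come from current Census data).
POPULOUS_ZIP3 = {"100", "606", "900"}

# Identifier fields from the list above (assumed field names); any one of
# them attached to health information makes a record PHI.
IDENTIFIER_FIELDS = {"name", "phone", "fax", "email", "ssn", "mrn",
                     "beneficiary_no", "account_no", "license_no",
                     "vehicle_id", "device_id", "url", "ip", "biometric",
                     "face_photo", "zip", "birth_date", "admission_date"}
HEALTH_FIELDS = {"diagnosis", "procedure", "lab_result", "payment"}

def is_phi(record):
    """PHI requires health information AND at least one identifier."""
    has_identifier = any(record.get(k) for k in IDENTIFIER_FIELDS)
    has_health = any(record.get(k) for k in HEALTH_FIELDS)
    return has_identifier and has_health

def safe_harbor_zip(zip_code):
    """Keep the first three digits only when that prefix covers more than
    20,000 people; otherwise the prefix is replaced with 000."""
    prefix = zip_code.strip()[:3]
    return prefix if prefix in POPULOUS_ZIP3 else "000"

def age_category(birth_date, as_of):
    """Exact age up to 89; all ages over 89 collapse into the bucket '90+'."""
    age = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        age -= 1
    return "90+" if age > 89 else str(age)

def deidentify(record, as_of):
    """Return a new dict with the de-identification rules above applied."""
    out = {k: v for k, v in record.items() if k in HEALTH_FIELDS}
    if record.get("zip"):
        out["zip3"] = safe_harbor_zip(record["zip"])
    if record.get("birth_date"):
        out["age"] = age_category(record["birth_date"], as_of)
        # A birth year may stay unless it would reveal an age over 89.
        if out["age"] != "90+":
            out["birth_year"] = record["birth_date"].year
    if record.get("admission_date"):
        out["admission_year"] = record["admission_date"].year  # year only
    return out
```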
Examples of PHI and Non-PHI
In each of the following scenarios, both medical information and at least one identifying piece of information are present, making the medical information PHI:
- You work at the dentist’s office. You open an email attachment that lists the patients scheduled for next week. You see their first and last names, phone numbers, appointment dates, and expected procedures. This email attachment is PHI because it contains three identifiers (names, appointment dates, phone numbers) and medical information (expected procedures).
- As a patient, you walk into a clinic and see reports lying on the reception desk. You can see patients’ lab test results with their names and dates of birth. These reports are PHI because there is identifying information (names and DOBs) alongside the medical information (lab results). The clinic has also violated HIPAA by leaving PHI in plain view!
The following is not IIHI or PHI because no identifiers are attached to medical information or vice versa, making it impossible to identify the person:
- You walk out of a hospital and find a piece of paper on the ground with a person’s name and admission date on it. These are two identifiers. However, the paper isn’t PHI because it doesn’t list the name of a hospital and may not represent a person’s medical treatment. The paper could’ve come from anyone, and the “admission date” could refer to many things besides hospital admission.
- In the radiology department, you come across an X-ray of a hand. However, no information is attached to the image, making it impossible to know to whom it belongs. Therefore, the X-ray is not PHI; it is simply medical information.
We created a decision tree to help guide you through the process of determining whether a piece of information is protected by HIPAA. Download the decision tree below.
The HIPAAtrek platform helps practices and small hospitals create a fully customizable HIPAA management program. Learn how HIPAAtrek can help you navigate the complex world of HIPAA compliance. Contact us today.