Many people will be familiar with the concept of Protected Health Information, and know that it must be safeguarded under the Health Insurance Portability and Accountability Act of 1996. But what are examples of Protected Health Information? How is it distinguished from other categories of information?
The Health Insurance Portability and Accountability Act of 1996 covered many areas. However, it is now most widely known for its rules governing the use, protection, and dissemination of private patient data. This data is usually highly sensitive in nature, and its acquisition by criminals could lead to identity theft, insurance fraud, or other negative consequences for the patient.
But not all types of information are protected under HIPAA. Specifically, HIPAA’s Privacy Rule defines “Protected Health Information” as data that relates to the past, present, or future medical condition of a patient, treatment plans for those conditions, and payment for healthcare. It must be generated, maintained, or received for a HIPAA-covered transaction (which relates to the administration, payment, or provision of healthcare), and can be in any format.
Importantly, this data is only considered to be PHI if it is generated or maintained by a HIPAA Covered Entity (CE) or one of their Business Associates (BAs). Broadly, CEs are health plans, healthcare clearinghouses, or healthcare providers, and BAs are third parties that have entered into a Business Associate Agreement with a CE. Both parties have a duty under HIPAA to ensure that PHI is safeguarded, and is not used for malicious purposes.
But what is this protected data? What are examples of protected health information? One of the key things that distinguishes PHI from other kinds of health data is that it must be individually identifiable. That is, it must contain one of the 18 HIPAA identifiers, pieces of data that can be used to trace the originator of the PHI. The identifiers are as follows:
- Address (all geographic subdivisions smaller than state, including street address, city county, and zip code)
- All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
- Telephone numbers
- Fax number
- Email address
- Social Security Number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate or license number
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URL
- Internet Protocol (IP) Address
- Finger or voice print
- Photographic images
- Any other characteristic that could uniquely identify the individual
There is no distinction between how “generic” these pieces of information are. That is to say, “Mr Campbell from Manhattan, New York” is equally as protected as “Mr Campbell from Geneva, New York”, even though there are many more people in Manhattan than in Geneva. This is both for practical reasons, and because in the age of modern technology, it would not actually be that difficult to identify a Mr Campbell from Geneva, New York. Therefore, all health information that contains these identifiers is protected.
However, it is possible to “de-identify” health information by removing all instances of these identifiers (or removing enough that it would be impossible, even for an expert, to identify the patient in question). The data has then been anonymized, and is no longer subject to HIPAA protections.
There are some categories of health data that are not protected. For example, medical records held by educational institutes are covered by FERPA, not HIPAA. Additionally, any health data collected by personal wearable devices are not covered by the Act as the data is not collected by a Covered Entity (though if the data were then handed over to a CE, it would become PHI).
So what are examples of Protected Health Information? Data ranging from diagnoses, prescriptions, medical images, receipts for the payment of treatment, referral letters, and details of health plans can all be considered PHI, so long as they contain HIPAA identifiers.