Explaining what is considered Protected Health Information under HIPAA can be complicated because, although individually identifiable health information is always protected when it is created, received, maintained, or transmitted by a Covered Entity or Business Associate, the information stored with health information can sometimes be considered Protected Health Information under HIPAA – and sometimes not.
The Administrative Simplification Regulation of HIPAA defines individually identifiable health information as “information […] collected from an individual […] that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or […] can be used to identify the individual.”
When individually identifiable health information is “transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium” (by a Covered Entity or Business Associate) it meets the definition of Protected Health Information. Information of this nature is usually maintained in a designated record set – which is “a group of records […] used in whole or part by Covered Entities to make decisions about individuals.”
More about Designated Record Sets and Protected Health Information
It is important to be aware that a designated record set can include any number of items – including a single item – and that individuals can have multiple designated record sets maintained by the same organization. For example, a picture of a newborn child on a pediatrician's baby wall is individually identifiable health information in a single-item designated record set. However, the child will likely have a full medical record in another designated record set elsewhere in the medical facility.
Additionally, the child will likely feature in their mother's medical history; and, if the birth of the child and subsequent care were covered by health insurance, the insurance company will also be maintaining Protected Health Information about the child in the policy owner's designated record set – notwithstanding that if the eligibility, authorization, and claims processes were outsourced, a Business Associate will also have a designated record set containing Protected Health Information.
The reason why it is important to be aware of Protected Health Information and designated record sets is that individuals have the right to request a copy of Protected Health Information maintained in each designated record set to review the information maintained about them and request corrections when errors or omissions exist. Individuals also have the right to request an accounting of disclosures so they can see who their health information has been disclosed to.
What is – and What is Not – Considered Protected Health Information under HIPAA
Explaining what is considered Protected Health Information under HIPAA can get complicated when the discussion turns to the “HIPAA identifiers”. The HIPAA identifiers are the eighteen items of identifying information that must be removed from a designated record set before any health information remaining in the designated record set is no longer protected by the Privacy Rule because it is no longer individually identifiable health information.
This has led a lot of people to believe the eighteen identifiers are considered Protected Health Information under HIPAA. However, this is only the case if an identifier is maintained in a designated record set along with an individual's health information. If any identifiers are maintained outside a designated record set, they are not Protected Health Information and not protected by the Privacy Rule – although other federal and state privacy laws may apply or preempt HIPAA.
It is also the case that the list of eighteen HIPAA identifiers was compiled more than twenty years ago, and since then there have been many changes to the ways in which people can be identified. For example, if an individual uses a social media alias that is not their name, this might not be removed from a designated record set even though it could be used to identify them. Similarly, details of an emotional support animal could also be used to identify an individual.
Conclusion: Treating All Identifying Information as if it is Protected is Not the Solution
Because of misunderstandings about what is considered Protected Health Information under HIPAA, some organizations opt to treat all identifying information as if it is protected. This is not a good solution because it can prevent the flow of organization and create inefficiencies. Therefore, if you are still unsure about what is considered Protected Health Information under HIPAA, it is recommended that you seek professional compliance advice.