PHI in HIPAA is health information that relates to an individual’s past, present, or future physical or mental health condition, treatment for the health condition, or payment for the treatment, that is created, received, stored, or transmitted by a HIPAA covered entity or business associate.
Any health information that qualifies as PHI in HIPAA, and any individually identifiable non-health information that could identify the subject of the PHI that is maintained in the same “designated record set”, is protected from impermissible uses and disclosures by the Privacy and Security Rules.
However, some sources answer the question “what is PHI in HIPAA?” by referring to the 18 HIPAA identifiers listed in §164.514 of the Privacy Rule. These identifiers are not PHI if they are not maintained in the same designated record set as individually identifiable health information. This article explains why.
Designated Record Sets Explained
A designated record set is a set of one or more records maintained by a covered entity or business associate that is used to make decisions about an individual’s healthcare or health insurance status. An example of a designated record set is when a healthcare provider maintains a file containing some or all of an individual’s medical history.
A covered entity can have multiple designated record sets pertaining to the same individual. For example, it would not be necessary for a dental nurse, a pediatrician, or a dietician to have access to an individual’s full medical history, so each might maintain a separate designated record set about the individual. Each designated record set would have its own access controls.
Each designated record set will contain a combination of individually identifiable health information (e.g., x-rays, diagnoses, treatments) and individually identifiable non-health information (e.g., telephone number, partner’s contact details, social security number). All of the information in each designated record set is protected from impermissible uses and disclosures by HIPAA.
However, if individually identifiable non-health information is maintained in a separate database – for example, to facilitate transport arrangements – the non-health information loses its “protected status”. This is why the 18 HIPAA identifiers are not PHI in HIPAA at all times: there may be occasions when these identifiers are maintained in a separate database for other purposes.
Why it is Important to Know What is PHI in HIPAA
It is important to know what is PHI in HIPAA to make sure information that qualifies as PHI is only used or disclosed in compliance with HIPAA. It can be equally important to know what is not PHI in HIPAA, to prevent information required for other purposes from being inaccessible to those who need it because they do not have the appropriate permissions to access a designated record set.
In such circumstances, it is possible that one member of the workforce may share their login credentials with a colleague to help the colleague “get the job done”. Although no malice is intended, this is still a violation of HIPAA for which sanctions could be applied by HHS’ Office for Civil Rights in the event of a HIPAA investigation or audit.
Covered entities and business associates that need to use individually identifiable non-health information for operational purposes should maintain this information in a separate database – but should note that, although the information no longer qualifies as PHI in HIPAA and is not subject to the protections of the Privacy and Security Rules, other state or federal data privacy laws may apply.