PHI – or Protected Health Information – is a term frequently used in articles discussing HIPAA compliance, yet the meaning of the term is sometimes misunderstood. It is important, though, for Covered Entities, Business Associates, and their workforces to know what is considered PHI under HIPAA – and what isn’t – because one of the primary objectives of HIPAA is to “protect the privacy of Protected Health Information” (HHS – HIPAA for Professionals – The HIPAA Privacy Rule).
If it is not fully understood what PHI is, it may not be possible to fully comply with the standards for permissible uses and disclosures of PHI, adequately respond to access requests from patients and health plan members, or accurately notify HHS’ Office for Civil Rights (OCR) of breaches of unsecured PHI. Alternatively, organizations may protect more information than is necessary and hinder the flow of health information – something HIPAA set out to avoid.
Therefore, before developing HIPAA-compliant policies, implementing measures to safeguard PHI, or developing HIPAA training courses, it is a good idea to know what PHI is so the policies, safeguards, and training courses do not leave gaps in compliance or hinder the flow of health information. And, it is not just Covered Entities, Business Associates, and their workforces who need to understand the meaning of PHI. Members of the public also need to know what is considered PHI.
Why do Members of the Public Need to Know What is PHI?
Members of the public need to know what is considered PHI because two-thirds of complaints to OCR are rejected after review. Not all rejections are attributable to misunderstandings of PHI, but misunderstandings are a major contributory factor. If two-thirds of complaints to OCR are rejected as unjustified, it is reasonable to expect a similar proportion of the complaints received directly by Covered Entities to be unjustified as well. Yet every complaint takes time to acknowledge, review, reply to, and document.
If Covered Entities could eliminate unjustified complaints attributable to misunderstandings of PHI, it would save Privacy Officers a substantial amount of time and enable them to redirect resources to building a more compliant workforce. So, how do you explain to members of the public what PHI is? There are several options. You can better educate your workforce, add a page to your website, or include more information in your Notice of Privacy Practices. Or all three!
Realistically, better educating your workforce is the best option. By providing workforce members with a thorough understanding of PHI, it will not only enable them to perform their functions compliantly – thus, reducing the number of complaints – but will also enable them to pass their knowledge onto patients and plan members who ask questions about the privacy and security of their health information – further reducing the number of complaints.
So, What Is Considered PHI under HIPAA?
To fully understand the meaning of PHI, you have to work backward through the definitions section of the Administrative Simplification Regulations (45 CFR §160.103). This is because PHI is defined as “individually identifiable health information” that is transmitted by or maintained in electronic media, or transmitted or maintained in any other form or medium. The definition carves out three exclusions: education records covered by FERPA, employment records held by a Covered Entity in its role as an employer, and records of individuals who have been deceased for more than 50 years. But what constitutes individually identifiable health information? In §160.103, this is defined as “a subset of health information, including demographic information collected from an individual,” that is created or received by a health care provider, health plan, employer, or health care clearinghouse, and that:
- Relates to the past, present, or future physical or mental health or condition of an individual,
- Or the provision of health care to an individual,
- Or the past, present, or future payment for the provision of health care to an individual,
- AND that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.
The backward journey through the definitions section doesn’t stop there because there is also a definition of “health information.” Health information is any information that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or payment for that health care – whether or not the individual can be identified from it. Importantly, health information can be “oral or recorded in any form or medium.” Therefore:
- The diagnosis of “a broken ankle” is health information.
- “Mrs. Jones has a broken ankle” is individually identifiable health information.
- If the words “Mrs. Jones has a broken ankle” are spoken, written down, or (for example) typed into an EHR by a Covered Entity or Business Associate, the diagnosis is Protected Health Information. The same words exchanged between two neighbors are not PHI, because HIPAA only governs information held by Covered Entities and Business Associates.
Why Designated Record Sets Matter
A designated record set is defined in the Privacy Rule as a group of medical and/or billing records maintained by or for a Covered Entity that is used in whole or in part to make decisions about individuals. Because a designated record set contains PHI, any other piece of information maintained in the same designated record set assumes the same degree of protection as the health, treatment, and payment information maintained in the designated record set.
Therefore, in the case of Mrs. Jones having a broken ankle, if her address and telephone number and the name of her husband are maintained in the same designated record set, these pieces of information assume the same degree of protection as the diagnosis of the broken ankle even though – taken out of context – these pieces of information are not relevant to Mrs. Jones’ physical condition, treatment for the condition, or payment for the treatment.
It is important to be aware that one individual can have multiple designated record sets, and that a designated record set can consist of a single item. For example, a picture of a newborn child on a pediatrician’s baby wall is a designated record set containing a single item of PHI. The reason this is important to know is that individuals have a right of access to the PHI maintained in each of their designated record sets (and, separately, a right to an accounting of certain disclosures of their PHI). So, it is not only necessary to know what PHI is, but where it is.
PHI and HIPAA Identifiers
Some sources discussing HIPAA compliance confuse PHI with the 18 HIPAA identifiers – the eighteen types of identifier (of the individual and of their relatives, employers, and household members) that must be removed from a designated record set under the “safe harbor” method of de-identification in §164.514(b)(2), so that the health information remaining in the record set is no longer individually identifiable and therefore no longer PHI. Identifiers on their own, however, are not PHI; it is their combination with health information that makes them PHI. Outside of a designated record set, and not linked with health information, these identifiers are not PHI.
Returning to Mrs. Jones, if her address and telephone number and the name of her husband are maintained in a database separate from her diagnosis, this group of records is not PHI because it does not contain individually identifiable health information. One caveat: if that database is a Covered Entity’s list of patients, the fact that Mrs. Jones appears in it reveals that she received health care, which is itself health information, and HHS treats such demographic records as PHI. If a note is added to the group of records reading “only call Mr. Jones about eyesight appointments – don’t text him”, the group of records becomes PHI because it contains health information about Mr. Jones’ eyesight.
This is not to say that individually identifiable (non-health) information does not need protecting when it is not maintained in a designated record set. Many states have enacted – or are in the process of enacting – comprehensive privacy laws that govern the privacy and security of individually identifiable information. Additionally, many state health information privacy laws define protected information more broadly than HIPAA does; because HIPAA does not preempt more stringent state law, these definitions apply in addition to HIPAA and can bring non-health information into scope.
There are More than 18 HIPAA Identifiers
Covered Entities, Business Associates, and members of their workforces should not rely on the 18 HIPAA identifiers to determine what is PHI because times have changed since the safe harbor method of de-identifying designated record sets was published in the Privacy Rule. There are now many more ways in which an individual could be identified by information in a designated record set beyond the 18 HIPAA identifiers. For example:
- If Mrs. Jones has an emotional support animal, and information about the animal could identify Mrs. Jones, that information identifies her and, held alongside her health information, qualifies as PHI.
- If Mrs. Jones uses social media and has a social media alias that is not a name (e.g., “hakuna-matata”), the alias also qualifies as PHI because it could be used to identify her.
- If Mrs. Jones broke her ankle in a workplace accident, and a de-identified report of the accident is maintained in the designated record set (e.g., “an employee broke their ankle and was taken to hospital”), the report is also PHI because it could be combined with other information to identify Mrs. Jones.
It is reasonable to ask why information about an emotional support animal, a social media alias, or a de-identified report might be maintained in a designated record set, but some of the identifiers currently listed in §164.514(b)(2) raise eyebrows too (e.g., vehicle identifiers and license plate numbers, IP addresses, web URLs). The list also closes with a catch-all – “any other unique identifying number, characteristic, or code” – and the safe harbor method additionally requires that the Covered Entity has no actual knowledge that the remaining information could be used to identify the individual. Therefore, it is safer to assume that any information maintained in a designated record set could identify the individual, and to protect it as PHI.
- Understand what is considered PHI under HIPAA, where it is maintained in your organization, and how best it should be protected.
- Develop policies and procedures that protect the privacy of PHI without hindering the flow of information for treatment, payment, and health care operations.
- Ensure all members of the workforce receive training on PHI so they can better perform their functions in compliance with HIPAA.
- Encourage members of the workforce to better educate members of the public in order to reduce unjustified complaints.
- Ensure your organization’s business partners have the same understanding of PHI and apply the same best practices to protect it.
- Manage designated record sets to reduce the administrative workload of responding to requests for access and requests for an accounting of disclosures.
- Ensure the workforce is aware of which disclosures of PHI require an authorization (e.g., displaying a picture of a newborn child on a pediatrician’s baby wall).
- Be aware there are more than 18 HIPAA identifiers. With a thorough understanding of what PHI is, you will be able to determine what constitutes a HIPAA identifier – and what doesn´t.
- By understanding what PHI is and applying your knowledge, your organization will operate more efficiently and more compliantly – further reducing complaints.
- Be aware that state health information privacy laws may set more stringent standards for the privacy and security of non-health information, and that such laws are not preempted by HIPAA.
If you encounter issues understanding what PHI is, applying your knowledge, or conveying your knowledge to members of the workforce, you are advised to seek professional compliance advice.