The Health Insurance Portability and Accountability Act (HIPAA) obligates covered entities to maintain safeguards that ensure the confidentiality, integrity, and availability of protected health information, but what is meant by protected health information?
It is worth first looking at two other important terms defined in the HIPAA Rules: a covered entity and a business associate. A covered entity is a healthcare provider, health plan, or healthcare clearinghouse that transmits health data electronically for transactions for which the U.S. Department of Health and Human Services (HHS) has adopted standards. A business associate is an organization or person that performs services for a HIPAA-covered entity which require access to, or the use of, protected health information.
What is Referred to as Protected Health Information?
Protected health information is the term given to health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates in relation to the provision of healthcare, healthcare operations, and payment for healthcare services. Protected health information is often abbreviated as PHI, or in the case of electronic health information, ePHI.
Definition of HIPAA Protected Health Information
Protected health information is something that “Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual” which is:
- Transmitted by electronic media;
- Maintained in electronic media; or
- Transmitted or maintained in any other form or medium.
Protected Health Information Incorporates…
Protected health information includes all individually identifiable health information, including demographic data, medical records, test results, insurance details, and any other data used to identify a patient or to provide healthcare services or healthcare coverage. ‘Protected’ means the data is protected under the HIPAA Privacy Rule.
Protected health information is defined in the Code of Federal Regulations and refers to health records, but not to educational records, which are covered by other federal regulations, nor to records held by a HIPAA-covered entity in its role as an employer. In the case of an employee-patient, protected health information does not include information held on the employee by a covered entity in its role as an employer, only information held in its role as a healthcare provider.
PHI does not include individually identifiable health information of persons who have been dead for more than 50 years.
What is Referred to as Individually Identifiable Health Information?
When individually identifiable health information is used by a HIPAA-covered entity or business associate in relation to healthcare services or payment, it is classified as protected health information.
There are 18 identifiers that can be used to identify, contact, or locate a person. If health information is stored together with any of these identifiers it is considered identifiable. If all of these identifiers are removed from PHI, it is no longer considered protected health information (see de-identification of protected health information).
- Names (full name, or last name and initial)
- All geographic identifiers smaller than a state, except for the first three digits of a ZIP code, provided that, according to the current publicly available data from the U.S. Bureau of the Census, the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; the first three digits of a ZIP code for all such geographic units containing 20,000 or fewer people are changed to 000
- Dates (other than year) directly linked to an individual
- Telephone numbers
- Fax contact numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers (including serial numbers and license plate numbers)
- Device identifiers and serial numbers
- Web Page Addresses/Uniform Resource Locators (URLs)
- Internet Protocol (IP) addresses
- Biometric identifiers, including finger, retinal, and voice prints
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code, except the unique code assigned by the investigator to code the data
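The identifier list above is the basis of the Safe Harbor de-identification method: strip the direct identifiers, reduce dates to the year, and truncate ZIP codes to three digits (or 000 for sparsely populated prefixes). The following Python is an added example, not code from the original article or from HHS; the record field names and the set of restricted ZIP prefixes are constructed placeholders, and a real deployment must load the restricted prefixes from current Census Bureau data.

```python
import re
from datetime import date

# Identifiers that Safe Harbor removes outright. The key names are assumed
# for this constructed record format, not taken from any standard schema.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account", "license", "vehicle_id", "device_serial", "url", "ip",
    "biometric", "photo",
}

def generalize_zip(zip_code: str, restricted_prefixes: set[str]) -> str:
    """Keep the first three digits, unless that prefix covers 20,000 or
    fewer people (a restricted prefix), in which case the rule requires 000."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    if len(prefix) < 3 or prefix in restricted_prefixes:
        return "000"
    return prefix

def generalize_date(value: str) -> str:
    """Dates other than the year are identifiers, so keep only YYYY."""
    return str(date.fromisoformat(value).year)

def deidentify_safe_harbor(record: dict, restricted_prefixes: set[str]) -> dict:
    """Return a copy of the record with the 18 identifiers removed or
    generalized. Free-text fields are passed through unchanged and still
    need a separate review for embedded identifiers."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # removed entirely
        if key == "zip":
            out[key] = generalize_zip(value, restricted_prefixes)
        elif key == "dob" or key.endswith("_date"):
            out[key] = generalize_date(value)
        else:
            out[key] = value              # clinical data is retained
    return out

# Constructed sample data: the prefixes are placeholders, not census figures.
SAMPLE_RESTRICTED = {"036", "102"}
SAMPLE_RECORD = {
    "name": "Jane Doe", "ssn": "123-45-6789", "email": "jane@example.com",
    "zip": "10201", "dob": "1987-04-12", "admission_date": "2023-01-05",
    "diagnosis": "Type 2 diabetes",
}

if __name__ == "__main__":
    print(deidentify_safe_harbor(SAMPLE_RECORD, SAMPLE_RESTRICTED))
```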
PHI Health Applications
There is some confusion about PHI and health apps, because such apps often collect information that would be classified as PHI if it were recorded or used by a healthcare provider. Health applications collect data such as heart rate readings together with personal identifiers. However, the data gathered by these applications and trackers is not always covered by the HIPAA Rules. App developers can be business associates, but normally they are not.
If a HIPAA-covered entity develops a health application for use by patients or plan members and it collects, uses, stores, or transmits protected health information, the information must be safeguarded in line with the HIPAA Rules.
If a physician simply recommends that a patient use a health app, for example to record BMI or heart rate data, the information is not subject to the HIPAA Rules, because the application was not developed for or on behalf of the physician.
A third-party health app developer would be classified as a business associate, and required to comply with HIPAA, if the application was created for a HIPAA-covered entity and it collects, uses, stores, or transmits identifiable health information, or if the developer is working with a HIPAA-covered entity to provide health monitoring services via the application.
Guidance on PHI and health apps was published by OCR in 2016 and is available as a PDF.
PHI and Digital Technology
The HIPAA Security Rule requires HIPAA-covered entities and their business associates to put safeguards in place to protect PHI that is created, used, received, stored, or transmitted in electronic form. Administrative, physical, and technical safeguards must be implemented to ensure the confidentiality, integrity, and availability of ePHI.
Failing to protect ePHI, and the privacy violations that follow, can result in substantial fines, although because HIPAA provides no private cause of action, patients affected by data breaches cannot sue HIPAA-covered entities for the exposure, theft, or impermissible disclosure of their PHI.
The HIPAA Privacy Rule sets out the permitted uses and disclosures of PHI and gives patients the right to receive a copy of the PHI held by their healthcare providers. Health IT can be used to help patients view their PHI, and many healthcare providers now allow patients to access some or all of their health information through patient portals. If only partial data is available through a patient portal, patients can still exercise their right to obtain all PHI in a designated record set held by their healthcare providers by submitting a formal request in writing.