There can sometimes be confusion about what information is protected by HIPAA due to some sources mistakenly implying that the 18 HIPAA identifiers in the de-identification process are protected by HIPAA at all times.
What information is protected by HIPAA is explained in Parts 160 and 164 of the Administrative Simplification Regulations. These sections state that individually identifiable health information is protected by HIPAA when it is maintained or transmitted by a Covered Entity and the information relates to:
- The past, present, or future health or condition of an individual,
- Or the provision of health care to an individual,
- Or the past, present, or future payment for the provision of health care,
- AND can be used to identify the individual.
Individually identifiable health information – and any information that could be used to identify an individual – is maintained in an individual's designated record set. The record set is used by healthcare providers and health plans to make decisions such as eligibility for health care, diagnosis of a condition, treatment of the condition, and payment for the treatment.
It is important to be aware that healthcare providers and health plans can maintain more than one designated record set per individual (i.e., different units in a hospital may maintain their own information about a patient), and further designated record sets may be created by Business Associates providing a service to or on behalf of a healthcare provider or health plan.
Why Understanding Designated Record Sets is Important
Understanding designated record sets is important because – provided individually identifiable health information meets the criteria listed above – the information is automatically protected by HIPAA. However, with regard to the “18 HIPAA identifiers” listed in §164.514 of the Privacy Rule, these are only protected by HIPAA when they exist in a designated record set.
To understand this point better, a name, address, or phone number is – by itself – not protected by HIPAA because it does not directly relate to an individual's condition, treatment, or payment for the treatment. Therefore, a database containing only names, addresses, and telephone numbers does not meet the criteria to be Protected Health Information and is not protected by HIPAA.
It is necessary to be aware of this distinction because if (for example) a nursing assistant urgently needed to contact the partner of a patient, and the telephone number is protected by access controls for which the nursing assistant does not have the appropriate credentials, a delay is likely while somebody with the right credentials is found to access the telephone number.
It is also necessary to be aware that, just because the telephone number in the above example is not protected by HIPAA, it does not mean that identifying information maintained outside a designated record set is not protected at all. Other federal and state laws may apply or preempt HIPAA due to their stronger protections. Therefore, it is important to know not only what information is protected by HIPAA, but also what information is protected by other federal and state laws.