What is Considered Protected Health Information?

If an organization is subject to the Health Insurance Portability and Accountability Act (HIPAA), it is important to know what is considered Protected Health Information under HIPAA, both to prevent impermissible uses and disclosures and to avoid the operational inefficiencies that come from over-protecting information that is not PHI.

HIPAA is a law passed in 1996 with the primary objective of improving the portability of health insurance between jobs and prohibiting health insurance companies from discriminating against employees with preexisting conditions. These measures imposed costs on health insurance companies, which Congress feared would be passed on to employers and plan members via higher premiums and/or higher deductibles.

To address this issue, Congress took steps to reduce health insurance companies' costs by tackling health insurance fraud and making the claims process more efficient. In order to make the claims process more efficient, Congress instructed the Secretary of Health and Human Services to develop standard transaction formats, introduce measures to safeguard the security of electronic transactions, and protect the privacy of individually identifiable health information.

The instruction led to the development of the Administrative Simplification provisions, a set of Rules that governs transactions between health insurance companies, healthcare providers, and health care clearinghouses. The General Administrative Requirements of the provisions (45 CFR Part 160) define what Protected Health Information is, while the Privacy Rule within the Administrative Simplification provisions (45 CFR Part 164, Subpart E) stipulates how Protected Health Information must be protected.

How Protected Health Information is Defined

The definition provided by the General Administrative Requirements (45 CFR §160.103) states Protected Health Information is individually identifiable health information "transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium"; so, to get a clearer picture of what is considered Protected Health Information, it is necessary to look at the definition of individually identifiable health information in the same section:

"Information […] collected from an individual […] that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care; and that identifies the individual or […] can be used to identify the individual." Therefore, when this information is transmitted or maintained by a HIPAA Covered Entity (or by a Business Associate on its behalf) it becomes Protected Health Information. The same definition carves out a few categories that are not PHI even though they may contain health information: education records covered by FERPA, employment records a Covered Entity holds in its role as an employer, and information about a person who has been deceased for more than 50 years.

Protected Health Information can only be used or disclosed for required, permitted, or authorized purposes as stipulated by the Privacy Rule. It must also be maintained in a designated record set so it can be reviewed by the subject of the information (i.e., a patient or health plan member) for omissions and inaccuracies. Additionally, Covered Entities are required to maintain an accounting of disclosures which the subject of the information can request; the accounting covers the six years before the request and excludes, among other things, disclosures made for treatment, payment, or health care operations and disclosures the individual has authorized.

What is Not Considered Protected Health Information

In addition to the subject's individually identifiable health information, any other information in the same designated record set that could be used, either separately or together with other information, to identify the subject of the health information is also protected. §164.514(b) of the Privacy Rule, in its "safe harbor" de-identification standard, lists 18 identifiers (name, address, phone number, etc.); these identifiers are classified as Protected Health Information if they are maintained in the same designated record set as health information, and all 18 must be removed before a data set can be treated as de-identified under the safe harbor method.

However, when these, or any other identifiers, are not maintained in a designated record set, they are not considered Protected Health Information under HIPAA. For example, if the name and telephone number of a patient's next of kin is maintained in a separate database, it is not considered Protected Health Information under HIPAA even though it would be if included in the same designated record set as the patient's health information.

This distinction is important because by over-protecting non-health related information, Covered Entities can experience operational inefficiencies. If, for example, a nursing assistant wanted to contact the next of kin but did not have the credentials to access the designated record set, the nursing assistant would have to ask a colleague with the necessary credentials to retrieve the information, not only creating a delay but also wasting resources.

It is therefore important not only that Covered Entities understand what is and is not considered Protected Health Information, but also that this knowledge is passed on to members of the workforce via HIPAA training and to patients/plan members via a Notice of Privacy Practices. When members of the workforce and patients/plan members understand what information is protected, the number of unnecessary complaints falls while operational efficiency is maintained.