

The Difference between Health Records and HIPAA Protected Health Information

The difference between health records and HIPAA Protected Health Information (PHI) is that, while many types of organizations can maintain health records about individuals, only organizations covered by HIPAA are required to protect health information to the standards required by the HIPAA Privacy and Security Rules.

Not all health records are protected by HIPAA. For example, if you provide health information to an employer, a bank, or an auto insurance company, the health records maintained by these organizations are not protected by HIPAA. This is because these organizations do not qualify as HIPAA covered entities or business associates of HIPAA covered entities.

This does not mean health records are not protected at all when they are maintained by “non-covered” organizations. Most states have enacted privacy laws that protect health records when they are not protected by HIPAA. In addition, most industries have standards that govern how sensitive personal information must be protected against unauthorized access.

Why it May Be Important to Understand the Difference between Health Records and HIPAA PHI

As a consumer, the reason it may be important to understand the difference between health records and HIPAA PHI is that you have more control over your health information if it is protected by HIPAA. The HIPAA Privacy Rule gives individuals the right to control how their PHI is used, who their PHI is disclosed to, and when their PHI should be withheld.

In addition, when health information is protected by HIPAA, individuals have the right to obtain copies of their PHI, have corrections made when errors or omissions exist, and request an accounting of disclosures to monitor who their PHI has been shared with. If any of these rights are denied, individuals can file a complaint with HHS’ Office for Civil Rights.

As a “non-covered” organization, the reason it may be important to understand the difference between health records and HIPAA PHI is that many consumers do not understand it. In such cases, consumers may expect your organization to accommodate their HIPAA rights, even though it does not have to.

The way to overcome this issue is to have a Privacy Policy that clearly indicates which laws and/or regulations your organization is subject to. It can also be a good idea in these circumstances to highlight that the organization is not required to comply with HIPAA and what rights – if any – individuals have over how their health records are used.

Who Qualifies as HIPAA Covered Entities?

Health information is protected by HIPAA when it is created, received, stored, or transmitted by an organization that qualifies as a HIPAA covered entity. Organizations that qualify as HIPAA covered entities include health plans, health care clearinghouses, and healthcare providers that conduct electronic transactions for which standards exist in Part 162 of HIPAA.

Part 162 of HIPAA governs electronic transactions such as eligibility checks, treatment authorizations, and payment claims between healthcare providers and health plans (via clearinghouses when necessary). If a healthcare provider does not conduct these types of transactions, or does not conduct them electronically, they do not qualify as a covered entity.

Third party organizations that provide a service for or on behalf of a HIPAA covered entity are also required to protect health information when health information is used or disclosed during the provision of a service. For example, if a covered entity creates, receives, stores, or transmits PHI via an Office 365 service, Microsoft is a business associate of the covered entity.

This can lead to scenarios in which a healthcare provider who does not qualify as a covered entity (e.g. because they bill patients directly) works as a business associate for a covered entity when patients are referred to them (e.g. for counselling). In such cases, the healthcare provider can either fully comply with HIPAA or operate as a hybrid entity.

What Health Information is Protected by HIPAA?

Health information protected by HIPAA is individually identifiable health information that relates to an individual’s health condition, treatment for the condition, or payment for the treatment. Information of this nature is maintained in a “designated record set” and an individual can have multiple record sets per covered entity or business associate.

In addition, any individually identifying non-health information maintained in the same record set as PHI assumes the same protections. For example, if a designated record set includes a patient’s test results and their email address to send the results to, the email address qualifies as PHI even though – on its own – it is not related to a health condition, treatment, or payment.

However, when non-health information is not maintained in a designated record set with PHI it is not protected by HIPAA. If a covered healthcare provider maintains a separate database of names, telephone numbers, email addresses, etc., HIPAA protections do not apply to the separate database – although other state and industry regulations may.

In this case, the distinction between non-health records and HIPAA PHI is important because HIPAA rights only extend to information maintained in designated record sets. Individuals have no rights to know what non-health records are maintained by a HIPAA covered entity or business associate unless the non-health records are hacked in a security incident.

Exceptions to HIPAA Protections

There are many examples of exceptions to HIPAA protections. These include when a disclosure of PHI is required to comply with a law or public health regulation – even if an individual does not consent to the disclosure – or when a disclosure of PHI is required by an administrative subpoena (subject to certain conditions being met).

HIPAA covered entities can disclose PHI to a financial institution for payment processing purposes without a Business Associate Agreement being in place. PHI can also be disclosed to “affiliates” – unless an individual specifically declines to allow this practice during events such as an appointment check-in – and then used for targeted marketing.

HIPAA authorizations can also result in exceptions to HIPAA protections when an individual authorizes a disclosure of PHI which the covered entity will have no control over once PHI has been disclosed. In such cases, it is possible that health information about an individual could be widely shared and potentially misused without the disclosure constituting a HIPAA violation.

Due to the number of exceptions to HIPAA protections, it is not only important to understand the difference between health records and HIPAA PHI, but also what health information is protected by HIPAA and when the protections do not apply. Individuals and organizations unsure about the distinction between health records and HIPAA Protected Health Information are advised to seek legal advice.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
