
What is Protected Health Information?

Protected Health Information is an individual’s health, treatment, or payment for treatment information – and certain information maintained in the same data set that could identify the individual – when the information is maintained or transmitted by an organization covered by HIPAA.

“What is Protected Health Information?” is a question many sources struggle to answer correctly, because the relevant definitions are spread across the HIPAA Administrative Simplification provisions rather than stated in one place. This article assembles the full and correct definition of Protected Health Information from those provisions.

You can also use our free Protected Health Information Guide to learn how to safeguard your organization’s PHI.

The HIPAA Administrative Simplification provisions (45 CFR Parts 160, 162, and 164) are intentionally “flexible” because they have to relate to the activities of different types of health plans, health care clearinghouses, and qualifying healthcare providers (collectively known as “covered entities”), and of third-party service providers to covered entities (collectively known as “business associates”).

Additionally, as Rules were added to the HIPAA Administrative Simplification provisions (i.e., the HIPAA Privacy, Security, and Breach Notification Rules), and as those Rules were subsequently amended by the HITECH Act and the HIPAA Omnibus Rule, definitions were added to different Parts and Subparts, making it even more difficult to find an accurate explanation of what is Protected Health Information.

Consequently, several sources have defined Protected Health Information as the list of identifiers that must be removed from health information before it is considered de-identified under the “safe harbor” method (see §164.514(b)(2)). That list is a de-identification test, not a definition of Protected Health Information, and the confusion is so deep-rooted that it is difficult to know where to start dismantling it.

What is Protected Health Information?

To provide an accurate Protected Health Information definition, it is necessary to review the definitions of “health information” and “individually identifiable health information” as they appear in the General HIPAA Provisions (§160.103). Starting with “health information”, this is defined as any information, including genetic information, whether oral or recorded in any form or medium, that:

“Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.”


At this point, it is important to note that HIPAA only applies to health plans, health care clearinghouses, and healthcare providers that conduct electronic transactions for which the Department of Health and Human Services (HHS) has adopted standards. Therefore, not all healthcare providers are subject to HIPAA – although state privacy regulations may still apply to patient information maintained by non-qualifying providers.

Continuing with our explanation of what is Protected Health Information, the definition of individually identifiable health information states “individually identifiable health information […] is a subset of health information, including demographic information collected from an individual [that] is created or received by a health care provider, health plan, employer, or health care clearinghouse […] and that identifies the individual or […] can be used to identify the individual.”

Finally, we arrive at the definition of Protected Health Information, defined in the General HIPAA Provisions as “individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium”. The same definition carves out a small number of exclusions: individually identifiable health information in education records covered by FERPA, in employment records held by a covered entity in its role as an employer, and about a person who has been deceased for more than 50 years. While this seems to answer the question what is Protected Health Information, it is not a complete answer.


Designated Records Sets and HIPAA Identifiers

The reason the definitions above do not fully answer the question what is Protected Health Information is that it still needs to be explained where the HIPAA identifiers fit into the definition and why sources have mistaken the identifiers as a definition of Protected Health Information. After all, since when has a license plate number had anything to do with an individual’s health?

The key to understanding what is included in Protected Health Information is designated record sets. A designated record set (as defined in §164.501) is a group of medical and/or billing records maintained by or for a covered entity, or any other group of records used in whole or in part to make decisions about individuals. The same section defines a “record” as any item, collection, or grouping of information, so a designated record set can consist of a single item.

Therefore, any individually identifiable health information created or received by a covered entity, or by a business associate providing a service to or on behalf of a covered entity, is a designated record set (or part of one) by virtue of being a medical or billing record. This means that all such medical information qualifies for the protections of the HIPAA Privacy and Security Rules. Additionally, any item of non-health information maintained in the same designated record set that identifies, or can be used to identify, the individual assumes the same protections, because it is maintained alongside the patient’s health, treatment, or payment information.

Therefore, if a designated record set contained a patient’s name, diagnosis, treatment, payment details and license plate number, the license plate number is Protected Health Information. However, if the license plate number is kept separate from the patient’s health information (for example, in a hospital parking database), it is not Protected Health Information.

The same applies to the other identifiers listed in §164.514. If any identifier is maintained in the same designated record set as Protected Health Information, it must be protected as if it were Protected Health Information. However, if any identifier is maintained separately from Protected Health Information, it is not subject to HIPAA – although state privacy regulations may apply.

What Else is Included in Protected Health Information?

A further issue with using the identifiers listed in §164.514 to explain what is Protected Health Information is that the list was created more than twenty-five years ago, and there have been multiple changes since then in the ways individuals can be identified. For example, the list does not explicitly mention social media handles, LGBTQ statuses, or Medicare Beneficiary Identifiers.

The (incorrect) definition of Protected Health Information also fails to include emotional support animals – which are an excellent example of when the same information can be both included in Protected Health Information and not included in Protected Health Information. Here is why:

  • Patient A has an emotional support dog. Information about the dog is maintained in the patient’s designated record set because healthcare professionals may need to know the patient has an emotional support animal when making healthcare decisions. In this scenario, the information about the emotional support dog is protected by the HIPAA Privacy Rule.
  • Information about the dog is also maintained on a separate database with the patient’s name and address because this information is needed to transport the patient to and from appointments. As there is no health or payment information maintained in the database, the information relating to the emotional support dog in the separate database is not protected by the HIPAA Privacy Rule.
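The designated-record-set rule from the preceding sections, and the emotional-support-dog scenario just above, expressed as the kind of data-classification check a data-inventory or DLP tool might apply. This is an added example, not code from the HIPAA Journal article. The field names, the constructed sample records, and the mapping of field names onto the §164.514(b)(2)(i) identifier categories are assumptions made for illustration; the point it shows is that the same license plate or dog is labelled PHI in one record set and not in another, and that moving identifiers out of a chart does not by itself make the remaining health information de-identified.

```python
"""Toy PHI classifier that applies the designated-record-set rule.

Added example, not code from the HIPAA Journal article. Field names, sample
records, and the field -> identifier-category mapping are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Identifier categories from 45 CFR 164.514(b)(2)(i), keyed by the field names
# this toy schema uses (the name -> category mapping is an assumption).
SAFE_HARBOR_IDENTIFIER_FIELDS = frozenset({
    "name", "address", "dob", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "certificate_number", "license_plate",
    "device_serial", "url", "ip_address", "biometric", "photo", "other_unique_id",
})

# Fields carrying "health information" in the §160.103 sense: condition,
# treatment, or payment for treatment.
HEALTH_INFORMATION_FIELDS = frozenset({"diagnosis", "treatment", "medication", "payment"})

PHI = "PHI"
NOT_PHI = "not-PHI"                      # identifier held apart from health information
OUTSIDE_HIPAA = "outside-HIPAA"          # holder is neither a covered entity nor a BA
HEALTH_NO_IDENTIFIER = "health-without-listed-identifier"


@dataclass(frozen=True)
class RecordSet:
    """Records maintained together as one unit (a chart, a database, a file)."""
    name: str
    held_by_covered_entity_or_ba: bool
    fields: Dict[str, str]


def classify(rs: RecordSet) -> Dict[str, str]:
    """Label every field of the record set.

    The label is decided for the set as a whole: what makes an identifier PHI
    is the company it keeps, not the identifier itself.
    """
    if not rs.held_by_covered_entity_or_ba:
        # HIPAA does not reach the data at all; state privacy law may.
        return {f: OUTSIDE_HIPAA for f in rs.fields}
    has_health = not HEALTH_INFORMATION_FIELDS.isdisjoint(rs.fields)
    has_identifier = not SAFE_HARBOR_IDENTIFIER_FIELDS.isdisjoint(rs.fields)
    if has_health and has_identifier:
        # Individually identifiable health information: the whole designated
        # record set is protected, including non-health items stored in it.
        return {f: PHI for f in rs.fields}
    if has_health:
        # No listed identifier, but §164.514(b)(2)(ii) also requires that the
        # holder have no actual knowledge the remainder could identify the
        # person, so this is not automatically "de-identified".
        return {f: HEALTH_NO_IDENTIFIER for f in rs.fields}
    return {f: NOT_PHI for f in rs.fields}


def separate(rs: RecordSet, moved: Iterable[str], new_name: str) -> Tuple[RecordSet, RecordSet]:
    """Move the named fields into their own record set (e.g. a parking database)."""
    moved = set(moved)
    kept = {f: v for f, v in rs.fields.items() if f not in moved}
    split = {f: v for f, v in rs.fields.items() if f in moved}
    return (RecordSet(rs.name, rs.held_by_covered_entity_or_ba, kept),
            RecordSet(new_name, rs.held_by_covered_entity_or_ba, split))


# Constructed sample data (not real patient records).
CHART = RecordSet("clinic chart", True, {
    "name": "Patient A", "diagnosis": "anxiety disorder", "treatment": "CBT",
    "license_plate": "ABC 1234", "emotional_support_animal": "dog, 'Max'",
})
TRANSPORT = RecordSet("transport roster", True, {
    "name": "Patient A", "address": "12 Elm St", "emotional_support_animal": "dog, 'Max'",
})
GYM = RecordSet("gym membership", False, {"name": "Patient A", "diagnosis": "asthma"})

if __name__ == "__main__":
    for rs in (CHART, TRANSPORT, GYM):
        print(rs.name, classify(rs))
    chart_only, parking = separate(CHART, {"name", "license_plate"}, "parking database")
    print(parking.name, classify(parking))
    print(chart_only.name, classify(chart_only))
```

Run as a script it prints the labels for the three constructed record sets, then for the chart after its name and license plate have been split off into a parking database: the plate is PHI in the chart and not-PHI in the parking database, the dog is PHI in the chart and not-PHI in the transport roster, and the chart stripped of listed identifiers is flagged for review rather than silently treated as de-identified.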

It is important to know what is Protected Health Information – and what isn’t – because you may be protecting too little information, or too much. If you protect too little information, the risk exists of HIPAA violations and data breaches; while, if you protect too much, you could be obstructing the flow of information in a healthcare environment. Because of the volume of misinformation relating to Protected Health Information, it is important that all members of the workforce receive HIPAA training on what is Protected Health Information in order to support HIPAA compliance. If you require any further information about what is Protected Health Information, you should seek professional compliance advice.

FAQs

Would patient information such as “Mrs. Green from Miami” be considered PHI?

Patient information such as “Mrs. Green from Miami” would be considered PHI if it is maintained in the same designated record set as the patient’s health, treatment, or payment information.

What are allowable uses and disclosures of PHI?

Allowable uses and disclosures of PHI are uses and disclosures of information for purposes allowed by the HIPAA Privacy Rule that do not require a patient’s consent or authorization. These include – but are not limited to – uses for treatment, payment, and healthcare operations, and disclosures to public health agencies for some communicable diseases.

What are incidental uses and disclosures of PHI?

Incidental uses and disclosures of PHI are those that occur accidentally as a by-product of another allowable use or disclosure. Provided the covered entity or business associate has applied reasonable safeguards and implemented the minimum necessary standard with respect to the primary use or disclosure, there is no violation of HIPAA.

Can you provide an example of an incidental disclosure?

An example of an incidental disclosure is when an employee of a business associate walks into a covered entity’s facility and recognizes a patient in the waiting room. Although the business associate does not need to know the identity of any patients at the covered entity’s facility, the business associate has a compliant business associate agreement in place and is visiting the facility to carry out work described in the agreement. Therefore, the disclosure of PHI is incidental to the compliant work being done.

Would a personal wearable device such as a step counter be considered a PHI health app?

A personal wearable device such as a step counter can be considered a PHI health app if it collects, uses, and/or stores data, and that data is transmitted to – or downloaded at – a physician’s office or healthcare facility. In such cases, the data is protected by the Federal Trade Commission Act while it is on the device (because the data is in the possession of the device vendor) and protected by the HIPAA Privacy Rule when it is in the possession of a covered physician or healthcare facility.

What is PHI information?

“PHI” is an acronym for Protected Health Information, so the phrase “PHI information” is redundant. As discussed in the article, PHI is any individually identifiable health information created or maintained by a covered entity or business associate, plus any identifying non-health information maintained in the same designated record set.

What is PHI in healthcare?

PHI in healthcare stands for Protected Health Information – any information relating to a patient’s condition, treatment for the condition, or payment for the treatment when the information is created or maintained by a healthcare provider that fulfills the criteria to be a HIPAA covered entity.

Is a picture of a baby on a baby wall an example of PHI?

Not only is a picture of a baby on a baby wall an example of PHI, but it is an example of PHI that needs an authorization before the picture can be displayed because it implies the provision of past treatment to an identifiable individual. Naturally, in these circumstances, the authorization will have to be provided by the baby’s parents or their personal representative.

What is patient health information?

Patient health information can have several meanings. It can be used as an alternative term for Protected Health Information but is more likely to refer to a patient’s medical records rather than their medical and payment records. Nonetheless, patient health information maintained by a HIPAA covered entity or business associate must be protected by HIPAA Privacy Rule safeguards.

What qualifies as Protected Health Information?

What qualifies as Protected Health Information depends on who is creating or maintaining the information and how it is stored. All individually identifiable health information qualifies as Protected Health Information when it is created or maintained by a HIPAA covered entity or business associate.

Additionally, any non-health information that is maintained in the same designated record set as individually identifiable health information qualifies as Protected Health Information if it identifies – or could be used to identify – the subject of the individually identifiable health information.
