Book:HIPAA Compliance: An Introduction/Protected health information
Protected health information
At the center of all of HIPAA and HITECH is a single term and its definition: protected health information or PHI. This is the information that can be linked to a patient and has been identified by the U.S. government as being private to a patient. As such, PH is protected by both the Privacy Rule and Security Rule of HIPAA, as well as HITECH (for electronic PHI). These protections exist so that unauthorized sharing is prevented or at least minimized, and access is controlled, with significant sanctions and measures available to be applied in the even of breaches.
The HHS and the Privacy Rule define PHI in the following way:
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."
“Individually identifiable health information” is information, including demographic data, that relates to:
- ▪ the individual’s past, present or future physical or mental health or condition,
- ▪ the provision of health care to the individual, or
- ▪ the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
According to the Privacy Rule, PHI does not include employment records that a covered entity maintains in its capacity as an employer, and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.
HIPAA lists 18 identifiers that qualify as PHI, and as such they must be kept secure and private in the ways that are set down in HIPAA and HITECH. These identifiers are:
- all geographical subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
- all elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- phone numbers
- fax numbers
- electronic mail (email) addresses
- Social Security numbers
- medical record numbers (MRNs)
- health plan beneficiary numbers
- account numbers
- certificate/license numbers
- vehicle identifiers and serial numbers, including license plate numbers
- device identifiers and serial numbers
- web addresses or Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- biometric identifiers, including finger and voice prints
- full face photographic images and any comparable images
- any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
There are also additional standards and criteria to protect individual's privacy from re-identification. Any code used to replace the identifiers in data sets cannot be derived from any information related to the individual and the master codes, nor can the method to derive the codes be disclosed. For example, a subject's initials cannot be used to code their data because the initials are derived from their name. Additionally, the researcher must not have actual knowledge that the research subject could be re-identified from the remaining identifiers in the PHI used in the research study. In other words, the information would still be considered identifiable if there were a way to identify the individual even though all of the 18 identifiers were removed.
The government recognizes that there are instances where there is a need to use and/or transmit PHI. Since the key here is whether it can be used to identify the individual, HIPAA provides for two approved "de-identification" methods.
The first is the “Safe Harbor” approach, which permits a covered entity to consider data to be de-identified if it removes the 18 types of identifiers and has no actual knowledge that the remaining information could be used to identify an individual either alone or in combination with other information.
The second method is the "Statistical" approach, which allows disclosure of PHI in any form provided that a qualified statistical or scientific expert concludes, through the use of accepted analytic techniques, that the risk the information could be used alone or in combination with other reasonably available information to identify the subject is very small (statistically insignificant).
Privacy Rule: General principle for use and disclosure
In general, to help in deciding when to disclose or not, it is useful to keep the Privacy Rule's purpose in mind: to define and limit the circumstances in which an individual’s protected heath information may be used or disclosed by covered entities.
A covered entity may not use or disclose protected health information, except either:
- as the Privacy Rule permits or requires; or
- as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
Similarly, there are only two cases where a covered entity is actually required to disclose PHI:
- when the individual to whom the PHI applies (or authorized representative) requests it in writing; or
- when the HHS is undertaking a compliance investigation, review or enforcement action and requests it.
- Office for Civil Rights (26 July 2013). "Summary of the HIPAA Privacy Rule". United States Department of Health and Human Services. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html. Retrieved 09 February 2022.
- "Code of Federal Regulations, Title 45, Subtitle A, Subchapter C, Part 164, Subpart E, 164.514". U.S. Government Publishing Office. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.514. Retrieved 09 February 2022.
- Office of Civil Rights (28 March 2017). "Workshop on the HIPAA Privacy Rule's De-Identification Standard". U.S. Department of Health & Human Services. https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/2010-de-identification-workshop/index.html. Retrieved 09 February 2022.
Citation for this section
Title: HIPAA Compliance: An Introduction - Protected health information
Author for citation: Alan Vaughan, with editorial modifications by Shawn Douglas
License for content: Creative Commons Attribution-ShareAlike 4.0 International
Publication date: Originally published June 2016; compiled and lightly edited February 2022