Are Initials Considered PHI?

by James Keogh

Initials are considered PHI when they are maintained in a designated record set by a HIPAA covered entity with other information relating to an individual’s health condition, treatment for the condition, or payment for the treatment, and the initials could be used to identify the subject of the health, treatment, or payment information.

One of the objectives of the HIPAA Administrative Simplification Regulations is to protect health information from misuse so it is not used to commit fraud or medical identity theft. The HIPAA Privacy Rule defines Protected Health Information (PHI) as individually identifiable health information maintained or transmitted by a HIPAA covered entity that:

“Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) there is a reasonable basis to believe the information can be used to identify the individual.”

As an individual’s initials could be used to identify the individual, they are considered PHI when they are maintained in the same designated record set as individually identifiable health information – a designated record set being a group of records maintained by or for a HIPAA covered entity that is used to make treatment and payment decisions about the individual.

Why Are Initials Considered PHI?

The issue of whether initials are considered PHI originates from a misunderstanding of the requirements for the deidentification of PHI using the safe harbor method (see §164.514(b)(2)). This standard lists 18 identifiers that have to be removed from a designated record set before any health, treatment, or payment information remaining in the designated record set is considered de-identified and is no longer protected by HIPAA.

Some sources have misinterpreted the list as defining what is considered PHI under HIPAA, and because “initials” does not appear on the list, they conclude that initials are not considered PHI. This logic is incorrect for two reasons: 1) the list of identifiers does not determine what is considered PHI under HIPAA, and 2) the list was compiled more than twenty years ago, and many more ways to identify an individual have emerged since then.

Effectively, any information that could be used to identify an individual is considered PHI when it is maintained with individually identifiable health information. Therefore, in addition to initials being considered PHI in most circumstances, social media aliases and photos of emotional support animals (neither of which are on the “list”) could also be considered PHI if they could be used to identify the subject of health, treatment, or payment information.

When Are Initials Not Considered PHI?

Initials are not considered PHI when they are maintained by an organization that does not qualify as a HIPAA covered entity or business associate, or when they are maintained in a database with information that does not qualify as individually identifiable health information because it does not relate to an individual’s health, treatment, or payment.

Many organizations that create, receive, store, or transmit individually identifiable health information do not qualify as HIPAA covered entities or business associates – including healthcare organizations that do not conduct electronic healthcare transactions for which the U.S. Department of Health and Human Services has adopted standards.

Even when an organization does qualify as a HIPAA covered entity, initials are not considered PHI if they are maintained in a database that is not used to make treatment and payment decisions about an individual – for example, a marketing database. However, in these circumstances, state privacy and security laws apply in the event of data breaches.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]