Misunderstandings about what information is protected by HIPAA can result in operational inefficiencies or impermissible uses and disclosures of PHI.
Misunderstanding about what information is protected by HIPAA are often attributable to a lack of understanding about what Protected Health Information is. According to the definitions section of the Administrative Simplification Provisions (§160.103), Protected Health Information is individually identifiable health information maintained or transmitted by a Covered Entity in any form that:
- Relates to the past, present, or future physical or mental health or condition of an individual,
- Or the provision of health care to an individual,
- Or the past, present, or future payment for the provision of health care to an individual,
- AND that identifies the individual or can be used to identify the individual.
Individually identifiable health information that relates to an individual´s condition, treatment for the condition, or payment for the treatment is most commonly maintained in one or more “designated record sets”. These are sets of information used by a Covered Entity to make decisions relating to the provision of health care such as eligibility, diagnoses, treatments, and payments.
However, not only is any health information maintained in a designated record set protected, but also any other information that could be used to identify the individual to whom the health information pertains. This not only includes the “18 HIPAA identifiers” listed under §164.514 of the Privacy Rule, but any information that could be used separately or together with other information to identify an individual.
Therefore, if information about a patient´s emotional support animal is maintained in a designated record set, the information is protected by HIPAA. Similarly, if the patient uses a social media alias through which they could be identified, this information is protected by HIPAA as well – provided it is maintained in a designated record set used by a Covered Entity or Business Associate.
Misunderstandings about What Information is Protected by HIPAA
Misunderstandings about what information is protected by HIPAA can also be caused by some online sources giving the impression that the “18 HIPAA identifiers” are Protected Health Information in all circumstances. Inasmuch as any identifier is protected information when it is maintained in a designated record set, this is not the case when it is maintained separately from health information.
The Privacy Rule only has the objective of “protecting the privacy of Protected Health Information” and although identifiers such as fax numbers, vehicle registration numbers, IP addresses, etc. could be used to identify an individual, they are not health information, so do not assume the protections of health information if they are not maintained in the same record set as health information.
Because of potential misunderstandings, there is a case for protecting all information as if it were individually identifiable health information. However, this can lead to operational inefficiencies if every element of data is secured by Privacy and Security Rule standards – for example, if a healthcare assistant does not have the correct login credentials to access a patient´s phone number.
Conversely, if Covered Entities, Business Associates, and their workforces do not understand what information is protected by HIPAA, and fail to protect individually identifiable health information, this can lead to impermissible uses and disclosures of PHI or data breaches, which can lead to complaints being made to the Department of Health and Human Services´ Office for Civil Rights.
No organization welcomes the disruption of a review, investigation, or corrective action plan, so it is important for Covered Entities and Business Associates to understand what information is protected by HIPAA and to train members of the workforce on HIPAA-complaint procedures and security awareness to prevent avoidable, impermissible disclosures of Protected Health Information.
Protected Health Information: FAQ
What is “anonymization”?
“Anonymization” is the process by which identifiers are removed from PHI. A large part of HIPAA is protecting patient privacy, and records or data that contain individually identifiable (non-health) information is protected when it is included in a designated record set. By removing all identifiers, it means that the bare health information can no longer be used to trace the identity of the individual to whom it pertains, so the information no longer needs to be protected.
Is “[email protected]” PHI?
Yes – even email addresses that do not contain any identifying information are considered to be PHI when they are included in designated record sets that contain health information. The logic behind this is twofold: first, with relatively little effort, the owner of the email address can be sourced. Secondly, it would be impractical for HIPAA to distinguish between different degrees of anonymity, so it is easier to apply a blanket statement and protect all email addresses.
What is the difference between PHI and ePHI?
The term PHI refers to all formats of Protected Health Information, while ePHI is a subset of PHI that relates to individually identifiable health information created, received, stored, or transmitted electronically (which is where the “e” in “ePHI” comes from). All forms of PHI, irrespective of the format (physical, verbal, or electronic) or the media on which it is stored is protected under HIPAA.
Does HIPAA protect employment records?
No, HIPAA does not apply to employment records, even if the records contain health-related information or the employer is a Covered Entity or a Business Associate providing a service for or on behalf of a Covered Entity. Additionally, if an employer asks a healthcare provider directly for information about an employee, the provider cannot disclose the information without an authorization from the employee (unless other laws require them to do so).