The HIPAA rules all speak of “protected health information,” or PHI. What does that really cover? It is important to understand what it is so that you are sure you have the correct protections in place. Let’s explore the definition of PHI a bit here. The rule defines individually identifiable health information as:
Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and…
1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and 1. That identifies the individual; or 2. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
It then goes on to define “protected health information” in this way: Protected health information, or PHI, is individually identifiable health information:
1. Transmitted by electronic media; or
2. Maintained in electronic media; or
3. Transmitted or maintained in any other form or medium.
What that tells us is that it covers health information in ANY form. While the privacy rule applies to the information in any form, the security rule focuses on information that is created and stored electronically, including spoken conversations.
What about De-Identified Information?
The rules do allow for the use of information if it is de-identified. What is important to remember here is that the rule includes several things that must be removed before something is considered de-identified. Here’s the list:
(B) All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this
Historically, we have faithfully removed all demographic information from the headers of a report, and we have used the words “the patient” when a physician dictates the name of the patient. If you really look at the above list, you will see that it’s much more detailed than that. When a pacemaker is implanted, for example, the physician gives the model number and serial number, right in the middle of the report. With (M) above, that report is not considered de-identified information.
The rule also states that the information must be such that a reasonable person with a statistical background would not be able to figure out the person’s identity. Lastly, it says that the covered entity must not have knowledge that the information could be used, alone or with other information, to identify the person.
It is critical to understand the meaning of PHI and how it applies to your setting. It is also important that all persons involved in the workforce be clear on the definitions. Be sure you have research these rules so you understand them and know how they apply to your work setting.