33 comments on “HIPAA ‘Protected Health Information’: What Does PHI Include?”

  1. Can a nurse contact me and then go and tell her daughter that she talked to me, because her daughter is in love with my son and I moved my family to another state, and she wanted to know if she could bring my records to me?

    1. Did the daughter know beforehand where you moved to? As long as no protected health information was given to the daughter that she didn’t already know from your son, such as your name, address, etc., then it’s OK, I would think. But I’m no expert, so don’t quote me. I do have an issue, however, with using her daughter to deliver your records. She could easily open them and read them. They should essentially be mailed to you with a signature request of receipt.

  2. How can my parents get my brother’s medical records from his primary care doctor here in Oklahoma? Do we need to have a certain form to get medical records of my deceased brother? We are needing records for a wrongful death suit against his wife and need my brother’s medical records. Do you have a standard form so we can get the court to let us get records?

    1. We don’t have a form we can share for this. Your lawyer should be able to provide some guidance on how to go about obtaining the records. Sorry for your loss.

  3. Is the fact that a patient has died protected health information? Can a clinician notify other staff of the patient’s death by name via text message?

    1. Tom, yes, this is protected health information. Additionally, deceased individuals’ PHI is protected for 50 years after their death.

      There are a few exceptions, however. Notification to law enforcement, coroners, organ procurement organizations are exempt. HHS provides some specific guidance on these exemptions here.

    2. Tom – as far as I’m aware, transmitting PHI via text is always a violation of HIPAA, even if it is being sent to people who are in the individual’s health care team; it is not encrypted and therefore not secure.

      1. I am dealing with similar situations. I’m a 38 year old woman collecting benefits, I do live on my own. I am my own advocate, the major issues are with my mother.
        She is desperately trying to convince my healthcare providers I, well honestly I truly DO NOT KNOW what her intentions are!
        I would appreciate any advice on how to STOP HER from using my medical issues against me. She has transmitted private information about my health to a provider. Is she legally allowed to do so? If she is using my medical history to make me seem incompetent, would that be considered decimation of character?

        1. Need info because I am put in a position that I don’t think I should be in, or anyone has a right to put me. Thank you for your answer and help.

  4. I am an HMO member. I requested a referral to a specialist from my PCP who works for a University Hospital. Two weeks later, a Referral Coordinator called and said she spoke to the HMO by phone about the referral, and the HMO denied it. I never received a written denial from the HMO who deny receiving any request for referral.
    Can I view and/or request a copy of the transcript of the phone conversation between the Referral Coordinator and HMO on the basis that it constitutes PHI?

  5. Can my dental office call my work and leave a message on a public answering machine saying that I have a balance that needs to be paid?

  6. If a patient is transferred to another facility, is it a HIPAA violation to disclose where the patient was transferred to to “family members” over the phone?

  7. When using email, from doctor to patient, if the content of the mail is protected, but the email name is still in plain text, is that still considered PHI, and would that need to be obscured? Identification is necessary; is this a risk management decision that is just accepted? Can the use of names, as long as other information is protected, be used in correspondence?

  8. If a patient of mine is related to my spouse and he sees her name, did I violate HIPAA? I’m a home health nurse & prepare my daily list. He happened to see her name & warned me not to go. They’ve since accused me of violating HIPAA.

  9. I am a student at a private university in NY. I recently embarked on an international internship and purchased travel health insurance that was provided by my university. I have since then returned from the internship and I am no longer insured under the travel health insurance policy. Upon my return, I had a question regarding my travel health insurance policy and therefore reached out to the person that coordinated my travel health insurance prior to my departure. She replied to my email and included the Chair of my program. In response to receiving the email, the Chair of my program emailed me with concern about my health. I am uncomfortable that the Chair of my program has knowledge that I inquired and may or may not have sought behavioral health treatment during my internship.

    I believe by including the Chair of my program in the email my confidentiality was breached. I would really like to get your professional opinion on this matter. Is the information in my email considered PHI? Did she breach confidentiality? Is this a HIPAA violation? If so, why? If not, why not?

    Please see the email correspondence below. My emails begin with “Good Afternoon” and the insurance coordinator’s email begins with “Dear Student”.

    Good Afternoon
    Administrative Assistant to the Department of Public Health recommended that I reach out to you in regards to a few questions I had regarding the foreign travel insurance that I purchased for my international internship in Belgrade, Serbia. Your help in this matter is greatly appreciated. I want to know, does this policy cover behavioral health? If so, what is the name of the travel insurance? And what is my policy number?

    In response to my email she attached my policy letter and cc’d the Chair of my program and replied to me with the message below.

    Dear Student –
    You should have received a letter indicating your coverage for the plan that was purchased for the trip scheduled for May 28th, 2015 thru July 22nd, 2015 prior to your trip – see attached.

    The policy does cover behavioral health (as long as it is considered an emergency visit and not a routine visit.) Only emergency accidents and sicknesses are covered under the study abroad policy.


    In response to this email the Chair of my program reached out to me with concern for my health. I replied to the insurance coordinator with the message below.

    Good Afternoon,
    Thank you for this email. I appreciate you getting back to me in a timely matter.
    I want to address that I was not comfortable with you sharing my email and your response to my email with the Chair of my program. I considered the information in the email sensitive and thereby expected it to be treated with confidentiality.
    May I ask why she was cc’d on the email?

    She replied to my email with the message below.

    Dear Student –
    As the Director of this program – the advisor should have supplied you with the ‘letter’ from the carrier prior to your trip – that is WHY (she) was copied. There was no indication in your e-mail that this was a confidential matter but simply a QUESTION you were asking – and nothing in my response said otherwise.

    Am I justified to believe that by including a third party to the email, the privacy of my health information was violated? Does this go against HIPAA laws?

    Thank you for all your help. I look forward to your response.

  10. I signed an authorization to release treatment received at the ER of another health care facility to be sent to my current health care provider. It was received but when requested, the current provider won’t provide me a copy. They tell me under HIPAA, they can’t provide me the information sent from another provider. Is this right? I authorized the sending to them and isn’t it now part of my current records?

  11. If unsecure email is used by an insurance company to transmit a list of only names (first and last) of its insureds, is this considered PHI? Is it a breach?

  12. I have a quick question:

    Would a Yelp review for a doctor be considered PHI?
    1) The person is obviously identified, often with a picture and name.
    2) The review would indicate a past provision of care.

    Thank you

  13. Are readings from devices (e.g. blood pressure monitor, weighing scales, activity monitors, etc) that are gathered in an app on my phone, and stored on the web, defined as PHI? These are not associated with any medical records and are for my own personal use – nothing to do with insurance or Drs. Should the app or the website be HIPAA compliant?

  14. When my colleague and I are doing rounds and moving through several patients’ rooms in an hour, he continues to ask me which room is next before we leave the room we are in. I am not comfortable with this but I am unable to find any clear information on whether or not a patient’s room number is included in the demographics and is considered PHI. Please provide information specifically relating to speaking one patient’s room number in front of another patient and/or visitors. Thank you.

  15. If a healthcare worker’s family member only has the patient address of the home health patient but not name or diagnosis, is the address considered PHI and subject to HIPAA law?

  16. Is the date when a medical test was performed considered health information? This would not include the result of the test – just the date.

  17. My doctor’s office scale is right next to where other patients get free coffee. It is in the open area. It is a digital scale and once you step off the scale the weight still remains for about 10-15 seconds for everyone coming through the hallway or getting coffee to see. Is this a PHI violation?

  18. What about text messaging? Can a nurse text a nurse a patient’s zip code as long as no other identifying info is provided (no name, no phone, etc.)?

    Can an agency store a list of patients’ names, addresses and phone numbers on Google Drive for other employees to access?

  19. We are filing a bankruptcy claim with the court on one of our patients. For the proof of claim, we have to file an itemized statement. I have removed the account number for the patient. Am I able to disclose the procedure names that were performed and the date these services were provided? Also, can I disclose the name of the insurance company that made payment if there is no policy number listed? Thank you.

  20. When I sign in at our local clinic I am asked to provide my name, birthdate, appointment time, date of arrival and doctor. This information is written on an 8×10 paper with every other patient until the page is full. I do not like providing my birthdate and think that this is personally identifiable information that can be seen by every other person signing this paper. Is this a HIPAA violation?

  21. If someone (who is not trained in healthcare) overhears you speaking to a health care professional, does that person then have a right to share that information? In other words, if they eavesdrop, can they share that information?

  22. Do HIPAA/PHI rules apply to completed health plan applications for open enrollment? The applications include names (spouse and kids), SSN, credit card payment info, health plan name with deductible amount, and metal level. The applications will be faxed to health carriers.
    I want to know, after the applications are faxed, what security measures I should take when scanning and storing the applications.

  23. Can an employer distribute a list with my name (and others in the organization) on it to a group of other employees that reveals my vaccination exemption record?

  24. Question: is it a HIPAA violation for fellow direct care workers at a group home to be picked up and dropped off at the group home? I know it is a violation if they meet or interact with the residents without written permission from their legal guardians, but is it a HIPAA violation? Isn’t the residents’ address protected information because it can be used to identify the residents?
    During two different initial caregiver HIPAA trainings, one in 2009 and one in 2014, they indicated that anything that can be used to identify any of the residents was a HIPAA violation. They said that being picked up or dropped off at the recipient’s residence was a HIPAA violation because the driver could use the address to identify the recipient. During both training sessions they indicated that the caregiver should be dropped off at least two blocks away from the recipient’s residence and that you should make sure the driver doesn’t follow you to the residence. That included your family and taxi drivers as well as bus services.

  25. Can an insurance agent that I don’t know, and that I am not a client of, access my healthcare insurance policy without my consent and use that information to shop policies to market to me? What access do insurance agents have to anyone’s information?

  26. I have a question: if I’m calling a mail order pharmacy and they ask me for my name and DOB and I provide that information, am I required to also provide my full address? If I’m providing two identifiers, why do I have to provide my full address as well?
