45 comments on “HIPAA ‘Protected Health Information’: What Does PHI Include?”

  1. Can a nurse contact me and then go and tell her daughter that she talked to me, because her daughter is in love with my son and I moved my family to another state, and she wanted to know if she could bring my records to me?

    1. Did the daughter know beforehand where you moved to? As long as no protected health information was given to the daughter that she didn’t already know from your son, such as your name, address, etc., then it’s OK, I would think. But I’m no expert, so don’t quote me. I do have an issue, however, with using her daughter to deliver your records. She could easily open them and read them. They should essentially be mailed to you with a signature request of receipt.

  2. How can my parents get my brother’s medical records from his primary care doctor here in Oklahoma? Do we need to have a certain form to get medical records of my deceased brother? We are needing records for a wrongful death suit against his wife and need my brother’s medical records. Do you have a standard form so we can get the court to let us get records?

    1. We don’t have a form we can share for this. Your lawyer should be able to provide some guidance on how to go about obtaining the records. Sorry for your loss.

  3. Is the fact that a patient has died protected health information? Can a clinician notify other staff of the patient’s death by name via text message?

    1. Tom, yes, this is protected health information. Additionally, deceased individuals’ PHI is protected for 50 years after their death.

      There are a few exceptions, however. Notification to law enforcement, coroners, organ procurement organizations are exempt. HHS provides some specific guidance on these exemptions here.

    2. Tom – as far as I’m aware, transmitting PHI via text is always a violation of HIPAA, even if it is being sent to people who are in the individual’s health care team; it is not encrypted and therefore not secure.

      1. I am dealing with similar situations. I’m a 38 year old woman collecting benefits, I do live on my own. I am my own advocate, the major issues are with my mother.
        She is desperately trying to convince my healthcare providers I, well honestly I truly DO NOT KNOW what her intentions are!
        I would appreciate any advice on how to STOP HER from using my medical issues against me. She has transmitted private information about my health to a provider. Is she legally allowed to do so? If she is using my medical history to make me seem incompetent, would that be considered defamation of character?

        1. Need info because I am put in a position that I don’t think I should be in, or anyone has a right to put me. Thank you for your answer and help.

  4. I am an HMO member. I requested a referral to a specialist from my PCP who works for a University Hospital. Two weeks later, a Referral Coordinator called and said she spoke to the HMO by phone about the referral, and the HMO denied it. I never received a written denial from the HMO who deny receiving any request for referral.
    Can I view and/or request a copy of the transcript of the phone conversation between the Referral Coordinator and HMO on the basis that it constitutes PHI?

  5. Can my dental office call my work and leave a message on a public answering machine saying that I have a balance that needs to be paid?

  6. If a patient is transferred to another facility, is it a HIPAA violation to disclose where the patient was transferred to to “family members” over the phone?

  7. When using email, from doctor to patient, if the content of the mail is protected, but the email name is still in plain text, is that still considered PHI, and would that need to be obscured? Identification is necessary; is this a risk management decision that is just accepted? Can the use of names as long as other information is protected be used in correspondence?

  8. If a patient of mine is related to my spouse and he sees her name, did I violate HIPAA? I’m a home health nurse & prepare my daily list. He happened to see her name & warned me not to go. They’ve since accused me of violating HIPAA.

  9. I am a student at a private university in NY. I recently embarked on an international internship and purchased travel health insurance that was provided by my university. I have since then returned from the internship and I am no longer insured under the travel health insurance policy. Upon my return, I had a question regarding my travel health insurance policy and therefore reached out to the person that coordinated my travel health insurance prior to my departure. She replied to my email and included the Chair of my program. In response to receiving the email, the Chair of my program emailed me with concern about my health. I am uncomfortable that the Chair of my program has knowledge that I inquired and may or may not have sought behavioral health treatment during my internship.

    I believe by including the Chair of my program in the email my confidentiality was breached. I would really like to get your professional opinion on this matter. Is the information in my email considered PHI? Did she breach confidentiality? Is this a HIPAA violation? If so, why? If not, why not?

    Please see the email correspondence below. My emails begin with “Good Afternoon” and the insurance coordinator’s email begins with “Dear Student”.

    Good Afternoon
    Administrative Assistant to the Department of Public Health recommended that I reach out to you in regards to a few questions I had regarding the foreign travel insurance that I purchased for my international internship in Belgrade, Serbia. Your help in this matter is greatly appreciated. I want to know, does this policy cover behavioral health? If so, what is the name of the travel insurance? And what is my policy number?

    In response to my email she attached my policy letter and cc’d the Chair of my program and replied to me with the message below

    Dear Student –
    You should have received a letter indicating your coverage for the plan that was purchased for the trip scheduled for May 28th, 2015 thru July 22nd, 2015 prior to your trip – see attached.

    The policy does cover behavioral health (as long as it is considered an emergency visit and not a routine visit.) Only emergency accidents and sicknesses are covered under the study abroad policy.

    Regards,

    In response to this email the Chair of my program reached out to me with concern for my health. I replied to the insurance coordinator with the message below

    Good Afternoon,
    Thank you for this email. I appreciate you getting back to me in a timely manner.
    I want to address that I was not comfortable with you sharing my email and your response to my email with the Chair of my program. I considered the information in the email sensitive and thereby expected it to be treated with confidentiality.
    May I ask why was she cc’d on the email?

    She replied to my email with the message below

    Dear Student –
    As the Director of this program – the advisor should have supplied you with the ‘letter’ from the carrier prior to your trip – that is WHY (she) was copied. There was no indication in your e-mail that this was a confidential matter but simply a QUESTION you were asking – and nothing in my response said otherwise.

    Am I justified to believe that by including a third party to the email, the privacy of my health information was violated? Does this go against HIPAA laws?

    Thank you for all your help. I look forward to your response.

  10. I signed an authorization to release treatment received at the ER of another health care facility to be sent to my current health care provider. It was received but when requested, the current provider won’t provide me a copy. They tell me under HIPAA, they can’t provide me the information sent from another provider. Is this right? I authorized the sending to them and isn’t it now part of my current records?

    1. Technically the physician can refuse to give you records that they received from another provider. Most will go ahead and give it to you. However, because the records themselves are not your provider’s, they are not under any obligation to share them with you.

  11. If unsecure email is used by an insurance company to transmit a list of only names (first and last) of its insureds, is this considered PHI? Is it a breach?

  12. I have a quick question:

    Would a Yelp review for a doctor be considered PHI?
    1) The person is obviously identified, often with a picture and name.
    2) The review would indicate a past provision of care.

    Thank you

    1. No.
      (Assuming that it is not being posted by someone who works in the Doctor’s office.)

      It would not qualify because it does not meet the first condition:

      (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse;

      Yelp is none of these things.

    2. If they are doing the YELP review for their own service, they can provide as little or as much protected health information that they want. I can tell whoever I wish about any medical condition I have. It is mine to tell. However, I cannot tell anyone about any medical condition and/or treatment that YOU have had.

  13. Are readings from devices (e.g. blood pressure monitor, weighing scales, activity monitors, etc) that are gathered in an app on my phone, and stored on the web, defined as PHI? These are not associated with any medical records and are for my own personal use – nothing to do with insurance or Drs. Should the app or the website be HIPAA compliant?

  14. When my colleague and I are doing rounds and moving thru several patients’ rooms in an hour, he continues to ask me which room is next before we leave the room we are in. I am not comfortable with this but I am unable to find any clear information on whether or not a patient’s room number is included in the demographics and is considered PHI. Please provide information specifically relating to speaking one patient’s room number in front of another patient and/or visitors. Thank you.

  15. If a healthcare worker’s family member only has the patient address of the home health patient but not name or diagnosis, is the address considered PHI and subject to HIPAA law?

  16. Is the date when a medical test was performed considered health information? This would not include the result of the test – just the date.

  17. My doctor’s office scale is right next to where other patients get free coffee. It is in the open area. It is a digital scale and once you step off the scale the weight still remains for about 10-15 seconds for everyone coming through the hallway or getting coffee to see. Is this a PHI violation?

  18. What about text messaging? Can a nurse text a nurse a patient’s zip code as long as no other identifying info is provided (no name, no phone, etc.)?

    Can an agency store a list of patients’ names, addresses and phone numbers on Google Drive for other employees to access?

  19. We are filing a bankruptcy claim with the court on one of our patients. For the proof of claim, we have to file an itemized statement. I have removed the account number for the patient. Am I able to disclose the procedure names that were performed and the date these services were provided? Also, can I disclose the name of the insurance company that made payment if there is no policy number listed? Thank you.

  20. When I sign in at our local clinic I am asked to provide my name, birthdate, appointment time, date of arrival and doctor. This information is written on an 8×10 paper with every other patient until the page is full. I do not like providing my birthdate and think that this is personally identifiable information that can be seen by every other person signing this paper. Is this a HIPAA violation?

  21. If someone (who is not trained in healthcare) overhears you speaking to a health care professional, does that person then have a right to share that information? In other words, if they eavesdrop, can they share that information?

    1. Yes. The third party in question has no obligation to uphold your legal obligations.

      By discussing such information where it can be overheard by a third party you may have violated HIPAA disclosure rules.

  22. Do HIPAA/PHI rules apply to completed health plan applications for open enrollment? The applications include Names (spouse and kids), SSN, Credit card payment info, Health plan name with deductible amount, Metal Level. The applications will be faxed to health carriers.
    I want to know, after the applications are faxed, what security measures I should take when scanning and storing the applications.
    Best,
    Alex

  23. Can an employer distribute a list with my name (and others in the organization) on it to a group of other employees that reveals my vaccination exemption record?

  24. Question: is it a HIPAA violation for fellow direct care workers at a group home to be picked up and dropped off at the group home? I know it is a violation if they meet or interact with the residents without written permission from their legal guardians, but is it a HIPAA violation? Isn’t the residents’ address protected information because it can be used to identify the residents?
    During two different initial caregiver trainings, HIPAA, one in 2009 and 2014, they indicated that anything that can be used to identify any of the residents was a HIPAA violation. They said that being picked up or dropped off at the recipient’s residence was a HIPAA violation because the driver could use the address to identify the recipient. During both training sessions they indicated that the caregiver should be dropped off at least two blocks away from the recipient’s residence and that you should make sure the driver doesn’t follow you to the residence. That included your family and taxi drivers as well as bus services.

  25. Can an insurance agent that I don’t know and I am not a client of access my healthcare insurance policy without my consent and use that information to shop policies to market to me? What access do insurance agents have to anyone’s information?

  26. Have a question: if I’m calling a mail order pharmacy and they ask me for my name and DOB and I provide that information, am I required to also provide my full address? If I’m providing two identifiers, why do I have to provide my full address as well?

    1. Presumably since it is a mail order pharmacy they need your address to know where to ship your prescriptions.

      However in the case that you may be shipping your medications to a post office box, it would still be required as a measure for preventing fraud.

      Additionally, most states and some localities in the US have reporting requirements for pharmacies for certain controlled substances such as opioids. They would need your address to know where to report the sale.

  27. I was dropped from my PCP office for 3 missed appointments. I was told this in the waiting room where other patients were waiting. I was addressed by my full name and my street name was mentioned by the nurse as well (she was telling me that a certified letter was sent and she said it was sent to “the street name”). Is this not considered PHI?

  28. I have primary physical custody of my son. His mom works at a medical billing company and has access to health insurance information. She routinely changes my son’s health insurance to be difficult. Apparently because she knows the social security # and all relevant information, she is permitted to make the changes. Is our health insurance information protected under HIPAA?

  29. I work in a medical spa where we do botox, fillers, facials, and lasers.
    Our patients love to text our aestheticians pictures after treatment or text about making appointments. What are our limitations? It is hard to prevent the patient from texting pics if they already know the aesthetician’s cell phone number.

  30. When storing PHI, does it matter if the information was volunteered by a patient or someone close to the patient? I believe not, but some in my organization are saying that in that case it’s not PHI. When we pay for something with a credit card we are volunteering our credit information but it’s still covered by PCI. I think it’s the same for PHI.

  31. My wife and I go to a center and both of us see separate therapists. My wife always asks her therapist to check to see if I have scheduled a session with my therapist and if I actually went to my session. Should her therapist be giving my wife this information without my consent?

    1. No. The therapist can only give this information if you have signed a Release of Information (ROI) indicating it is ok to release this info to her. The ROI should specify what can be shared and to whom. So you can make the ROI as specific or broad as you like (i.e. you can specify that your wife have access to all of your records, or she can only have knowledge of your scheduled appointments, or anything in between). Or if you do not want to sign one at all, you do not have to.
      Just because she already knows you go there, does not mean she can have further related information. If she is indeed doing this, I would contact the center and ask to speak to whomever is in charge of their compliance program. If it is a small office, bring it up to your therapist that you believe your PHI is being shared without your consent.

  32. On an invoice to a Business Associate with this format:

    Date – Account number – Patient Name – CPT CODE – CPT description – Price

    Can this be sent to a Business Associate unencrypted (web based email)?
