HIPAA.com has received from its readers requests for information on topics related to HIPAA Administrative Simplification Privacy and Security Rules and to updates to those rules reflected in the HITECH Act provisions of the American Recovery and Reinvestment Act of 2009, signed by President Obama on February 17, 2009. Of particular interest to readers is: what exactly is protected health information (PHI)?
Protected Health Information
To get to protected health information, you first have to examine two definitions in Section 1171 of Part C of Subtitle F of Public Law 104-191 (August 21, 1996): Health Insurance Portability and Accountability Act of 1996: Administrative Simplification. These statutory definitions are of “health information” and “individually identifiable health information.”
“Health information means any information, whether oral or recorded in any form or medium, that–
(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”
“Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.”
Protected health information is defined in 45 CFR 160.103, where ‘CFR’ means ‘Code of Federal Regulations’, and, as defined, is referenced in Section 13400 of Subtitle D (‘Privacy’) of the HITECH Act.
“Protected health information means individually identifiable health information [defined above]:
(1) Except as provided in paragraph (2) of this definition, that is:
(i) Transmitted by electronic media;
(ii) Maintained in electronic media; or
(iii) Transmitted or maintained in any other form or medium.
(2) Protected health information excludes individually identifiable health information in:
(i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
(ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and
(iii) Employment records held by a covered entity in its role as employer.”
The HIPAA Privacy Rule covers protected health information in any medium while the HIPAA Security Rule covers electronic protected health information.
With those definitions in place, the question becomes: which elements make health information protected health information, such that if they were removed, items (i) and (ii) of (2) in the definition of individually identifiable health information would no longer apply? The answer is in the de-identification standard of the HIPAA Privacy Rule and its two implementation specifications, expert determination and the so-called safe harbor list of identifiers [45 CFR 164.514]:
“(a) Standard: de-identification of protected health information. Health information [defined above] that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.
(b) Implementation specifications: requirements for de-identification of protected health information. A covered entity may determine that health information is not individually identifiable health information only if:
(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is subject of the information; and
(ii) Documents the methods and results of the analysis that justify such determination; or
(2)(i) The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:
(A) Names;
(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section; and
(ii) The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
(c) Implementation specifications: re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that:
(1) Derivation. The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and
(2) Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.”
With HHS’s release of the Interim Final Rule, ‘Breach Notification for Unsecured Protected Health Information,’ published in the Federal Register on Monday, August 24, 2009, note the following: “If information is de-identified in accordance with 45 CFR 164.514(b) [the implementation specifications quoted above], it is not protected health information, and thus, any inadvertent or unauthorized use or disclosure of such information will not be considered a breach for purposes of this subpart.” [74 Federal Register 42743] The converse is the practical point: a data set that still carries any of the identifiers (A) through (R), or that the covered entity knows can be re-linked to a person, is still PHI, and losing it is a breach.
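The safe harbor specification above is a concrete data transformation, so here it is as code. This is an added example, not part of the HIPAA.com article: it strips the listed identifier categories from a record, applies the three generalization rules that are not simple removals (three-digit ZIP with the 20,000-person test, dates reduced to year, ages over 89 collapsed to “90+” with the birth year dropped), and issues a re-identification code that satisfies paragraph (c) because it is random rather than derived from the patient. The field names, the sample record and the ZIP3 population table are constructed for illustration; a real deployment would load current Census Bureau figures.

```python
"""Safe harbor de-identification (45 CFR 164.514(b)(2)) expressed as a data transform.

Added example, not from HIPAA.com. Field names, the ZIP3 population table and
any record passed in are constructed assumptions for illustration only.
"""
import datetime
import re
import secrets

# Constructed sample: population of the area formed by each three-digit ZIP prefix.
# Real use: load current Census Bureau data. Prefixes absent from the table are
# treated as unknown and therefore suppressed (the conservative choice).
ZIP3_POPULATION = {
    "021": 1_250_000,  # assumption: well above the 20,000-person threshold
    "036": 15_000,     # assumption: at or below the threshold
}

# Identifier categories (A) and (D)-(Q): these fields are removed outright.
DROP_FIELDS = {
    "name", "street", "city", "county", "precinct",            # (A), (B) below state level
    "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",   # (D)-(I)
    "account_no", "license_no", "plate", "device_serial",      # (J)-(M)
    "url", "ip", "biometric", "photo",                         # (N)-(Q)
}
# Category (C): dates directly related to the individual keep only the year.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}


def generalize_zip(zip_code):
    """(B): keep the first three digits only if that area holds more than 20,000 people."""
    zip3 = re.sub(r"\D", "", zip_code or "")[:3]
    if len(zip3) != 3:
        return None                       # unusable value: suppress entirely
    if ZIP3_POPULATION.get(zip3, 0) > 20_000:
        return zip3
    return "000"                          # the rule's required replacement


def generalize_date(value):
    """(C): reduce an ISO date to its year; month and day must go."""
    return datetime.date.fromisoformat(value).year


def generalize_age(age):
    """(C): ages over 89 collapse into the single category '90+'."""
    return "90+" if age > 89 else age


def make_reid_code():
    """(c)(1): a code that is not derived from the individual. A hash of the SSN or
    MRN would fail this test because it is 'derived from' the identifier; a random
    token with a separately held lookup table does not."""
    return secrets.token_hex(16)


def deidentify(record, reid_codes=None):
    """Return a safe-harbor copy of `record`. If `reid_codes` (a dict the covered
    entity keeps to itself) is given, a random re-identification code is added and
    mapped back to the original medical record number in that dict only."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key + "_year"] = generalize_date(value)
        elif key == "age":
            out["age"] = generalize_age(value)
        else:
            out[key] = value                # clinical content such as diagnosis stays
    # (C) again: for ages over 89 the birth year itself indicates the age, so it goes too.
    if out.get("age") == "90+":
        out.pop("dob_year", None)
    if reid_codes is not None:
        code = make_reid_code()
        reid_codes[code] = record.get("mrn")  # (c)(2): mapping is never disclosed with the data
        out["reid_code"] = code
    return out


if __name__ == "__main__":
    # Constructed sample record; not a real patient.
    sample = {"name": "Jane Doe", "zip": "02139", "dob": "1930-05-04", "age": 94,
              "admission_date": "2024-03-02", "diagnosis": "I10",
              "mrn": "12345", "ssn": "123-45-6789", "ip": "10.0.0.1"}
    vault = {}
    print(deidentify(sample, vault))
    print("re-identification table (kept by the covered entity only):", vault)
```

Two things the code cannot do for you, and which the regulation still requires: category (R) and free-text fields such as clinical notes need human or NLP review for any other unique identifying number, characteristic or code, and paragraph (b)(2)(ii) still applies, so if the entity has actual knowledge that the remaining data (a rare diagnosis in a small ZIP3 area, for instance) identifies someone, the output is still PHI.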
Can a nurse contact me and then go and tell her daughter that she talked to me, because her daughter is in love with my son? I moved my family to another state and she wanted to know if she could bring my records to me.
Did the daughter know beforehand where you moved to? As long as no protected health information was given to the daughter that she didn’t already know from your son, such as your name, address, etc., then it’s OK, I would think. But I’m no expert, so don’t quote me. I do have an issue, however, with using her daughter to deliver your records. She could easily open them and read them. They should essentially be mailed to you with a signature request of receipt.
How can my parents get my brother’s medical records from his primary care doctor here in Oklahoma? Do we need to have a certain form to get medical records of my deceased brother? We are needing records for a wrongful death suit against his wife and need my brother’s medical records. Do you have a standard form so we can get the court to let us get the records?
We don’t have a form we can share for this. Your lawyer should be able to provide some guidance on how to go about obtaining the records. Sorry for your loss.
Is the fact that a patient has died protected health information? Can a clinician notify other staff of the patient’s death by name via text message?
Tom, yes, this is protected health information. Additionally, a deceased individual’s PHI is protected for 50 years after their death.
There are a few exceptions, however. Notifications to law enforcement, coroners, and organ procurement organizations are exempt. HHS provides some specific guidance on these exemptions here.
Tom – as far as I’m aware, transmitting PHI via text is always a violation of HIPAA, even if it is being sent to people who are on the individual’s health care team; it is not encrypted and therefore not secure.
I am dealing with similar situations. I’m a 38-year-old woman collecting benefits, and I do live on my own. I am my own advocate; the major issues are with my mother.
She is desperately trying to convince my healthcare providers that I… well, honestly, I truly DO NOT KNOW what her intentions are!
I would appreciate any advice on how to STOP HER from using my medical issues against me. She has transmitted private information about my health to a provider. Is she legally allowed to do so? If she is using my medical history to make me seem incompetent, would that be considered defamation of character?
I need info because I am put in a position that I don’t think I should be in, or that anyone has a right to put me in. Thank you for your answer and help.
I am an HMO member. I requested a referral to a specialist from my PCP who works for a University Hospital. Two weeks later, a Referral Coordinator called and said she spoke to the HMO by phone about the referral, and the HMO denied it. I never received a written denial from the HMO who deny receiving any request for referral.
Can I view and/or request a copy of the transcript of the phone conversation between the Referral Coordinator and HMO on the basis that it constitutes PHI?
Can my dental office call my work and leave a message on a public answering machine saying that I have a balance that needs to be paid?
If a patient is transferred to another facility, is it a HIPAA violation to disclose where the patient was transferred to “family members” over the phone?
When using email from doctor to patient, if the content of the mail is protected but the email name is still in plain text, is that still considered PHI, and would that need to be obscured? Identification is necessary; is this a risk management decision that is just accepted? Can names be used in correspondence as long as the other information is protected?
If a patient of mine is related to my spouse and he sees her name, did I violate HIPAA? I’m a home health nurse and prepare my daily list. He happened to see her name and warned me not to go. They’ve since accused me of violating HIPAA.
I am a student at a private university in NY. I recently embarked on an international internship and purchased travel health insurance that was provided by my university. I have since returned from the internship and I am no longer insured under the travel health insurance policy. Upon my return, I had a question regarding my travel health insurance policy and therefore reached out to the person who coordinated my travel health insurance prior to my departure. She replied to my email and included the Chair of my program. In response to receiving the email, the Chair of my program emailed me with concern about my health. I am uncomfortable that the Chair of my program has knowledge that I inquired about, and may or may not have sought, behavioral health treatment during my internship.
I believe that by including the Chair of my program in the email my confidentiality was breached. I would really like to get your professional opinion on this matter. Is the information in my email considered PHI? Did she breach confidentiality? Is this a HIPAA violation? If so, why? If not, why not?
Please see the email correspondence below. My emails begin with “Good Afternoon” and the insurance coordinator’s email begins with “Dear Student”.
Administrative Assistant to the Department of Public Health recommended that I reach out to you in regards to a few questions I had regarding the foreign travel insurance that I purchased for my international internship in Belgrade, Serbia. Your help in this matter is greatly appreciated. I want to know, does this policy cover behavioral health? If so, what is the name of the travel insurance? And what is my policy number?
In response to my email she attached my policy letter, cc’d the Chair of my program, and replied to me with the message below.
Dear Student –
You should have received a letter indicating your coverage for the plan that was purchased for the trip scheduled for May 28th, 2015 thru July 22nd, 2015 prior to your trip – see attached.
The policy does cover behavioral health (as long as it is considered an emergency visit and not a routine visit.) Only emergency accidents and sicknesses are covered under the study abroad policy.
In response to this email the Chair of my program reached out to me with concern for my health. I replied to the insurance coordinator with the message below.
Thank you for this email. I appreciate you getting back to me in a timely manner.
I want to address that I was not comfortable with you sharing my email and your response to my email with the Chair of my program. I considered the information in the email sensitive and thereby expected it to be treated with confidentiality.
May I ask why was she cc’d on the email?
She replied to my email with the message below.
Dear Student –
As the Director of this program – the advisor should have supplied you with the ‘letter’ from the carrier prior to your trip – that is WHY (she) was copied. There was no indication in your e-mail that this was a confidential matter but simply a QUESTION you were asking – and nothing in my response said otherwise.
Am I justified in believing that by including a third party in the email, the privacy of my health information was violated? Does this go against HIPAA laws?
Thank you for all your help. I look forward to your response.
Is patient gender PHI?
I signed an authorization to release treatment received at the ER of another health care facility to be sent to my current health care provider. It was received but when requested, the current provider won’t provide me a copy. They tell me under HIPAA, they can’t provide me the information sent from another provider. Is this right? I authorized the sending to them and isn’t it now part of my current records?
Technically the physician can refuse to give you records that they received from another provider. Most will go ahead and give it to you. However, because the records themselves are not your provider’s, they are not under any obligation to share them with you.
Cinda wrote in response that “Technically the physician can refuse to give you records that they received from another provider.”
I don’t think this is true. It doesn’t make any sense to me. Under HIPAA, patients have legal rights to their medical records. If a provider receives a record from another provider (e.g., a Transition of Care), the record becomes a part of the new provider’s records, and the patient has the right to receive a copy.
If it were true, there would be a whole slew of restrictions on what information patients could receive and not receive from a provider, depending upon where the information originated (e.g., lab diagnostics, specialist interpretations of results, etc.) and there would be a huge burden on the provider to perform and keep a detailed information tracking history.
If unsecured email is used by an insurance company to transmit a list of only the names (first and last) of its insureds, is this considered PHI? Is it a breach?
I have a quick question:
Would a Yelp review for a doctor be considered PHI?
1) The person is obviously identified, often with a picture and name.
2) The review would indicate a past provision of care.
(Assuming that it is not being posted by someone who works in the Doctor’s office.)
It would not qualify because it does not meet the first condition:
Yelp is none of these things.
If they are doing the Yelp review for their own service, they can provide as little or as much protected health information as they want. I can tell whoever I wish about any medical condition I have. It is mine to tell. However, I cannot tell anyone about any medical condition and/or treatment that YOU have had.
Are readings from devices (e.g. blood pressure monitor, weighing scales, activity monitors, etc) that are gathered in an app on my phone, and stored on the web, defined as PHI? These are not associated with any medical records and are for my own personal use – nothing to do with insurance or Drs. Should the app or the website be HIPAA compliant?
They are not legally required to be HIPAA compliant, however, it is strongly in your interest to use an app/service that claims to be HIPAA compliant anyway.
When my colleague and I are doing rounds and moving through several patients’ rooms in an hour, he continues to ask me which room is next before we leave the room we are in. I am not comfortable with this, but I am unable to find any clear information on whether or not a patient’s room number is included in the demographics and is considered PHI. Please provide information specifically relating to speaking one patient’s room number in front of another patient and/or visitors. Thank you.
I think you are right in being concerned about health information communicated verbally, which is protected; however, if it is only a room number, I doubt that it would qualify as PHI.
If a healthcare worker’s family member only has the address of the home health patient, but not the name or diagnosis, is the address considered PHI and subject to HIPAA law?
Is the date when a medical test was performed considered health information? This would not include the result of the test – just the date.
My doctor’s office scale is right next to where other patients get free coffee. It is in the open area. It is a digital scale, and once you step off the scale the weight still remains for about 10-15 seconds for everyone coming through the hallway or getting coffee to see. Is this a PHI violation?
What about text messaging? Can a nurse text a nurse a patient’s zip code as long as no other identifying info is provided (no name, no phone, etc.)
Can an agency store a list of patients’ names, addresses and phone numbers on Google Drive for other employees to access?
We are filing a bankruptcy claim with the court on one of our patients. For the proof of claim, we have to file an itemized statement. I have removed the account number for the patient. Am I able to disclose the procedure names that were performed and the date these services were provided? Also, can I disclose the name of the insurance company that made payment if there is not policy number listed? Thank you.
When I sign in at our local clinic I am asked to provide my name, birthdate, appointment time, date of arrival and doctor. This information is written on an 8×10 paper with every other patient until the page is full. I do not like providing my birthdate and think that this is personally identifiable information that can be seen by every other person signing this paper. Is this a HIPAA violation?
It may be. It is unusual to ask for a DOB on a sign-in form.
However, you don’t have to write your DOB down. If asked by a receptionist, you can tell them you will provide it in a more private manner if it is needed.
If someone (who is not trained in healthcare) overhears you speaking to a health care professional, does that person then have a right to share that information. In other words, if they eavesdrop, can they share that information?
Yes. The third party in question has no obligation to uphold your legal obligations.
By discussing such information where it can be overheard by a third party you may have violated HIPAA disclosure rules.
Does HIPAA/PHI rules apply to completed health plan applications for open enrollment? The applications include Names (spouse and kids), SSN, Credit card payment info, Health plan name with deductible amount, Metal Level. The applications will be faxed to health carriers.
I want to know after the applications are faxed what security measure I should take when scanning and storing the applications.
can an employer distribute a list with my name (and others in the organization) on it to a group of other employees that reveals my vaccination exemption record?
Question: is it a HIPAA violation for fellow direct care workers at a group home to be picked up and dropped off at the group home? I know it is a violation if they meet or interact with the residents without written permission from their legal guardians, but is it a HIPAA violation? Isn’t the residents’ address protected information because it can be used to identify the residents?
During two different initial caregiver trainings, HIPAA, one in 2009 and 2014, they indicated that anything that can be used to identify any of the residents was a HIPAA violation. They said that being picked up or dropped off at the recipients residence was a HIPAA violation because the driver could use the address to identify the recipient. During both training sessions they indicated that the caregiver should be dropped off at least two blocks away from the recipient’s residence and that you should make sure the driver doesn’t follow you to the residence. That included your family and taxi drivers as well as bus services.
The training may have been on the conservative side so as to protect against any lawsuits in all cases.
HIPAA 45 CFR 160.103 says that PHI involves information “that identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.”
I think that an address of a group home would be unlikely to identify an individual, unless the group home had only one individual. Same thing with a private residence.
That was my initial reading of “individually identifiable” information; however, I think the common practice is to use the “individual identifiers” in the de-identification standard and implementation specifications of HIPAA (45 CFR 164.514), which includes street address:
“All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes…”
Can an insurance agent that I don’t know and I am not a client of access my healthcare insurance policy without my consent and use that information to shop policies to market to me? What access do insurance agents have to anyone’s information?
Have a question if I’m calling to a mail order pharmacy and they ask me for my name and dob and I provide that information am I required to also provide my full address? If im providing two identifiers why do I have to provide my full address as well?
Presumably since it is a mail order pharmacy they need your address to know where to ship your prescriptions.
However in the case that you may be shipping your medications to a post office box, it would still be required as a measure for preventing fraud.
Additionally, most states and some localities in the US have reporting requirements for pharmacies for certain controlled substances such as opioids. They would need your address to know where to report the sale.
I was dropped from my PCP office for 3 missed appointments. I was told this in the waiting room where other patients were waiting. I was addressed by my full name and my street name was mentioned by the nurse as well (she was telling me that a certified letter was sent and she said it was sent to “the street name”). Is this not considered PHI?
I have primary physical custody of my son. His mom works at a medical billing company and has access to health insurance information. She routinely changes my son’s health insurance to be difficult. Apparently, because she knows the social security # and all relevant information, she is permitted to make the changes. Is our health insurance information protected under HIPAA?
I work in a medical spa where we do botox, fillers, facials, and lasers.
Our patients love to text our aestheticians pictures after treatment or text about making appointments. What are our limitations? It is hard to prevent the patient from texting pics if they already know the aestheticians cell phone number
When storing PHI, does it matter if the information was volunteered by a patient or someone close to the patient? I believe not, but some in my organization are saying that in that case it’s not PHI. When we pay for something with a credit card we are volunteering our credit information but it’s still covered by PCI. I think it’s the same for PHI.
My wife and I go to a center and both of us see separate therapists. My wife always asks her therapist to check to see if I have scheduled a session with my therapist and if I actually went to my session. Should her therapist be giving my wife this information without my consent?
No. The therapist can only give this information if you have signed a Release of Information (ROI) indicating it is ok to release this info to her. The ROI should specify what can be shared and to whom. So you can make the ROI as specific or broad as you like (i.e. you can specify that your wife have access to all of your records, or she can only have knowledge of your scheduled appointments, or anything in between). Or if you do not want to sign one at all, you do not have to.
Just because she already knows you go there, does not mean she can have further related information. If she is indeed doing this, I would contact the center and ask to speak to whomever is in charge of their compliance program. If it is a small office, bring it up to your therapist that you believe your PHI is being shared without your consent.
On an invoice to a Business Associate with this format:
Date – Account number – Patient Name – CPT CODE – CPT description – Price
Can this be sent to a Business Associate unencrypted (web based email)?
This would most likely be a violation of HIPAA if the web-based email does not use secure transmission.
I know that a name is a de-identifier and a date of birth is also a de-identifier, but for a health care provider, when the two are combined, would that be considered PHI?
If a breach happens in our office, who needs to be contacted? The patient, the government, etc.? What records of this do we need to keep? I was told that we did not need to do anything unless it was bulk, but I find that hard to believe; there must be individual breach instructions somewhere???
I want to create a Refer-a-Friend program (for a dental practice) that will be managed by a third party marketing agency.
The third party needs only my patient names and addresses to do an on-going e-mail campaign, no PHI will be given to the third party — just name and e-mail address.
Because I am ‘marketing” to my own list, and I am NOT “marketing” any third party products, and I am not receiving any third party payment for anything:
* Am I in any HIPAA danger? (No PHI is ever exchanged, and I am NOT marketing anyone else’s product.)
* Because my PHI is de-identified from any associated names and e-mail addresses, is it OK for me to hand over my patient mail list to my marketing agency (being very careful, of course, to include NO PHI)?
* Does HIPAA specifically prevent me from marketing my own products to my patient list? I know that marketing other people’s products to my list will require prior consent. But, marketing my own Refer-a-Friend program… how is that a violation?
NOTE: PHI is defined as: “(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”
So, is a mail list of my patients’ names and e-mail addresses considered to be PHI (if it contains no associated PHI as defined above)? The definition above would say NO, names and addresses are not PHI. The definition above states that it is ONLY the health information ABOUT a patient — NOT the patient’s name and e-mail addresses themselves.
This is a very important distinction. Having clarity on this question could free up a lot of us to proceed with e-mail marketing.
Can you clarify?
Are you violating HIPAA by showing a photo in which the only things showing are the license plate number and the vehicle?
Please consider this possible scenario. An RN who works for a home care agency is approached by someone who wants to know if the agency cares for people with a specific diagnosis (let’s say late-stage Parkinson’s disease). The RN confirms not only that the agency works with people with this condition, but that the RN currently treats a client with this condition and has some working knowledge of the disease process. So, a diagnosis and an association with a specific agency, and even a specific RN, were revealed. No other personal identifying information was revealed. The agency is a relatively large one that serves an area covering 4 counties with a combined population of over 400,000 people. In your estimation, has a HIPAA violation been committed?
This does not appear to include or disclose individually identifiable information. A surgeon could say, “I just performed open heart surgery on a patient.” It’s not individually identifiable. If it were combined with other information so that it could be used to identify the patient, that would be another matter.
Is DOB, alone, considered PHI? If a patient’s DOB is reported and there is no other patient identifier, is this considered PHI?
The risk of being able to identify a patient with just DOB is very low, but I just want to understand which identifiers are considered PHI “stand alone” (i.e. SSN) and which identifiers are not, and are only considered PHI in combination with other identifiers.
If Hospital wants to send appointment reminders to their customers via SMS, with a non-specific message such as “This is a reminder that you have an appointment tomorrow at 8:00 am.”
And essentially the only information the texting service has access to is a Cell-phone number (no name or specifics etc.), is the telephone number individually identifiable information?
AKA is the cell phone number PHI, if not related to a patient name or any other information (other than their appointment time)?
The risk of being able to identify the patient with just DOB is very low, but I just want to understand which identifiers are considered PHI “stand alone.”
This is serious?
My office uses Google for e-mail; it is NOT secure. Can we use the patient’s medical record number for our system in an e-mail?
Can a health plan provide the phone number for the member’s IPA to an unauthorized person, after that person has given them the information that the member has the said IPA?
My doctor’s receptionist likes to verify my address, phone # and insurance company when I check in for my appointments. She does this in a loud, clear voice which can be heard by everyone in the waiting room. When I asked about it she said that is part of her job. Before I press the question with my physician, is this considered PHI under HIPAA?
With all of the electronic submissions and requests occurring I would like to know where to find specific information on HIPAA concerning what type of “signature” from an individual should appear on a Request for Information Form or Release of Information Form – if it is being sent electronically by a large agency.