Which of the following is not an example of protected health information PHI )?

Posted By on Jan 28, 2022

In a healthcare environment, you are likely to hear health information referred to as protected health information or PHI, but what is considered PHI under HIPAA?

What is Considered PHI Under HIPAA Rules?

To best explain what is considered PHI under HIPAA compliance rules, it is necessary to review the definitions section of the Administrative Simplification Regulations (§160.103) starting with health information. According to this section, health information means any information, including genetic information, whether oral or recorded in any form or medium, that:

“Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.”

From here, we need to progress to the definition of individually identifiable health information which states “individually identifiable health information […] is a subset of health information, including demographic information collected from an individual [that] is created or received by a health care provider, health plan, employer, or health care clearinghouse […] and that identifies the individual or […] can be used to identify the individual.”

Get The HIPAACompliance Checklist

Free and Immediate Download

Delivered via email so please ensure you enter your email address correctly.

Your Privacy Respected

HIPAA Journal Privacy Policy

Finally, we move onto the definition of protected health information, which states “protected health information means individually identifiable health information transmitted by electronic media, maintained in electronic media or transmitted or maintained in any other form or medium”.

An Explanation of what is Considered PHI under HIPAA

The way to explain what is considered PHI under HIPAA is that health information is any information relating a patient´s condition, the past, present, or future provision of healthcare, or payment thereof. It becomes individually identifiable health information when identifiers are included in the same record set, and it becomes protected when it is transmitted or maintained in any form (by a covered entity).

Generally, HIPAA covered entities are limited to health plans, health care clearinghouses, and healthcare providers that conduct electronic transactions for which the Department of Health and Human Services (HHS) has published standards. The standards can be found in Subparts I to S of the HIPAA Administrative Data Standards. Therefore:

• “A broken leg” is health information.
• “Mr. Jones has a broken leg” is individually identifiable health information.
• If a covered entity records “Mr. Jones has a broken leg” the health information is protected.

Where do Business Associates Enter the Equation?

As well as covered entities having to understand what is considered PHI under HIPAA, it is also important that business associates are aware of how PHI is defined. This is because any individually identifiable health information created, received, maintained, or transmitted by a business associate in the provision of a service for or on behalf of a covered entity is also protected.

Business associates are required to comply with the Security and Breach Notification Rules when providing a service to or on behalf of a covered entity. However, depending on the nature of service being provided, business associates may also need to comply with parts of the Administrative Requirements and the Privacy Rule depending on the content of the Business Associate Agreement.

When is PHI not PHI?

There is a common misconception that all health information is considered PHI under HIPAA, but this is not the case.

First, it depends on whether an identifier is included in the same record set. Under HIPAA, PHI ceases to be PHI if it is stripped of all identifiers that can tie the information to an individual. If identifiers are removed, the health information is referred to as de-identified PHI. HIPAA does not apply to de-identified PHI, and the information can be used or disclosed without violating any HIPAA Rules.

Health information is also not PHI when it is created, received, maintained, or transmitted by an entity not subject to the HIPAA Rules. For example, even though schools and colleges may have medical facilities, health information relating to students is covered by the Family Educational Rights and Privacy Act (FERPA) which preempts HIPAA due to stronger protections and rights.

Health information maintained by employers as part of an employee´s employment record is not considered PHI under HIPAA. However, employers that administer a self-funded health plan do have to meet certain requirements with regards to keeping employment records separate from health plan records in order to avoid impermissible disclosures of PHI.

It is important to be aware that exceptions to these examples exist. One of the most complicated examples relates to developers, vendors, and service providers for personal health devices that create, collect, maintain, or transmit health information. Entities related to personal health devices are not covered entities or business associates under HIPAA unless they are contracted to provide a service for or on behalf of a covered entity or business associate.

However, entities related to personal health devices are required to comply with the Breach Notification Rule under Section 5 of the Federal Trade Commission Act if a breach of unsecured PHI occurs. This means that, although entities related to personal health devices do not have to comply with the Privacy and Security Rules, it is necessary for these entities to know what is considered PHI under HIPAA in order to comply with the Breach Notification Rule.

The complexity of determining if information is considered PHI under HIPAA implies that both medical and non-medical workforce members should receive HIPAA training on the definition of PHI. It is also important for all members of the workforce to know which standards apply when state laws offer greater protections to PHI or have more individual rights than HIPAA, as these laws will preempt HIPAA.

What is Considered PHI Under HIPAA FAQs

What is the difference between PHI and ePHI?

The different between PHI and ePHI is that ePHI refers to Protected Health Information that is created, used, shared, or stored electronically – for example on an Electronic Health Record, in the content of an email, or in a cloud database. Both PHI and ePHI are subject to the same protections under the HIPAA Privacy Rule, while the HIPAA Security Rule and the HITECH Act mostly relate to ePHI.

Does the Privacy Rule apply to both paper and electronic health information?

Due to the language used in the original Health Insurance Portability and Accountability Act, there is a misconception that HIPAA only applies to electronic health records. While the protection of electronic health records was addressed in the HIPAA Security Rule, the Privacy Rule applies to all types of health information regardless of whether it is stored on paper or electronically, or communicated orally.

If an individual calls a dental surgery to make an appointment and leaves their name and telephone number, is that PHI?

No, because although names and telephone numbers are individual identifiers, at the time the individual calls the dental surgery there is no health information associated with them. Only once the individual undergoes treatment, and their name and telephone number are added to the treatment record, does that information become Protect Health Information.

How can future health information about medical conditions be considered “protected”?

Future health information can include prognoses, treatment plans, and rehabilitation plans that – if altered, deleted, or accessed without authorization – could have significant implications for a patient. For this reason, future health information must be protected in the same way as past or present health information.

Does the Privacy Rule apply when medical professionals are discussing a patient´s healthcare?

Although PHI can be shared without authorization for the provision of treatment, when medical professionals discuss a patient´s healthcare, it must be done in private (i.e. not within earshot of the general public) and the Minimum Necessary Standard applies – the rule that limits the sharing of PHI to the minimum necessary to accomplish the intended purpose.

If a medical professional discusses a patient´s treatment with the patient´s employer, is that information protected?

That depends on the circumstances. Usually a patient will have to give their consent for a medical professional to discuss their treatment with an employer; and unless the discussion concerns payment for treatment or the employer is acting as an intermediary between the patient and a health plan, it is not a HIPAA-covered transaction. However, while not PHI, the employer may be required to keep the nature of the discussion confidential under other federal or state laws (i.e. ADA, FCRA, etc.).

Get The HIPAACompliance Checklist

Free and Immediate Download

Delivered via email so please ensure you enter your email address correctly.

Your Privacy Respected

HIPAA Journal Privacy Policy