Protected Health Information Includes All Of The Following Except

circlemeld.com
Sep 24, 2025 · 6 min read

Protected Health Information (PHI): Everything You Need to Know, Except What It Doesn't Include
Understanding Protected Health Information (PHI) is crucial in today's digital age, especially with the increasing prevalence of electronic health records and data breaches. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets strict guidelines for the protection of PHI, outlining what constitutes this sensitive data and how it must be handled. This article will delve into the comprehensive definition of PHI, exploring what it includes and, importantly, what it doesn't include. We will explore the intricacies of HIPAA regulations and provide clarity on the boundaries of protected information.
What is Protected Health Information (PHI)?
Protected Health Information (PHI) is individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. This includes a broad range of information relating to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.
The key element here is individually identifiable health information. This means that the information can be used to identify a specific person. This identification doesn't necessarily require explicit naming; it can be inferred from other pieces of data.
What PHI Includes: A Comprehensive List
HIPAA's definition of PHI encompasses a wide range of data points. Here's a detailed breakdown:
- 18 Identifiers: HIPAA specifically lists 18 identifiers that, when used in conjunction with other health information, can render it individually identifiable. These include:
  - Names
  - All geographic subdivisions smaller than a state, including street address, city, county, precinct, etc.
  - All elements of dates (except year) relating to an individual, including birth date, admission date, discharge date, date of death; and age, if the age is over 89
  - Telephone numbers
  - Fax numbers
  - Electronic mail addresses
  - Social Security numbers
  - Medical record numbers
  - Health plan beneficiary numbers
  - Account numbers
  - Certificate/license numbers
  - Vehicle identifiers and serial numbers, including license plate numbers
  - Device identifiers and serial numbers
  - Web Universal Resource Locators (URLs)
  - Internet Protocol (IP) address numbers
  - Biometric identifiers, including finger and voice prints
  - Full face photographic images and any comparable images
- Information Regarding Physical or Mental Health: This includes diagnoses, symptoms, test results, treatment plans, and any other information about an individual's physical or mental health status. This extends to past, present, and even future conditions.
- Healthcare Services Provided: This encompasses details about the healthcare services received by an individual, including the type of service, date of service, provider, and location of service.
- Payment Information: This includes details about the payment for healthcare services, such as insurance information, billing codes, and payment amounts.
- Genetic Information: This increasingly important category includes information about an individual's genetic makeup, which can have significant implications for their health and well-being.
- Information from a Covered Entity or Business Associate: The information must be held or transmitted by a covered entity (healthcare provider, health plan, healthcare clearinghouse) or its business associate. This clarifies that not all health information is PHI; it must fall under the purview of these entities.
What PHI Does Not Include: Clarifying the Boundaries
While the scope of PHI is extensive, it's equally important to understand what information is excluded. This helps delineate the boundaries of HIPAA compliance and avoids unnecessary restrictions.
1. De-identified Health Information: This is the most crucial exception. If health information is stripped of all 18 HIPAA identifiers and the remaining information cannot reasonably be used to identify an individual, it's considered de-identified and is not subject to HIPAA regulations. However, it’s critical to follow stringent de-identification procedures to ensure accurate and compliant data handling. The process must be carefully documented to ensure the data's irreversible anonymization.
2. Publicly Available Information: Information that is already publicly available, such as an individual's name and address listed in a telephone directory, is generally not considered PHI. However, even publicly available information should be treated with caution, especially if combined with other health data.
3. Information held by entities not covered under HIPAA: HIPAA regulations only apply to covered entities and their business associates. Health information held by individuals, non-covered healthcare providers, or other entities outside this scope is not considered PHI under HIPAA.
4. Employment Records: While an employer may hold some health information about their employees, such as information related to workers' compensation, this information often falls under other regulations, not specifically HIPAA. The overlap needs careful consideration, and often multiple regulations will apply.
5. Education Records: Health information contained within education records, especially for minors, is usually subject to the Family Educational Rights and Privacy Act (FERPA), not HIPAA.
6. Information related solely to the use or disclosure of PHI: This might seem counterintuitive, but metadata concerning the handling of PHI itself is usually not considered PHI. For example, information on who accessed a record and when doesn’t qualify as PHI on its own. The focus remains on the protected health information itself.
7. Information about a deceased individual, unless it involves a wrongful death claim: HIPAA protections generally don't extend to information about deceased individuals after a reasonable period has passed. However, there are exceptions, especially if the information is relevant to a wrongful death lawsuit.
8. Health information related to research, subject to IRB approval: If the health data is used specifically for research, and safeguards are in place, compliant with Institutional Review Board (IRB) requirements, then it might not fall fully under the purview of HIPAA PHI. This often involves strict anonymization processes.
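The de-identification step in item 1, sketched as an added example (not code from the original article): it drops structured fields that correspond to the listed identifiers, reduces dates to the year, buckets ages over 89, and then scans what is left for identifier-shaped text in free-text fields. All field names and the sample record are assumptions, and a clean pattern scan is a leak check rather than proof that the data cannot be re-identified.

```python
import re

# Hypothetical field names for identifiers on the page's list; adapt to your schema.
DROP_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Identifier shapes that commonly survive inside free-text fields.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+", re.I),
    "phone": re.compile(r"\b\d{3}[ .-]\d{3}[ .-]\d{4}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

def deidentify(record):
    """Drop direct identifiers, reduce dates to the year, bucket ages over 89."""
    over_89 = isinstance(record.get("age"), int) and record["age"] > 89
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key in DATE_FIELDS:
            # A birth year would itself reveal an age over 89, so omit it then.
            if not (over_89 and key == "birth_date"):
                out[key.replace("_date", "_year")] = int(str(value)[:4])
        elif key == "age":
            out[key] = "90+" if over_89 else value
        else:
            out[key] = value
    return out

def residual_identifiers(record):
    """Return sorted (field, kind) pairs for identifier-like text in string fields."""
    return sorted({(field, kind)
                   for field, value in record.items() if isinstance(value, str)
                   for kind, pattern in RESIDUAL_PATTERNS.items()
                   if pattern.search(value)})

SAMPLE = {  # constructed record, not real patient data
    "name": "Jane Roe", "ssn": "000-12-3456", "city": "Springfield",
    "state": "IL", "diagnosis": "I21.9", "age": 93,
    "birth_date": "1931-05-17", "admission_date": "2024-03-01",
    "notes": "Pt called from 555-010-4477 on 2024-03-02; email jo@example.org",
}
```

Running `residual_identifiers(deidentify(SAMPLE))` still flags the `notes` field, which is the usual way identifiers slip through a field-level strip.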
The Importance of Understanding the Exceptions
Understanding what doesn't constitute PHI is just as crucial as understanding what does. This knowledge ensures that covered entities and business associates don't inadvertently restrict the handling of information that doesn't require the stringent protections of HIPAA. Misinterpreting these boundaries can lead to unnecessary operational constraints and potential legal issues.
Practical Implications and Real-World Scenarios
Let’s consider some practical scenarios to illustrate the nuances of PHI and its exceptions:
- Scenario 1: A hospital publicizes the number of heart attack patients admitted last month, without identifying individuals. This is generally acceptable. The aggregate data is not PHI.
- Scenario 2: A doctor mentions a patient's name and diagnosis in a public lecture, without further identifying details. This could be a HIPAA violation. Although the context is public, the potential identification of the patient through additional information presents risk.
- Scenario 3: A school nurse keeps records of student immunizations, but these records are governed by FERPA and may not necessarily be PHI according to HIPAA regulations.
- Scenario 4: A company's wellness program collects employee data on fitness levels. This information is usually governed by employee privacy regulations, not HIPAA.
These examples highlight the need for careful consideration, and possibly legal counsel, when handling any data that could be linked to health information.
Conclusion: Navigating the Complexities of PHI
The definition of Protected Health Information (PHI) is complex and multifaceted. Understanding the specific components that constitute PHI, as well as the important exceptions, is paramount for ensuring compliance with HIPAA regulations. The focus is on safeguarding individually identifiable health information while allowing for the appropriate use and disclosure of de-identified data for legitimate purposes such as research and public health reporting. Continuous education and adherence to best practices are essential for protecting patient privacy and maintaining ethical standards in healthcare. This article serves as an educational resource, but always consult with legal professionals for specific guidance related to your particular circumstances.