What is Protected Health Information?
The simple answer is ANY information that can be used to identify you from your health information. Under the “Safe Harbor” method, a total of 18 unique identifiers must be removed.
PHI, as defined by the US Health Insurance Portability and Accountability Act (HIPAA), is any information about health status, provision of healthcare, or payment for healthcare that is created or collected by healthcare organizations, referred to as Covered Entities (CEs), or by their Business Associates (BAs), and that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history [i].
The HIPAA Privacy Rule protects most “individually identifiable health information” held or transmitted by a CE or its BA, in any form or medium, whether electronic, on paper, or oral. The Privacy Rule calls this information PHI [ii].
Section 164.514(a) of the Privacy Rule provides the standard for de-identification of protected health information. Under this standard, health information is not individually identifiable if it does not identify an individual and if the covered entity has no reasonable basis to believe it can be used to identify an individual.
Sections 164.514(b) and (c) contain the implementation specifications that offer two methods to achieve de-identification in accordance with the HIPAA Privacy Rule.
The first is the “Expert Determination” method:
CEs or BAs may use the Expert Determination method to verify that PHI is not individually identifiable health information only if they can provide assurances of the following:
1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable;
a) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
b) Documents the methods and results of the analysis that justify such determination;
The second is the “Safe Harbor” method:
Examples of PHI include a medical record, laboratory report, or hospital bill, because each document contains a patient’s name and/or other identifying information associated with the health data content.
The Safe Harbor method de-identifies PHI by removing specific identifiers from the data set. All of the following identifiers must be removed:
- All geographic identifiers smaller than a state, except for the initial three digits of a ZIP code if, according to the current publicly available data from the U.S. Bureau of the Census: (1) the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people are changed to 000
- Dates (other than year) directly related to an individual
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger, retinal and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
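As an added illustration (example code, not part of the original post), the following Python applies two of the Safe Harbor rules above to a patient record: ZIP codes are cut to three digits only when the 3-digit unit exceeds 20,000 people (otherwise 000), dates directly related to the individual keep only the year, and listed direct identifiers are dropped. The population table and the sample record are constructed for the example and are not Census data.

```python
import re
from datetime import date

# Constructed sample, NOT Census data: population of the geographic unit
# formed by all ZIP codes sharing these three initial digits.
ZIP3_POPULATION = {
    "100": 1_500_000,  # well above 20,000: the prefix may be kept
    "036": 5_000,      # 20,000 or fewer: the prefix becomes 000
    "059": 20_000,     # boundary case: "20,000 or fewer" still becomes 000
}

DIRECT_IDENTIFIERS = {"phone", "fax", "email", "ssn", "mrn",
                      "account_number", "ip_address", "url"}
INDIVIDUAL_DATES = {"dob", "admission_date", "discharge_date"}

def safe_harbor_zip(zip_code, populations=ZIP3_POPULATION):
    """Keep at most the first three digits; emit 000 when the 3-digit unit has
    20,000 or fewer people or its population is unknown (no basis to keep it)."""
    digits = re.sub(r"\D", "", zip_code)
    prefix = digits[:3]
    if len(prefix) == 3 and populations.get(prefix, 0) > 20_000:
        return prefix
    return "000"

def safe_harbor_date(d):
    """Dates directly related to an individual keep only the year."""
    return str(d.year)

def deidentify(record):
    """Apply the rules above to one record (a dict): direct identifiers are
    dropped, dates reduced to the year, ZIP codes generalized. Other fields
    pass through unchanged, so the caller must confirm none of them is an
    identifier (free-text notes, for example, are not safe to pass through)."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field in INDIVIDUAL_DATES:
            out[field] = safe_harbor_date(value)
        elif field == "zip":
            out[field] = safe_harbor_zip(value)
        else:
            out[field] = value
    return out

# Constructed sample record for a stand-alone run (not real patient data).
SAMPLE = {"mrn": "MRN-0001", "phone": "555-0100", "zip": "03601-2200",
          "dob": date(1980, 5, 17), "admission_date": date(2023, 2, 3),
          "diagnosis_code": "E11.9"}
print(deidentify(SAMPLE))
```

Note that this only generalizes the two fields the list spells out in detail; a real Safe Harbor pass must address all 18 identifiers, and, as the text below points out, the result still carries a small residual re-identification risk.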
Both methods, even when properly applied, yield de-identified data that retains some risk of identification. Although the risk is very small, it is not zero, and there is a possibility that de-identified data could be linked back to the identity of the patient to which it corresponds.
Regardless of the method by which de-identification is achieved, the Privacy Rule does not restrict the use or disclosure of de-identified health information, as it is no longer considered protected health information.
For information on de-identification of PHI by Expert Determination (45 CFR § 164.514(b)(1)) and Safe Harbor (45 CFR § 164.514(b)(2)), see the U.S. Department of Health and Human Services’ Office for Civil Rights.
Don’t know where or how to start or update your HIPAA security compliance program? Let’s chat about your compliance program – schedule a call with HIPAA alli today!
[ii] Protected health information (PHI) is defined as individually identifiable health information transmitted or maintained by a covered entity or its business associates in any form or medium (45 CFR 160.103). The definition exempts a small number of categories of individually identifiable health information, such as individually identifiable health information found in employment records held by a Covered Entity in its role as an employer.