What is Considered PHI Under HIPAA?

Protected health information under HIPAA is individually identifiable health information that is created, received, maintained, or transmitted by a HIPAA Covered Entity or Business Associate and relates to an individual’s health condition, healthcare, or payment for healthcare.

Core Elements Of Protected Health Information

Protected health information includes information about an individual’s past, present, or future physical or mental health condition. It includes information about the provision of healthcare to an individual. It includes information about payment for healthcare.

Protected health information exists in any form, including electronic records, paper records, images, audio, and verbal communications.

Identifiers That Make Health Information Individually Identifiable

Health information becomes protected health information when it identifies an individual or provides a reasonable basis to identify the individual. Identifiers can be direct or indirect.

Direct identifiers include name, address, telephone number, email address, account numbers, medical record numbers, and Social Security numbers. Indirect identifiers include full dates linked to an individual, detailed geographic information, unique circumstances, and combinations of facts that allow a person to be recognized.

Examples Of Protected Health Information

Clinical notes, diagnoses, test results, treatment plans, and medication lists are protected health information when linked to an identifiable individual. Appointment records and admission and discharge information are protected health information when linked to an identifiable individual.

Billing records, insurance identifiers, claims information, and payment status information are protected health information when linked to an identifiable individual.

Photographs that identify a patient and images that include patient identifiers are protected health information.

Information That Is Not Protected Health Information

De-identified health information is not protected health information when it meets an accepted HIPAA de-identification method and there is no reasonable basis to identify the individual.

Employment records held by an employer in its capacity as an employer are not protected health information under HIPAA. Information maintained by a school in education records covered by the Family Educational Rights and Privacy Act is not protected health information under HIPAA.

HIPAA Minimum Necessary Rule

The HIPAA Minimum Necessary Rule limits uses, disclosures, and requests for protected health information to the minimum necessary to accomplish the intended purpose when the rule applies.

Daniel Lopez

Daniel Lopez is the HIPAA expert behind HIPAA Coach. Daniel has over 10 years of experience as a HIPAA trainer and has developed deep experience in teaching HIPAA to healthcare professionals. Daniel has contributed to numerous publications including expert articles on The HIPAA Guide. Daniel is currently a staff writer on HIPAA at the Healthcare IT Journal. Daniel was a subject matter expert for ComplianceJunction's online HIPAA training. Daniel's academic background in Health Information Management is the foundation of his HIPAA expertise. Daniel's primary professional interest is protecting patient privacy, which he believes is the core of the HIPAA regulations and the best route to HIPAA compliance. You can reach Daniel on the contact page of HIPAA Coach and follow him on Twitter at https://twitter.com/DanielLHIPAA