What is Protected Health Information?

Due to the complexity of the HIPAA Privacy Rule, it can sometimes be difficult to find an accurate answer to the question what is Protected Health Information. This article explains not only what Protected Health Information is, but why it is importantly to fully understand the term´s meaning.  

Protected Health Information is a term frequently used when discussing HIPAA compliance. Yet it appears not everybody understands what is Protected Health Information, judging by online sources that confuse Protected Health Information with “HIPAA identifiers” – the information that should be removed from a designated record set before any remaining information is de-identified. 

However, it is important Covered Entities, Business Associates, and workforces in the healthcare and health insurance industries know what is Protected Health Information in order to comply with the Privacy Rule standards for permissible uses and disclosures, respond to individuals´ access requests, and notify HHS´ Office of Civil Rights of breaches of unsecured Protected Health Information.

So, What Is Protected Health Information? 

To answer the question what is Protected Health Information it is necessary to work backward through the definitions section of the Administrative Simplification Regulation (§160.103). This is because Protected Health Information is defined in the Regulation as “individually identifiable health information […] transmitted by or maintained in electronic media or any other form or medium.” 

So, what is “individually identifiable health information”? Individually identifiable health information is defined in §160.103 as “a subset of health information […] collected from an individual […] that relates to:

• The past, present, or future physical or mental condition of an individual,
• Or the provision of health care to an individual,
• Or the past, present, or future payment for the provision of health care to an individual, 
• THAT identifies the individual or can be used to identify the individual.

The definition of “health information” in §160.103 is similar to that of individually identifiable health information inasmuch as “health information” relates to the past, present, or future condition of a (non-identified) patient, treatment for the condition, or payment for the treatment. However, health information can be “oral or recorded in any form or medium.” Therefore:

• The diagnosis of “a sprained wrist” is health information.
• “Mr. Doe has a sprained wrist” is individually identifiable health information.
• When the words “Mr. Doe has a sprained wrist” are communicated orally, written down, or (for example) entered into an EHR, the diagnosis becomes Protected Health Information.

Designated Record Sets and Protected Health Information

One of the reasons it can sometimes be difficult to find an accurate answer to the question what is Protected Health Information is because many sources of information omit to mention designated record sets – groups of medical and/or billing records maintained by or on behalf of a Covered Entity that are used in whole or in part to make decisions about individuals. 

At this stage it is important to be aware that an individual patient or plan member can have multiple designated record sets – some of which many only include one item of individually identifiable health information. For example, a photograph of a newborn infant on a pediatrician´s “baby wall” is a single item designated record set.

When individually identifiable health information is “maintained in electronic media or any other form or medium” in a designated record set by a HIPAA Covered Entity or Business Associate it is automatically Protected Health Information. Additionally, every other item of information maintained in the same designated record set assumes the same “protected” status.

In the case of Mr. Doe having a sprained wrist, if his address, phone number, and wife´s name are maintained in the same designated record set, these items of information assume the same protected status as the diagnoses of the injury, even though – taken out of context – the information is not relevant to Mr. Doe´s injury, treatment for the injury, or payment for the treatment.

So, What Are HIPAA Identifiers?

It was mentioned in the introduction to this article that some online sources confuse Protected Health Information with “HIPAA identifiers”. But what are HIPAA identifiers? These are any items of information that identify an individual or that can be used to identify an individual when they are maintained in the same designated record set as the individual´s Protected Health Information.

Therefore, returning to Mr. Doe, his phone number, address, and wife´s name are HIPAA identifiers all the time they are maintained in a designated record set pertaining to Mr. Doe. If they are maintained separately from his Protected Health Information, they no longer have a “protected” status under HIPAA – although other state privacy and security laws may apply.

One of the issues with explaining what is Protected Health Information is that many sources believe there are only 18 HIPAA identifiers (as listed in §164.514 of the Privacy Rule). However, it is important to remember that the Privacy Rule was published more than twenty years ago – since when, there are several more ways an individual might be identified.

For example, when the Privacy Rule was published, social media did not exist. But, if an individual has exercised their right to choose how they would like to be contacted, it is possible that a social media handle could exist within their designated record set. If so, this “identifier” assumes a protected status and should be removed before a designated record set is considered deidentified. 

The Importance of Understanding What is Protected Health Information

It was mentioned above it is important Covered Entities, Business Associates, and workforces know what is Protected Health Information in order to comply with the Privacy Rule standards for permissible uses and disclosures, respond to individuals´ access requests, and notify HHS´ Office of Civil Rights of breaches of unsecured Protected Health Information. The reason why it is important to fully understand the term´s meaning is that:

• By protecting more than the necessary information, organizations can obstruct the flow of information and introduce inefficiencies into operations.
• Not knowing that individuals may have more than one designated record set – or not knowing where the record sets are – can delay responses to access requests. 
• Notifying HHS´ Office for Civil Rights of data breaches that do not involve Protected Health Information could waste the organization´s time if HHS decides to investigate.

With regards to the final bullet point, the Breach Notification Rule also requires Covered Entities to notify affected individuals when a breach of unsecured Protected Health Information occurs. Notifying an individual when only individually identifiable non-health information has been disclosed could worry them unnecessarily and may damage the organization´s reputation unnecessarily. 

Ultimately, there are multiple reasons why organizations subject to the HIPAA Privacy, Security, and Breach Notification Rules know what is Protected Health Information and pass that knowledge onto patients and plan members when required. Therefore, if you encounter issues understanding what Protected Health Information is, applying your knowledge in HIPAA compliant policies, or conveying your knowledge to members of the workforce, you are advised to seek expert compliance advice. 

What is Protected Health Information? FAQs