What is Protected Health Information?

Protected health information is individually identifiable health information that is created, received, maintained, or transmitted by a HIPAA Covered Entity or Business Associate and relates to an individual’s health condition, healthcare, or payment for healthcare.

Elements That Make Information Protected Health Information

Information is protected health information when it meets two conditions.

The information relates to an individual’s past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare.
The information identifies the individual or provides a reasonable basis to identify the individual.

Protected health information exists in any format, including paper records, electronic records, images, audio, video, and verbal communications.

Identifiers Associated With Protected Health Information

Identifiers can be direct identifiers or indirect identifiers.

Direct identifiers include name, address, telephone number, email address, Social Security number, medical record number, health plan beneficiary number, account numbers, certificate or license numbers, and photographs that identify the individual.

Indirect identifiers include full dates linked to an individual, detailed location information, unique job roles or public visibility in small communities, rare diagnoses, unusual procedures, distinctive injuries, and combinations of facts that allow the individual to be recognized.
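The two-condition test above (health content plus an identifier) is the rule a data-loss-prevention or log-review check has to encode. The following Python script is an added illustration, not code from HIPAA Coach or from the page: it scans constructed sample records for a few of the direct identifiers named above (SSN, phone, email, medical record number), treats a full calendar date as an indirect identifier that only warrants review, and reports whether each record meets both conditions. The identifier patterns, the "MRN" number format and the small health-vocabulary list are all assumptions chosen for the example; a real classifier would use a curated lexicon and format-specific parsers.

```python
"""Triage check for the two-condition PHI test: health content AND an identifier."""
import re
from dataclasses import dataclass, field

# Assumed formats for a few direct identifiers named on the page (constructed patterns).
DIRECT_IDENTIFIERS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.IGNORECASE),
}
# A full date linked to a person is an indirect identifier: it flags the record for
# human review rather than deciding the question on its own.
INDIRECT_IDENTIFIERS = {
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}
# Crude, constructed health-content vocabulary covering condition, care and payment terms.
HEALTH_CONTENT = re.compile(
    r"\b(diagnos\w*|prescri\w*|lab results?|admitted|discharged|treatment|claims?|copay|\d+\s*mg)\b",
    re.IGNORECASE,
)


@dataclass
class PhiAssessment:
    status: str                      # PHI, REVIEW, HEALTH_INFO_ONLY, IDENTIFIERS_ONLY, NOT_PHI
    direct: dict = field(default_factory=dict)
    indirect: dict = field(default_factory=dict)
    health_terms: list = field(default_factory=list)


def _matches(patterns: dict, text: str) -> dict:
    """Return {pattern_name: [matched strings]} for every pattern that hits."""
    found = {}
    for name, rx in patterns.items():
        hits = rx.findall(text)
        if hits:
            found[name] = hits
    return found


def assess(text: str) -> PhiAssessment:
    """Apply the two-condition test to one free-text record."""
    direct = _matches(DIRECT_IDENTIFIERS, text)
    indirect = _matches(INDIRECT_IDENTIFIERS, text)
    health = [m.group(0) for m in HEALTH_CONTENT.finditer(text)]
    if health and direct:
        status = "PHI"                 # both conditions met with a direct identifier
    elif health and indirect:
        status = "REVIEW"              # health content plus an indirect identifier only
    elif health:
        status = "HEALTH_INFO_ONLY"    # no identifier found; candidate for de-identified data
    elif direct or indirect:
        status = "IDENTIFIERS_ONLY"    # identifiable, but no health content in this record
    else:
        status = "NOT_PHI"
    return PhiAssessment(status, direct, indirect, health)


# Constructed sample records; none refer to a real person.
SAMPLE_RECORDS = [
    "Patient Jane Roe, MRN 00483921, diagnosed with type 2 diabetes; metformin 500 mg prescribed.",
    "De-identified cohort summary: 42% of participants were diagnosed with hypertension.",
    "Contact the billing vendor at ops@example.com or 555-010-2244 about the invoice.",
    "Lab results from the 03/14/2024 visit show elevated A1C.",
    "Quarterly parking lot maintenance schedule.",
]


def triage(records=SAMPLE_RECORDS) -> dict:
    """Map each record to its status so a reviewer can see what needs handling as PHI."""
    return {record: assess(record).status for record in records}


if __name__ == "__main__":
    for record, status in triage().items():
        print(f"{status:17} {record}")
```

The status split matters for handling: only records marked PHI or REVIEW need the Privacy Rule and Security Rule controls applied, while HEALTH_INFO_ONLY output is the kind of material a de-identification review should confirm before it is treated as outside HIPAA.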

Common Examples Of Protected Health Information

Clinical documentation such as progress notes, diagnoses, lab results, imaging reports, medications, and care plans is protected health information when linked to an identifiable individual.

Operational records such as appointment schedules, admission and discharge information, care coordination communications, and referral documentation are protected health information when linked to an identifiable individual.

Financial and administrative records such as claims, explanations of benefits, billing statements, payment status, and prior authorization documentation are protected health information when linked to an identifiable individual.

Photographs, video, and audio recordings are protected health information when the patient is identifiable or when contextual details allow identification.

Information That Is Not Protected Health Information

De-identified health information is not protected health information when it meets a recognized HIPAA de-identification method and the remaining data does not provide a reasonable basis to identify the individual.

Employment records held by an employer in its capacity as an employer are not protected health information under HIPAA.

Education records covered by the Family Educational Rights and Privacy Act are not protected health information under HIPAA.

Relationship To HIPAA Rules

The HIPAA Privacy Rule governs permitted uses and disclosures of protected health information and establishes individual rights. The HIPAA Security Rule establishes safeguards for electronic protected health information. The HIPAA Breach Notification Rule establishes notification duties for breaches of unsecured protected health information.

The HIPAA Minimum Necessary Rule limits uses, disclosures, and requests for protected health information to the minimum necessary to accomplish the intended purpose when the rule applies.

Business Associate Handling Of Protected Health Information

A Business Associate handles protected health information when it creates, receives, maintains, or transmits protected health information on behalf of a HIPAA Covered Entity. Business Associate access and use of protected health information is governed by the Business Associate Agreement and applicable HIPAA requirements.

All staff of a HIPAA Business Associate must receive HIPAA training and security awareness training, and staff with access to protected health information must complete HIPAA training before that access is granted. Annual HIPAA training is industry best practice.

Workforce Training And Handling Controls

All workforce members must receive HIPAA training. Annual HIPAA training is industry best practice. Training on HIPAA rules and regulations provides a foundation for workforce understanding before instruction on internal policies and procedures.

Training should address identification of protected health information across formats, permitted disclosures under the HIPAA Privacy Rule, safeguards under the HIPAA Security Rule, and internal reporting procedures for suspected incidents that may involve protected health information.

Daniel Lopez

Daniel Lopez is the HIPAA expert behind HIPAA Coach. Daniel has over 10 years' experience as a HIPAA trainer and has developed deep experience in teaching HIPAA to healthcare professionals. Daniel has contributed to numerous publications, including expert articles on The HIPAA Guide. Daniel is currently a staff writer on HIPAA at the Healthcare IT Journal. Daniel was a subject matter expert for ComplianceJunction's online HIPAA training. Daniel's academic background in Health Information Management is the foundation of his HIPAA expertise. Daniel's primary professional interest is protecting patient privacy, which he believes is the core of the HIPAA regulations and the best route to HIPAA compliance. You can reach Daniel on the contact page of HIPAA Coach and follow him on Twitter at https://twitter.com/DanielLHIPAA