Privacy and Security: What Is Considered Protected Health Information Under HIPAA?
If your business operates within the U.S. healthcare industry as a HIPAA-covered organization, or you are considering doing business with clients subject to HIPAA, it is crucial to understand what constitutes protected health information and related requirements concerning permitted uses and disclosures of such information.
At Kendall PC, our experienced data protection and privacy lawyers can guide your company through the complexities of HIPAA law. Our knowledgeable legal team advises clients on every aspect of privacy and data security, offering tactical insights on a variety of compliance and transaction-based strategies. We can also help you navigate data breach or security incident investigations, responses, notifications, and remedial measures.
What Is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is the signature law that governs the use of, access to, and disclosure of protected health information (PHI) or electronic protected health information (ePHI) in the United States.
Colloquially, “HIPAA” refers to HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act and related rules and regulations. Collectively, they require HIPAA-covered organizations – Covered Entities (CEs) and their Business Associates (BAs) – to implement policies and procedures to protect the privacy and security of PHI and ePHI and administer HIPAA training for workforce members.
Such laws and related regulations further define strong enforcement provisions that allow the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) to impose administrative penalties and fines against violators. Certain violations under the Privacy Rule may also subject individuals and entities to criminal liability.
CEs include health plans, health care clearinghouses, and health care providers who conduct HIPAA-standard administrative and financial electronic transactions (including most providers, such as those who accept Medicare, Medicaid, or private insurance).
BAs are those entities and individuals who perform certain functions or activities on behalf of, or provide certain services to, a CE that involve accessing, creating, receiving, maintaining, or transmitting PHI. BAs also include subcontractors of the BA that create, receive, maintain, or transmit PHI on the BA’s behalf.
HIPAA requires CEs to enter into Business Associate Agreements (BAAs) with their respective BAs under which BAs must contractually agree to use PHI only for specified purposes, safeguard PHI from misuse, address data breaches and security incidents, help the applicable CE comply with applicable privacy and data protection laws, and hold the BA’s subcontractors to the same standards.
Elements of HIPAA Regulations
Taken together, HIPAA regulations consist of the following elements:
The Privacy Rule addresses the use and disclosure of PHI by CEs and gives individuals certain rights regarding their PHI to understand and control how their information is used. One important aim of the Privacy Rule is to ensure that an individual’s PHI is properly protected while allowing the flow of health information necessary to provide and promote health care and to protect the public’s well-being.
The Security Rule requires CEs to implement reasonable and appropriate safeguards to protect ePHI. Under the Security Rule, CEs must protect patients’ ePHI by implementing appropriate technical, administrative, and physical safeguards to ensure the security, integrity, and confidentiality of this information. More specifically, CEs must ensure the confidentiality, integrity, and availability of all ePHI, detect and safeguard against anticipated threats to the security of ePHI, protect against anticipated impermissible uses or disclosures, and certify compliance by their workforce.
The Enforcement Rule relates to compliance and investigations and describes possible civil monetary penalties and hearing procedures.
The HITECH Act strengthened HIPAA’s Privacy and Security Rule requirements by expanding various privacy protections and extending certain HIPAA requirements directly to BAs.
Breach Notification Rule
Established under the HITECH Act, the Breach Notification Rule requires CEs to notify HHS and affected individuals when breaches of unsecured PHI occur. The Breach Notification Rule further requires BAs to notify affected CEs of breaches.
Final Omnibus Rule
The Final Omnibus Rule implements remaining HITECH privacy, security, and enforcement provisions.
What Is PHI?
The HIPAA Privacy Rule protects most “individually identifiable health information” held or transmitted by a CE or its BA, in any form or medium, whether electronic, on paper, or oral. Protected health information (PHI) is defined under HIPAA as individually identifiable information, including demographic information, that relates to:
- An individual’s past, present, or future physical or mental health or condition
- The provision of health care to an individual; or
- The past, present, or future payment for an individual’s health care; and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.
The 18 HIPAA Identifiers for PHI
The Privacy Rule establishes policies meant to protect individually identifiable health information that is transmitted or held. There are 18 identifiers that HIPAA considers personally identifiable information, which include:
- Names
- Addresses (all geographic identifiers smaller than a state, including street address, city, county, and zip code)
- Dates (except years) related to individuals (including admission date, discharge date, birth date, date of death, and exact age if over 89)
- Telephone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- License or certificate numbers
- Vehicle serial numbers and identifiers, including license plate numbers
- Device serial numbers and identifiers
- Website URLs
- Internet Protocol (IP) Addresses
- Voiceprints or fingerprints
- Photographic images (not limited to images of faces)
- Other characteristics that could identify individuals
The relationship with health information is fundamental to PHI and ePHI. Identifying information alone, such as personal names, residential addresses, or phone numbers, does not necessarily constitute PHI. The data protection and privacy lawyers at Kendall PC can help your company navigate these complex issues.
What Uses and Disclosures of PHI are Permissible?
Generally, the Privacy Rule limits permitted uses and disclosures of PHI, requires authorization for some uses, and provides individuals with rights and some choices regarding their PHI. A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s PHI may be used or disclosed by CEs.
A CE may not use or disclose PHI, except either:
- As the Privacy Rule permits or requires; or
- As the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
A CE must disclose PHI in only two specific situations:
- To the individual (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their PHI; and
- To HHS when it is undertaking a compliance investigation, review, or enforcement action.
CEs are permitted, but not required, to use or disclose PHI without an individual’s authorization for the following purposes or situations:
- To the individual (unless required for access or accounting of disclosures)
- Treatment, Payment, and Healthcare Operations
- Opportunity to Agree or Object
- Incident to an otherwise permitted use and disclosure
- Public Interest and Benefit Activities
- Limited Data Set for the purposes of research, public health, or health care operations
Each of these exceptions is narrowly tailored and subject to specific, defined parameters and requirements under the Privacy Rule.
In recognition of the potential utility of health information even when it is not individually identifiable, the Privacy Rule also permits a CE or its BA to create information that is not individually identifiable by following de-identification standards and implementation specifications.
These methods allow a CE or its BA to use and disclose PHI that neither identifies nor provides a reasonable basis to identify an individual – HIPAA does not restrict the use or disclosure of such “de-identified” data.
The Privacy Rule provides two de-identification methods:
- A formal determination by a qualified expert; or
- The removal of specified individual identifiers as well as the absence of actual knowledge by the CE that the remaining information could be used alone or in combination with other information to identify the individual.
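As an added example that is not from this page or from Kendall PC, the following Python sketch applies the second method (removal of the listed identifiers) to a constructed patient record with hypothetical field names, then re-scans the result for identifier-shaped values. It covers only the mechanical removal step; the "no actual knowledge" condition is a judgment the code cannot make.

```python
import re
from datetime import date

# Constructed sample record; field names are hypothetical, not from the page.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "city": "Springfield",
    "state": "PA",
    "zip": "19000",
    "dob": "1931-04-17",
    "admission_date": "2023-11-02",
    "email": "jane@example.com",
    "ssn": "000-00-0000",
    "mrn": "MRN-0001",
    "diagnosis": "Type 2 diabetes",
    "notes": "Patient seen 2023-11-02; discussed diet.",
}

# Fields holding listed identifiers: names, geography smaller than a state,
# email addresses, social security numbers, medical record numbers.
DIRECT_IDENTIFIER_FIELDS = {"name", "city", "zip", "email", "ssn", "mrn"}
DATE_FIELDS = {"dob", "admission_date"}        # dates: keep only the year
FULL_DATE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")

def safe_harbor_deidentify(record, as_of=date(2024, 1, 1)):
    """Drop listed identifiers, reduce dates to years, aggregate age over 89."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                           # remove the identifier outright
        if key in DATE_FIELDS:
            out[key] = value[:4]               # ISO date -> year only
        elif isinstance(value, str):
            out[key] = FULL_DATE.sub(r"\1", value)   # dates inside free text too
        else:
            out[key] = value
    dob = date.fromisoformat(record["dob"])    # as_of is a constructed reference date
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    out["age"] = "90+" if age > 89 else age    # exact age over 89 is an identifier
    return out

# Post-check: value shapes that should never survive de-identification.
RESIDUAL_PATTERNS = {
    "full_date": FULL_DATE,
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}

def residual_identifier_hits(record):
    """Return (field, pattern) pairs for string values that still look identifying."""
    return [(k, n) for k, v in record.items() if isinstance(v, str)
            for n, p in RESIDUAL_PATTERNS.items() if p.search(v)]
```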
Learn About Our Data Protection and Privacy Solutions Today
For more information about how our data protection and privacy lawyers can help your business, contact Kendall PC today online or at (484) 414-4093. We serve small, midsized, and emerging businesses throughout the United States and across the globe.