Nov
18

Definition of PHI


We have a question on the definition of PHI. We have read § 160.103 definitions for PHI and individually identifiable health information as well as sections § 164.502(d) and § 164.514 on de-identification. Unfortunately we have different interpretations. If the following information is disclosed, would this be PHI?

  1. Patient name, address, patient number, admit date, account balance, and the name of the hospital
  2. Patient name, patient number, date of birth, date of service, medical record number, and name of hospital

These would appear in the form of a letter to the patient. If they were received by someone other than the patient, would this be considered PHI since the person who received it would not be able to determine anything about the patient’s diagnosis or treatment received at the hospital? Also, there is no way for the person to access the patient’s information since the patient number or medical record number would have to be looked up in the hospital’s information system.

LaWanda Gray

Categories : HIPAA Q&A

Comments

  1. Nancy Davis says:

    The information is PHI and if it were inadvertently disclosed to another, we would process it as an unauthorized disclosure and complete a risk assessment to determine harm to the patient and breach notification requirements.

  2. Sherri L. Brooks says:

    Review the definition of individually identifiable health information. Based upon the facts, you are including the name in the letter, so it is individually identifiable. The question is whether this other information is health information. Review the definition of health information. Also, remember that one does not have to definitely be able to identify the individual; there is a lower standard at the end of the definition of “individually identifiable health information” (i.e., reasonably….).

  3. Vivek Desai says:

    I hope this helps

    Protected Health Information

    PHI is individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g, records described at 20 U.S.C. 1232g(a)(4)(B)(iv), and employment records held by a covered entity in its role as employer.

    Health Information

    Any information, whether oral or recorded in any form or medium, that (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

    Individually Identifiable Health Information
    Information that is a subset of health information, including demographic information collected from an individual, and (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (a) that identifies the individual; or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

  4. Richard Dropski says:

    In some situations, the name of a hospital may indicate the patient’s diagnosis, such as mental health facilities and cancer treatment centers. As such, it would be health information.

  5. Karen Scott says:

    The information absolutely is PHI. It identifies the individual and relates to the provision of health care to an individual.

  6. April McDannell says:

    I would ditto what Nancy Davis has stated.
    To that I would add a comment to the statement that “since the person who received it would not be able to determine anything about the patient’s diagnosis or treatment received at hospital”, some people do not want anyone to even know they were at or in a hospital for any reason. It doesn’t matter that one cannot determine the “Why” they were being treated for, what matters is that it was disclosed.

  7. Tom Dumez says:

    Can I also add that there is an attempt by federal authorities (through a Notice of Proposed Rule Making) that is before Congress that will add all kinds of other non-medical information to the PHI category that really has nothing to do with health information? We are talking about driver’s license numbers, phone numbers, etc. My opinion is this is being proposed just to collect revenue (from fines/penalties) that cannot necessarily be collected now. The more information that is deemed “PHI”, the more chance of a breach of it. Thus, fines can be assessed and collected.

    Tom
