We have a question on the definition of PHI. We have read § 160.103 definitions for PHI and individually identifiable health information as well as sections § 164.502(d) and § 164.514 on de-identification. Unfortunately we have different interpretations. If the following information is disclosed, would this be PHI?
- Patient name, address, patient number, admit date, account balance, and the name of the hospital
- Patient name, patient number, date of birth, date of service, medical record number, and name of hospital
These would appear in the form of a letter to patient. If they were received by someone other than the patient, would this be considered PHI since the person who received it would not be able to determine anything about the patient’s diagnosis or treatment received at hospital? Also, there is no way for the person to access the patient’s information since the patient number or medical record number would have to be looked up in the hospital’s information system.