Q. The Code of Federal Regulations (CRF), specifically 45 CFR 160.103, defines PHI and individually identifiable health information.
Is the information described in the following scenarios considered PHI?
A hospital sends a patient a letter that includes the patient’s name and address, patient number, admission date, account balance, and the hospital’s name. Alternatively, the hospital sends a letter that includes the patient’s name and date of birth, patient number, date of service, medical record number, and the hospital’s name. If one of these letters is sent to someone other than the patient, is this considered a breach of PHI that requires patient notification?
A. Pursuant to 45 CFR 160.103, PHI is considered individually identifiable health information. A strict interpretation and an “on-the-face-of-it” reading would classify the patient name alone as PHI if it is in any way associated with the hospital. CFR states that PHI includes demographic information received by a healthcare provider and relating to the provision of healthcare. If an individual’s name is associated with a hospital and the hospital provided healthcare, it is demographic information and is considered PHI.
The additional information confirms that the content of the letter is PHI even though the letter does not specifically mention the health condition of the patient. The regulation does not require a data set to include a certain number of identifiers to be considered PHI. It specifically states that if information identifies an individual, it is PHI.
The information included in the two example letters is clearly PHI. Sending the letter to the wrong individual would be considered a breach of unsecure PHI. After conducting a risk assessment to determine whether sending the letter to the wrong individual will cause harm to the affected patient, the hospital would be responsible for determining whether to notify patients. The hospital must document its actions regardless of whether the incident is a notifiable breach (45 CFR 164.400–164.414).
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question. He has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.