Help overcome risks by understanding what protected health information is and how (not) to use it.
Federal law limits how patients’ personal information may be used and disclosed. Here are the basics you should know to protect your practice when handling patients’ protected health information (PHI).
Know What’s Protected
The HIPAA Privacy Rule protects patients’ “individually identifiable health information,” which is broadly defined as any information (including demographic data) in any form (e.g., paper, electronic, oral or voice recorded, etc.) that relates to:
- An individual’s past, present, or future physical or mental health condition;
- The provision of healthcare to the individual; and
- The past, present, or future payment for the provision of healthcare to the individual.
Under the Privacy Rule, specific “identifiers” include:
- Patient names
- Geographical subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, etc.
- Dates, including dates of birth, dates of service, etc.
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/License numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) addresses
- Biometric identifiers, including fingerprints and voiceprints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
Know What Isn’t Protected
Employment records — even if they contain information about an individual’s health — are not protected under the Privacy Rule. Neither are education records and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. Section 1232g. For example, an employment record that contains the results of mandatory drug testing does not qualify as PHI.
Section 164.514(a) of the HIPAA Privacy Rule provides the standard for de-identification of PHI. Under this standard, health information is not protected if it does not identify an individual, and if the covered entity has no reasonable basis to believe it can be used to identify an individual.
Protect Patient Data
HIPAA rules apply specifically to “covered entities” and their “business associates.” Covered entities are defined as healthcare providers, health plans, and healthcare clearinghouses. Business associates are any third party a covered entity engages to help it carry out its healthcare activities and functions (for example, a third-party billing service). Health information that identifies an individual but is not held by a covered entity or business associate probably is not subject to HIPAA rules.
In practical terms, if you work in a healthcare setting or if you regularly handle PHI as part of your job, you and the organization you work for are required to protect patient data under the Privacy Rule.
Use PHI Appropriately
Covered entities and business associates are allowed to disclose PHI without a signed authorization for treatment, payment, or healthcare operations (TPO) purposes. Examples include:
- Doctors and/or hospitals may share information with one another for treatment purposes.
- Patients’ information may be released without their authorization to insurance companies to receive payment for services provided.
- Healthcare operations can include a variety of business activities including quality assessment, employee review, licensing, etc.
- There are also certain other, limited disclosures of PHI for non-TPO purposes, such as when the disclosure is required by state or other law, for judicial processes, or in instances of domestic violence or abuse. Patients, however, can always authorize the disclosure of their PHI using a valid authorization.
Covered entities and their business associates must make reasonable efforts to use, disclose, and request only the minimum PHI needed to accomplish the intended purpose of the use, disclosure, or request. A covered entity must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary. For example, a billing clerk does not require the entire medical record to bill on behalf of the patient. Procedures must be put in place to ensure the billing clerk requests, receives, and uses only the minimum PHI necessary to perform their job duties.
Incidental disclosures are uses and disclosures that occur incident to other uses or disclosures permitted or required by HIPAA. These incidental disclosures are permitted under the rule, but only if the covered entity has taken “reasonable safeguards” to protect PHI and has otherwise implemented the requirements of the minimum necessary rule.
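As an added illustration (not code from the article), the two rules above, minimum necessary and the identifier list used for de-identification, applied to a constructed patient record. The field names, the per-role field policy, and the regular expressions are assumptions for the example; a free-text name cannot be caught by a pattern, so real de-identification of narrative notes needs a dedicated tool or expert review.

```python
"""Field-level minimum-necessary filtering and Safe Harbor-style scrubbing.
Added example; record layout, roles and patterns are assumed, not from the article."""
import re

# Constructed sample record (fictitious values, not real patient data).
RECORD = {
    "name": "Jane Example", "dob": "1984-03-12", "zip": "02138",
    "phone": "617-555-0100", "email": "jane@example.org", "ssn": "123-45-6789",
    "mrn": "MRN-00017", "ip": "203.0.113.7", "diagnosis": "Type 2 diabetes",
    "service_date": "2024-05-01", "cpt": "99213", "charge": 145.00,
    "note": "Pt called from 617-555-0100; follow-up at jane@example.org.",
}

# Minimum necessary: the fields each role needs to do its job (assumed policy).
# A billing clerk never receives the diagnosis note, SSN or contact details.
ROLE_FIELDS = {
    "billing": {"name", "mrn", "service_date", "cpt", "charge"},
    "quality_review": {"diagnosis", "service_date", "cpt"},
}

# Fields holding identifiers from the article's list (names, dates, ZIP,
# phone, email, SSN, medical record number, IP address).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "dob", "zip", "phone", "email", "ssn", "mrn", "ip", "service_date",
}

# Identifiers that leak inside free text; patterns are illustrative only.
FREE_TEXT_PATTERNS = {
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def minimum_necessary(record, role):
    """Return only the fields the role is permitted to see; unknown roles get nothing."""
    allowed = ROLE_FIELDS.get(role, set())
    return {k: v for k, v in record.items() if k in allowed}


def deidentify(record):
    """Drop direct-identifier fields and redact identifier patterns in free text."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # remove the whole field rather than try to mask it
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                value = pattern.sub(f"[{label} removed]", value)
        out[key] = value
    return out
```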
Know the Golden Rule of PHI
For the coder, biller, auditor, or other healthcare business professional, a great way to think about PHI is, “Don’t share anything about a patient’s personal information that you wouldn’t feel comfortable sharing about yourself.” Medical records contain sensitive information that, if used impermissibly and in violation of the law, can lead to embarrassment, identity theft, federal and state penalties, and more.
The patient information you receive or reveal should be on a need-to-know basis, only. Don’t gossip about patients or their medical issues, and do your best not to talk about an individual’s personal or health information within earshot of those who don’t need that information. Never discuss patient information for purposes not related to your job functions. Keep patient records out of view from anyone whose job doesn’t require specific access. Be especially careful of social media use: Never post pictures of patients (or even parts of them) or discuss patients’ PHI online. Any information you reveal (intentionally or otherwise) that can be used to identify a specific patient represents a potential violation of HIPAA.