Health Information Compliance Alert

Reader Questions:

PHI Is More Than Just Health Data

Question: Is there more to protected health information (PHI) than just a patient’s medical record and is the information actually protected by HIPAA?

Illinois Subscriber

Answer: Yes, there is more to PHI than just what’s in a patient’s chart. “PHI by definition is protected health information,” notes Barbara Hays, CPC, CPCO, CPMA, CRC, CPC-I, CEMC, CFPC, medical review supervisor, special investigations, GEHA in Lee’s Summit, Missouri. “If a record is completely de-identified in a such a manner that it cannot possibly be connected to an individual, then no, that would not be protected. Technically, it is no longer PHI,” Hays further explains.

So, PHI is demographic information as well as information about a patient’s health, and when health information can be linked to a specific individual via one of 18 different identifiers, it is regarded as protected. Those identifiers include such things as a person’s name, Social Security number, physical and electronic mail addresses, telephone numbers, license plate numbers, and account numbers

Remember: “If there are unlisted identifiers, PHI still needs to be protected. So, for example, if the information identifies a man who just returned to a small town from being overseas in the Marines, though that itself is not PHI, townspeople would easily be able to identify this person and thus, the information needs to be protected,” notes Suzan Hauptman, MPM, CPC, CEMC, CEDC, director, compliance audit, Cancer Treatment Centers of America.

Resource: Find the full list of identifiers at www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf.