As health care professionals, we have the importance of maintaining HIPAA compliance drilled into our minds from day one, and it stays a constant, looming reminder throughout our careers. We learn to log off our computers when we walk away, keep charts out of reach of the public, and refrain from talking about patients outside of work-related responsibilities.
But if it came down to it, how many of us would be able to pick out what counts as protected health information (PHI) and what doesn’t in a lineup?
In order to best prevent a HIPAA breach, we have to clearly know what makes something PHI. Here’s how you can tell what the law considers to be PHI.
What Counts as PHI?
As a reminder, HIPAA is the federal law that standardized how individuals and organizations in the health care industry protect, share, and store sensitive patient health information.
Every health care provider, health plan, health care clearinghouse, and their business associates must follow HIPAA. If anyone employed by these covered entities or the entities themselves incorrectly stores or shares PHI, then that’s considered a breach of HIPAA.
PHI refers to any piece of health information that can identify an individual patient. The information can refer to any part of a patient’s health history, whether it’s something that happened in the past, a current diagnosis, or a future potential issue.
The key test for whether patient health information is PHI is whether someone could use that information to identify a specific patient. If the information contains nothing that identifies a patient, then it is no longer considered protected.
The 18 Identifiers
There are 18 identifiers that, when seen alongside patient health information, can be used to identify a specific patient. If you’re handling PHI that has any one or more of these identifiers, then you’ll know it’s protected by HIPAA, and improper use of it can lead to hefty penalties for both you and your facility.
The 18 identifiers are the following:
- Names, including initials
- Geographic information smaller than a state, such as a street address, city, county, precinct, or zip code
  - The first three digits of a zip code can be kept, but only if more than 20,000 people live in the geographic area formed by combining all the zip codes that share those same first three digits
  - If fewer than 20,000 people live in that combined area, the first three digits of the zip code are replaced with 000
- Any part of a date, except the year, that’s related to the individual, such as a birth date, admission or discharge date, or death date
  - If the patient is over the age of 89, then the exact age and the patient’s year of birth are also PHI
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers, like fingerprints, voiceprints, or voice recordings
- Photographic images
- Any other unique number, characteristic, or code that could be used to identify a specific patient
The HIPAA Privacy Rule protects and governs the use of a patient’s health information for 50 years after their death.
What Doesn’t Count as PHI?
So when would patient health information not be considered PHI? As mentioned above, it’s all about whether or not it can be used to identify a patient.
There are multiple ways to de-identify PHI. Whatever method a covered entity uses to do so has to be a method where no one can re-identify the PHI later. For example, if the 18 identifiers are stripped from patient information, and each patient’s information is assigned a code for identification, someone should not be able to figure out how that code was assigned.
Once the PHI has been stripped of anything that would identify a patient, HIPAA no longer governs how it’s used. Facilities, researchers, government agencies, and educators routinely use de-identified PHI in order to teach, research, and track community health issues.
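To make the identifier list and the de-identification step above concrete, here is an added Python example (not code from the original article) that applies those rules to a patient record: direct identifiers are dropped, zip codes are cut to three digits or 000 based on population, dates are reduced to the year, ages over 89 are bucketed, and free-text notes are scanned for embedded SSNs, phone numbers, and email addresses. The field names and the ZIP3 population table are assumptions constructed for the example; a real implementation would use census population data.

```python
import re
from datetime import date
# Constructed ZIP3 population table (assumption, not census data); 20,000 or fewer -> "000".
ZIP3_POPULATION = {"021": 600_000, "036": 12_000, "902": 1_200_000}

DIRECT_IDENTIFIER_FIELDS = {  # fields holding a direct identifier from the list; dropped outright
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo"}
DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}
# Identifiers that leak into free text: SSN, phone number, email address.
FREE_TEXT_PATTERNS = [re.compile(p) for p in (
    r"\b\d{3}-\d{2}-\d{4}\b", r"\b\d{3}[-.]\d{3}[-.]\d{4}\b",
    r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")]

def generalize_zip(zip_code):
    # Keep the first three digits only if their area has more than 20,000 people.
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"

def generalize_age(birth_iso, as_of_iso):
    # Exact age is fine up to 89; anything older collapses into one "90+" bucket.
    born, as_of = date.fromisoformat(birth_iso), date.fromisoformat(as_of_iso)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    return "90+" if age > 89 else age

def scrub_text(text):
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text

def deidentify(record, as_of_iso):
    # Return a copy of record with each identifier class removed or generalized.
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                      # direct identifier: drop entirely
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field in DATE_FIELDS:        # only the year of a date may remain
            out[field.replace("_date", "_year")] = int(value[:4])
        elif field == "birth_date":
            out["age"] = generalize_age(value, as_of_iso)
            if out["age"] != "90+":       # birth year is PHI for the over-89 group
                out["birth_year"] = int(value[:4])
        elif field == "notes":            # free text: scrub embedded identifiers
            out[field] = scrub_text(value)
        else:
            out[field] = value            # clinical content stays
    return out
```

Note that the free-text patterns only catch the formats they were written for; the catch-all "any other unique number, characteristic, or code" item still requires human review of notes.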
If you aren’t sure if a piece of information counts as PHI, then treat it like it’s PHI until you find out for sure. Accidental HIPAA breaches can easily happen because someone didn’t realize that what they were holding or saying included private health information.