This post originally appeared on The Schellman Advantage Blog.
The question of what is considered Protected Health Information (PHI) / Electronic Protected Health Information (ePHI) seems like it should be very simple to answer.
Unfortunately, it’s not always straightforward, and different situations can leave organizations struggling to fully understand if the information they have is or isn’t PHI/ePHI. But such knowledge is actually critical because recognizing what constitutes PHI/ePHI and where it resides is a crucial building block for creating a HIPAA compliance program.
The Basics of PHI
Let’s first start simply—with the definition of PHI taken directly from HIPAA. In 45 CFR 160.103, it states that “protected health information means individually identifiable health information.”
But then, what exactly is that referenced “individually identifiable health information?”
45 CFR 160.103 actually defines it as well—individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Portions of that extensive definition are highlighted on purpose, as they are key elements to understand. The first part describes that this information relates to the past, present, or future physical or mental health or condition of an individual. That defines the content of what is considered individually identifiable health information.
The second part relates to information that, when taken alone or in combination with other information, can identify an individual that the individually identifiable health information is about.
The key phrase is “reasonable basis to believe the information can be used to identify the individual.”
Depending on the context and the way information is being used, an e-mail address or mailing address may or may not be considered PHI.
For instance, if an organization is sending an e-mail or letter to all patients that have a certain medical condition, a person’s e-mail address or mailing address would be considered PHI, as it could be used in that context to reasonably identify a person in a way that is tied to a past, present, or future physical or mental health condition.
Alternatively, if a business associate receives data from a covered entity, such as e-mail addresses or mailing addresses, but does not also receive data tying that information to any past, present, or future physical or mental health condition of an individual, that data would not be considered PHI.
It would not be reasonable to believe that an e-mail address or mailing address, with no other connection to health information, could be used to identify an individual’s past, present, or future conditions.
Obviously, not every example is this straightforward, and in many cases, organizations should get their legal team involved to review the specific ways the organization is receiving and using information, thereby ensuring an understanding of what data would be considered PHI.
Now that PHI has been defined, ePHI is next, and this definition is definitely more straightforward.
45 CFR 160.103 defines ePHI as “information that comes within paragraphs (1)(i) or (1)(ii) of the definition of protected health information as specified in this section.” Within those indicated two paragraphs, it specifies information 1(i) “transmitted by electronic media” and 1(ii) “maintained in electronic media.”
In short, ePHI is PHI that is transmitted electronically or stored electronically.
Moreover, the privacy rule, 45 CFR 164.514 is worth mentioning. The full requirements are quite lengthy, but the main area that comes up is the list of the 18 identifiers noted in 45 CFR 164.514(b)(2) for data de-identification—a list that can be confusing regarding what is considered PHI.
Some review this list and interpret that those 18 identifiers are always considered PHI.
But, as was noted above, this is not the case, and again, the context around how the 18 identifiers are used should be the focus, including if there is a “reasonable basis to believe the information can be used to identify the individual.”
This list of 18, at face value, merely states is that these identifiers could be used to identify someone, and if fully removed, items (i) and (ii) in the definition of individually identifiable health information would not be met, and therefore, the information would be considered de-identified.
In fact, there are actually two methods to achieve de-identification in accordance with the HIPAA privacy rule.
One being the “Expert Determination” method, which is defined in 164.514(b)(1), and the other is the “Safe Harbor” method defined in 164.514(b)(2). For more information on de-identification, the OCR has put out guidance on this topic which can be found here.
When considering if data is PHI or ePHI, the important questions to ask regard what context surrounds the information being used, how the information is stored, and whether or not multiple identifiers could be put together to tie to a health record of an individual.
When considering if data is PHI or ePHI, the important questions to ask regarding what context surrounds the information being used, how the information is stored, and whether or not multiple identifiers could be put together to tie to a health record of an individual.
Identifying PHI and ePHI is essentially a game of connecting the dots, trying to link identifiers to an individual’s past, present, or future physical or mental health or condition. Having those answers and a clear understanding of what is considered PHI/ePHI is very important, as it’s the first step in recognizing the HIPAA scope of an organization.
Without accurate knowledge of what data is considered PHI or ePHI, organizations face a high likelihood of not properly covering all relevant data and systems as part of their risk analysis and risk management program.
That program is the building block of HIPAA compliance, therefore it’s important to take the time to understand what is PHI/ePHI based on the context of how information is used and stored in their organization.
About the author: Doug Kanney is a Principal at Schellman & Company, Inc. Doug leads the HITRUST and HIPAA service lines and assists with methodology and service delivery across for the SOC, PCI-DSS, and ISO service lines.