Protected Health Information

As many of Invo’s clients are in the healthcare space, it is important to be aware of restrictions related to handling Protected Health Information (PHI).

What is PHI?

US law has restrictions about how Protected Health Information in general, and more specifically how Individually identifiable health information, can be transmitted.

Health Information

First we must consider the definition of Health Information.

“Health information means any information, whether oral or recorded in any form or medium, that–

(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

(B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”

From the Health Insurance Portability and Accountability Act of 1996: Administrative Simplification, accessed via the HIPAA website (emphasis added by Invo)

Note that this is a very broad definition of what consitutes health information. Just about anything which can be related to health is considered Health Information.

Individually identifiable health information

HIPAA Also defined Individually identifiable health information. In particular, HIPAA states that this is health information which also meets the following criteria.

(i) That identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

From the Health Insurance Portability and Accountability Act of 1996: Administrative Simplification, accessed via the HIPAA website (emphasis added by Invo)

The key point here is that the information does not have to specifically name the person to be individually identifiable. For instance, a piece of health data with an address (but no name) is still considered to be individually identifiable and therefore Protected Health Information.

Working with PHI

PHI may not be transmitted unsecured over the internet or stored on unsecured devices. Involution has the following specific policies that you must follow when working with PHI:

Personal Health Information CANNOT be uploaded, sent or transmitted to any person or service. So the following cloud based services CANNOT be used with personal health information…

Generally, a client which works with PHI will have specific policies and training on these policies. This might include tools which can be used to transmit PHI (such as secure e-mail)

Review this developers guide to HIPAA compliance and application development for more information.

Checklist for Starting a Project involving PHI

De-identifying PHI

It is possible to de-identify PHI so that it may be transmitted and stored. HIPAA provides guidelines about what must be changed for PHI to be considered de-identified.

(A) Names;

(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Censue:

(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date,, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

(D) Telephone numbers;

(E) Fax numbers;

(F) Electronic mail addresses;

(G) Social security numbers;

(H) Medical record numbers;

(I) Health plan beneficiary numbers;

(J) Account numbers;

(K) Certificate/license numbers;

(L) Vehicle identifiers and serial numbers, including license plate numbers;

(M) Device identifiers and serial numbers;

(N) Web Universal Resource Locators (URLs);

(O) Internet Protocol (IP) address numbers;

(P) Biometric identifiers, including finger and voice prints;

(Q) Full face photographic images and any comparable images; and

(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section; and

From the Health Insurance Portability and Accountability Act of 1996: Administrative Simplification, accessed via the HIPAA website (emphasis added by Invo)

Note that the above fields apply to the individual described in the data as well as relatives, employers and household members.

From the above list, it should be clear that it is not sufficient to just remove the name from PHI to make it de-identified.

HIPAA also specifies restrictions around any re-identification code (i.e. an ID that can be later used to re-apply the personal information associated with the PHI).

More Resources