Understand the facts on what is and what isn’t PHI.

These days, compliance is tied closely to a practice’s livelihood, and that’s why it’s critical that you know the HIPAA basics to sidestep a violation. A thorough knowledge of what exactly constitutes patients’ protected health information (PHI) is essential to understanding how to protect it and your practice.

Definition: PHI is best defined as “all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral,” reminds the HHS Office for Civil Rights (OCR) in its Privacy Rule guidance.

For instance, to avoid a HIPAA Privacy Rule violation — especially concerning what should not be disclosed on social media sites — it’s a good idea to know what “individually identifiable health information” refers to.

Here are 18 things that the HIPAA Privacy Rule identifies as PHI:

Reminder: If one of these 18 identifiers is included in a chat, an email, a social media post, a text, or any other kind of communication, you are revealing “identifiable” information. However, remember, OCR does not restrict the use and disclosure of “de-identified” health information.

Why: According to OCR guidance, “de-identified health information neither identifies nor provides a reasonable basis to identify an individual,” and it has often passed two criteria. Firstly, it’s been verified by a “qualified statistician”; and secondly, all “specified identifiers” have been removed, including employer and family information, and a covered entity (CE) deems the material stripped of identifiable PHI, indicates OCR.

Review the Privacy Rule summary and more in-depth details on the identifiers and de-identification at www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html.