MDS Alert

Clip and Save:

Develop Your Knowledge Surrounding PHI

Though not all of these elements are applicable to nursing facility residents, you may be surprised by which information is protected.

These days, compliance is tied closely to the livelihood of any medical or healthcare business. Nursing facilities are no exception: It’s critical that you and your team members know the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and Privacy Rule basics. Otherwise, you may face a HIPAA violation. Clip and save the following so you have a working knowledge of what constitutes a resident’s protected health information (PHI) and know how to protect that information and your facility.

Definition: PHI is best defined as “all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral,” reminds the HHS Office for Civil Rights (OCR) in its Privacy Rule guidance.

For instance, to avoid a HIPAA Privacy Rule violation — especially concerning what should not be disclosed on social media sites — it’s a good idea to know what “individually identifiable health information” refers to.

Here are 18 things that the HIPAA Privacy Rule identifies as PHI:

  1. Name
  2. Address
  3. Birthdate and other corresponding dates of admission, discharge, death, etc.
  4. Landline and cellphone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security Number
  8. Medical record number
  9. Health plan beneficiary number (i.e. Medicare Beneficiary Identifier)
  10. Account number
  11. State identification or license number
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. URLs
  15. IP addresses
  16. Biometric identifiers like finger or voice prints
  17. Photo or image of resident, specifically the face
  18. Any other unique code, characteristic, image, or number that identifies the individual

Reminder: If one of these 18 identifiers is included in a chat, an email, a social media post, a text, or any other kind of communication, you are revealing “identifiable” information. However, remember, OCR does not restrict the use and disclosure of “de-identified” health information.

Why: According to OCR guidance, “de-identified health information neither identifies nor provides a reasonable basis to identify an individual,” and it has often met two criteria. First, it has been verified by a “qualified statistician”; second, all “specified identifiers” have been removed, including family information, and a covered entity (CE) deems the material stripped of identifiable PHI, indicates OCR.

Review the Privacy Rule summary and more in-depth details on the identifiers and de-identification at www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html.
