Question: I want to be able to explain protected health information (PHI) to onboarding colleagues. While most people in the compliance space are familiar with PHI by this point, the types of information that constitute PHI are sometimes hard to remember. What’s a quick list I could include for new employees?

North Dakota Subscriber

Answer: In HIPAA Privacy Rule guidance, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) defines PHI as “all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.”

It can be easy to violate the HIPAA Privacy Rule — anything from postcard mishaps to texts or phone calls made to the wrong person to social media catastrophes may be a violation. That’s why it’s so important that healthcare personnel understand exactly what constitutes individually identifiable health information.

Here’s a list of 18 identifiers that the HIPAA Privacy Rule considers PHI:

Remember, OCR does not restrict the use and disclosure of “de-identified” health information, which it defines as health information that neither identifies nor provides a reasonable basis to identify an individual. There are more specifics you can find on the Privacy Rule, PHI, and de-identified health information on the OCR website.

Rachel Dorrell, MA, MS, CPC-A, CPPM, Development Editor, AAPC