Medicare Compliance & Reimbursement

Compliance:

Know What Counts as PHI

Question: I want to be able to explain protected health information (PHI) to onboarding colleagues. While most people in the compliance space are familiar with PHI by this point, the types of information that constitute PHI are sometimes hard to remember. What’s a quick list I could include for new employees?

North Dakota Subscriber

Answer: In HIPAA Privacy Rule guidance, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) defines PHI as “all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.”

It can be easy to violate the HIPAA Privacy Rule — anything from postcard mishaps to texts or phone calls made to the wrong person to social media catastrophes may be a violation. That’s why it’s so important that healthcare personnel understand exactly what constitutes individually identifiable health information.

Here’s a list of 18 identifiers that the HIPAA Privacy Rule considers PHI:

  1. Name
  2. Address
  3. Birthdate and other corresponding dates of admission, discharge, death, etc.
  4. Landline and cellphone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security number
  8. Medical record number
  9. Health plan beneficiary number (i.e. Medicare Beneficiary Identifier)
  10. Account number
  11. State identification or license number
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. URLs
  15. IP addresses
  16. Biometric identifiers like finger or voice prints
  17. Photo or image of patient, specifically the face
  18. Any other unique code, characteristic, image, or number that identifies the individual

Remember, OCR does not restrict the use and disclosure of “de-identified” health information, which it defines as health information that neither identifies nor provides a reasonable basis to identify an individual. You can find more specifics on the Privacy Rule, PHI, and de-identified health information on the OCR website.

Rachel Dorrell, MA, MS, CPC-A, CPPM, Development Editor, AAPC