Question: We are having a debate in our practice over what actually constitutes protected health information (PHI) — and what de-identification means. One person even suggested that a URL for a website is considered PHI under HIPAA. Is that true?

Missouri Subscriber

Answer: Remember that PHI is best defined as “all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral,” reminds the HHS Office for Civil Rights (OCR) in its HIPAA Privacy Rule guidance.

Next, let’s address the de-identification of PHI. When data can no longer be used to identify an individual, it’s considered de-identified, OCR maintains. “De-identified health information neither identifies nor provides a reasonable basis to identify an individual,” and it has often passed two major HIPAA hurdles, OCR says.

In fact, Section 164.514(b) of the HIPAA Privacy Rule offers two de-identification methods: expert determination and safe harbor.

Under the expert determination method, a “qualified statistician” verifies the data using statistical or scientific knowledge, ensuring all “specified identifiers” have been removed, including employer and family information. The covered entity (CE) then determines the material stripped of identifiable PHI.

There are 18 items that the HIPAA Privacy Rule pinpoints as PHI identifiers, and the safe harbor method simply removes that data so that “no actual residual information can identify the individual,” the provision states.
Here’s the list of 18 PHI identifiers to look for:

So yes, your co-worker is correct — a URL for a webpage is considered PHI.

Reminder: If one of these 18 identifiers is included in a chat, email, social media post, text or direct message, or any other kind of communication, you are revealing “identifiable” information.

Resource: Review more details on this HIPAA provision and ideas on how best to safeguard PHI without losing data necessary for treatment at www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html.