Medicare Compliance & Reimbursement

Reader Questions:

Recognize the 2 Standards for De-Identifying PHI

Published on Wed Oct 04, 2023

Question: We are having a debate in our practice over what actually constitutes protected health information (PHI) — and what de-identification means. One person even suggested that a URL for a website is considered PHI under HIPAA. Is that true?

Missouri Subscriber

Answer: Remember, that PHI is best defined as “all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral,” reminds the HHS Office for Civil Rights (OCR) in its HIPAA Privacy Rule guidance.

Next, let’s address the de-identification of PHI. When data can no longer be used to identify an individual, it’s considered de-identified, OCR maintains. “De-identified health information neither identifies nor provides a reasonable basis to identify an individual,” and it’s often passed two major HIPAA hurdles, OCR says. In fact, Section 164.514 (b) of the HIPAA Privacy Rule offers two de-identification methods: expert determination and safe harbor.

Under the expert determination method, a “qualified statistician” verifies the data using statistical or scientific knowledge, ensuring all “specified identifiers” have been removed, including employer and family information. The covered entity (CE) then determines the material stripped of identifiable PHI.

There are 18 items that the HIPAA Privacy Rule pinpoints as PHI identifiers, and the safe harbor method simply removes that data so that “no actual residual information can identify the individual,” the provision states.

Here’s the list of 18 PHI identifiers to look for:

Name
Address
Birthdate and other corresponding dates of admission, discharge, death, etc.
Landline and cellphone numbers
Fax numbers
Email addresses
Social Security Number
Medical record number
Health plan beneficiary number (i.e. Medicare Beneficiary Identifier)
Account number
State identification or license number
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
URLs
IP addresses
Biometric identifiers like finger or voice prints
Photo or image of patient, specifically the face
Any other unique code, characteristic, image, or number that identifies the individual

So yes, your co-worker is correct — a URL for a webpage is considered PHI.

Reminder: If one of these 18 identifiers is included in a chat, email, social media post, text or direct message, or any other kind of communication, you are revealing “identifiable” information.

Resource: Review more details on this HIPAA provision and ideas on how best to safeguard PHI without losing data necessary for treatment at www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html.

Medicare Compliance & Reimbursement

Quality Payment Program:
Figure Out PY 2023 MVP Registration and Reporting Pronto
Tip: Keep tabs on your MVP status through the registration end date. The clock is [...]

MIPS Value Pathways 2023:
Review These Handy Charts for MVP Insight
Understand the basics on choosing the right MVP for your practice. Though your final approval [...]

Part B Coding Coach:
Improve Stroke Coding Accuracy With These Tips
Focus on choosing the correct ICD-10-CM code for each patient. Providers utilize myriad diagnosis and [...]

Reader Questions:
Reach Out to MACs for Claims-Based NCCI Quandaries
Question: Which agency is most appropriate to contact if I have questions about an appeal [...]

Reader Questions:
Recognize the 2 Standards for De-Identifying PHI
Question: We are having a debate in our practice over what actually constitutes protected health [...]

Industry Notes:
OIG Doubles Down on Dx Miscoding Mishaps in Part C
Expect greater scrutiny as feds look at chart review results. Evidenced by numerous reports, Work [...]

View All