Oncology & Hematology Coding Alert

Reader Questions:

PHI Extends Beyond Patient’s Medical Record

Question: Is there more to protected health information (PHI) than just a patient’s medical record? Is this information actually protected by HIPAA?

Maine Subscriber

Answer: Yes, there is more to PHI than just what’s in a patient’s chart. PHI by definition is protected health information. If a record is completely de-identified in such a manner that it cannot possibly be connected to an individual, then no, that would not be protected. Technically, it is no longer PHI.

So, PHI is demographic information as well as information about a patient’s health, and when health information can be linked to a specific individual via one of 18 different identifiers, it is regarded as protected. Those identifiers include such things as a person’s name, Social Security number, physical and electronic mail addresses, telephone numbers, license plate numbers, and account numbers.

Remember: If there are unlisted identifiers, PHI still needs to be protected. So, for example, if the information identifies a man who just returned to a small town from being overseas in the Marines, though that itself is not PHI, townspeople would easily be able to identify this person, and thus the information needs to be protected.

Resource: Find the full list of identifiers at www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf.