Hint: De-identifying records may allow you to scrub PHI from them.

From patient names to medical record numbers, you may be quite familiar with how to protect these types of protected health information (PHI). However, there are over a dozen types of PHI, and the rules surrounding how to keep them all safe can be confusing. Your ability to protect patients’ PHI is integral to avoiding a HIPAA breach, so it’s important to familiarize yourself with three key truths about PHI and three myths.

Truth 1: PHI Goes Far Beyond the Medical Record

There’s more to PHI than just what’s in a patient’s chart. Any personal information that can identify the patient and is associated with the medical record is also protected — even URLs and license plate numbers. In fact, federal guidance lists the following 18 categories of “personal identifiers” that you must protect:

1. Name
2. Address
3. Birthdate and other corresponding dates of admission, discharge, death, etc.
4. Landline and cellphone numbers
5. Fax numbers
6. Email addresses
7. Social Security Number
8. Medical record number
9. Health plan beneficiary number (e.g., Medicare Beneficiary Identifier)
10. Account number
11. State identification or license number
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. URLs
15. IP addresses
16. Biometric identifiers like finger or voice prints
17. Photo or image of the patient, specifically the face
18. Any other unique code, characteristic, image, or number that identifies the individual

Essentially, anything that can identify the patient to other people is considered PHI. For instance, if a patient’s name is John Smith but everyone in town calls him Smitty, then the name “Smitty” would count as part of the patient’s PHI.

Truth 2: De-Identifying Medical Records Removes PHI

Even though almost everything related to a patient’s identity is considered PHI, there are ways to remove that data from a record so it no longer qualifies as protected health information. In fact, if a record is completely de-identified in such a manner that it cannot possibly be connected to an individual, then it is no longer protected under HIPAA. Technically, at that point, it is no longer PHI. If you aren’t sure whether a patient’s PHI has been scrubbed thoroughly enough to remove it from the record, consult a healthcare attorney to confirm that you’ve taken care of it.

Truth 3: Healthcare Providers Can Share PHI for Treatment Purposes

Your ophthalmologist can share protected health information about a patient with another provider in relation to that patient’s care. In addition, you do not need to have a business associate agreement (BAA) in place before you share PHI for the purpose of treating a patient. Under the HIPAA Privacy Rule, clinical care information can be readily exchanged between providers. This means your ophthalmologist can talk to another provider about a patient’s lab results or co-morbidities for the purposes of a patient’s care without worrying that they have breached HIPAA. Remember, however, that when your ophthalmologist shares that PHI with the patient’s other providers, they must do so in a HIPAA-compliant way, such as through encrypted email.

Myth 1: Your Practice Owns the PHI, So Patients Can’t See It

Many healthcare providers believe the patient’s PHI belongs solely to the practice, and that even the patient isn’t allowed to see it, but that’s a myth. You must allow individuals to request access to their personal records — this is a requirement under the HIPAA law. In addition, patients aren’t required to fill out an Authorization for Release of Records when requesting their own healthcare information. If you deny or withhold a patient’s records, you could face steep fines and penalties under the HIPAA Right of Access provision.

Caveat: There are a few exceptions to patient access rights under HIPAA. These include exceptions for psychotherapy notes, as well as health information compiled for civil, criminal, or administrative proceedings.

Myth 2: HIPAA Prohibits PHI Disclosures, Even When Danger Is on the Line

In situations when the health or safety of others is in danger, your practice is permitted to disclose PHI to people reasonably able to prevent or lessen the threat, including law enforcement authorities. According to the HHS Office for Civil Rights (OCR), HIPAA allows disclosures of health information to help with public health and safety issues to:

Myth 3: State Laws Don’t Trump PHI Disclosure Rules

Although some practices believe they can’t disclose PHI even in instances when state law requires them to do so, that’s a myth. In fact, the HIPAA Privacy Rule contains an exception specifically covering disclosures required by state law. Common state law disclosure obligations include reporting cases of child abuse, reporting cases of vulnerable adult abuse, and reporting to law enforcement if an individual has certain types of wounds, such as a bullet wound. HIPAA’s “required by state law” disclosure exception makes reviewing and understanding your state’s mandatory reporting laws absolutely essential. Focusing only on the federal HIPAA regulations to inform your disclosure obligations is a mistake your practice should avoid making.

Torrey Kim, Contributing Writer, Raleigh, N.C.
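The following is an added example, not code from the article, showing what scrubbing the 18 identifier categories from a record looks like in practice, including the "Smitty" case: a nickname that appears inside a free-text note is just as identifying as the name field. The field names, the sample record and the regular expressions are constructed assumptions for this example; a real EHR export uses its own schema. Person-specific dates are reduced to the year here (a design choice consistent with the Safe Harbor approach), and a separate residual check reports anything that still looks like an identifier before a record is treated as de-identified.

```python
"""Safe Harbor style de-identification of a patient record (added example)."""
import re

# Field names assumed for this example, mapped to the article's categories
# (name, address, phone/fax, email, SSN, MRN, beneficiary/account/license
# numbers, vehicle/device identifiers, URL, IP, biometrics, photo).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "nickname", "address", "phone", "cell", "fax", "email", "ssn",
    "mrn", "mbi", "account_number", "license_number", "license_plate",
    "device_serial", "url", "ip", "fingerprint_id", "photo",
}
# Dates tied to the individual: birth, admission, discharge, death.
DATE_FIELDS = {"birthdate", "admitted", "discharged", "date_of_death"}

# Identifiers that commonly leak into free-text notes. Constructed patterns;
# tune them to the formats your own data actually uses.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"https?://\S+"), "[URL]"),
]

# Constructed sample record; every value here is made up for the example.
SAMPLE_RECORD = {
    "name": "John Smith",
    "nickname": "Smitty",
    "mrn": "MRN-0042",
    "birthdate": "1958-03-14",
    "admitted": "2023-11-02",
    "email": "jsmith@example.com",
    "license_plate": "ABC-1234",
    "diagnosis": "primary open-angle glaucoma",
    "iop_mmhg": 24,
    "note": "Pt Smitty called from 919-555-0142, reach at jsmith@example.com; follow up re: IOP.",
}


def scrub_text(text: str) -> str:
    """Replace pattern-matchable identifiers in free text with labels."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict) -> dict:
    """Return a copy with identifier fields dropped, person-specific dates
    reduced to the year, and free-text fields scrubbed."""
    # Names known from the record itself (including nicknames such as
    # "Smitty") are redacted wherever they appear in free text.
    aliases = [str(record[k]) for k in ("name", "nickname") if k in record]
    alias_re = None
    if aliases:
        alias_re = re.compile("|".join(re.escape(a) for a in aliases), re.IGNORECASE)

    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # drop the field entirely
        if key in DATE_FIELDS:
            out[key] = str(value)[:4]  # keep the year only (assumes ISO dates)
        elif isinstance(value, str):
            text = scrub_text(value)
            if alias_re is not None:
                text = alias_re.sub("[NAME]", text)
            out[key] = text
        else:
            out[key] = value  # numeric clinical values pass through unchanged
    return out


def residual_identifiers(record: dict) -> list:
    """The check to run before calling a record de-identified: list every
    direct identifier field still present and every free-text pattern hit."""
    found = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            found.append(f"{key}: direct identifier field present")
            continue
        if isinstance(value, str):
            for pattern, label in FREE_TEXT_PATTERNS:
                if pattern.search(value):
                    found.append(f"{key}: {label}")
    return found


if __name__ == "__main__":
    print("before:", residual_identifiers(SAMPLE_RECORD))
    cleaned = deidentify(SAMPLE_RECORD)
    print("after: ", residual_identifiers(cleaned))
    print(cleaned)
```

The residual check is deliberately separate from the scrubber: the pattern list will never cover category 18 ("any other unique code ... that identifies the individual"), so a clean report from this script is evidence, not proof, and the article's advice to confirm with a healthcare attorney still applies before a record is treated as outside HIPAA.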