The Privacy Rule within the Health Insurance Portability and Accountability Act (HIPAA) sets out how health care practitioners and practices use, store, and release protected health information (PHI). However, classifying information as PHI does not necessarily mean it can never be released, nor does it imply that every item within a patient’s chart is protected health information when separated from the rest. Still, not understanding the differences between the “what if” scenarios could lead to a penalty for the inappropriate disclosure or use of PHI. To ensure your practice stays in compliance with the Privacy Rule, you need to know a few things about PHI.
Defining Protected Health Information
Protected health information is defined as any individually identifiable health information that may be transmitted or maintained in any possible form, including electronic patient forms and consent forms for patients, according to the US Department of Health and Human Services: National Institutes of Health. The key to understanding PHI rests in the “individually identifiable” phrasing. If the information carries no weight alone and cannot reasonably be used to identify a person or relate a person to the remaining information, the information is not considered PHI. As a result, some practices may be unsure whether releasing one characteristic of the information, such as age, would be considered a violation of the Privacy Rule.
PHI Versus Publicly Available Information
A typical phonebook, unlike an electronic patient form, contains the names, addresses, and telephone numbers of people. Although this information is considered publicly available, and anyone could obtain it, a practice may not release it, because the release would indicate a person’s association with the practice, up to and including treatment for practice-specific specialties (e.g. Dr. Smith's Orthopedic Center).
Use of PHI For Public or Government Reporting Purposes
Certain medical conditions may require the reporting of PHI to a responsible entity, such as the Centers for Disease Control in the event of an STI or STD diagnosis. In other cases, the reporting of information is needed to track trends and identify how medical funding is dispersed. These releases do not constitute a violation of the Privacy Rule because of the de-identification of PHI through expert determination or removal of all personally identifying information from the record, such as individual consent forms for patients. For example, a practice may report that 16 patients above age 90 were seen in September of 2015 after a fall and released from care without any inpatient hospitalization. However, the practice cannot release the names and other identifiable information about the patients.
Understanding PHI can be confusing, especially when considering the scenarios where the release of the information does not equate to a violation of the Privacy Rule. For more ways to help your practice stay aligned with the expectations and requirements of the Privacy Rule and its applications to an electronic health record, contact Practice Sense today. We look forward to helping you track, monitor, and maintain your patients’ electronic information according to HIPAA standards.