What is PHI?
Several years ago the tobacco giant Phillip Morris sponsored a ballot initiative called “Californians for Statewide Smoking Restriction”. Odd that a tobacco company would be interested in restricting smoking, wouldn’t you agree? In reality, the proposed law would do nothing to restrict smoking, but rather would actually weaken smoking ordinances. This type of Orwellian doublespeak is common with special interest groups and in politics in general. Anyone who has ever read a California ballot with its myriad of propositions can attest to the incredibly confusing and, dare I say, deceptive, initiative labels and descriptions. They challenge the best legal minds to divine their true meaning and impact. In many ways, Protected Health Information falls into the same confusing category.
We’re often asked by our clients to define exactly what PHI is. The technical definition is defined in the HIPAA Privacy Rule, 45 C.F.R. § 160.103, and is summarized by Health and Human Services (HHS) as follows:
“Individually identifiable health information” is information, including demographic data, that relates to:
the individual’s past, present or future physical or mental health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.13 Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
When asked “what is PHI”, the common answer is its individually identifiable information that includes health information. However, the Orwellian twist is that protected health information doesn’t have to include health information at all. The confusion is not surprising, aside from the name itself, the majority of reported breaches include health information as part of the breach. But the statute in question specifically states that demographic data is part of what’s considered individually identifiable information. The fact that demographic information doesn’t include health specific details does not mean the information does not fall under the designation of PHI.
We encourage our clients to consider the contact information of their patients to be as sacred as their health information, and only those with a need to know should have access to it. Covered entities and business associates must also recognize the financial information of a patient, while not health related, is not only protected by HIPAA laws but also falls under the jurisdiction of the Federal Trade Commission (FTC). In fact, the FTC recently made their presence known in a case against a healthcare laboratory (see There’s Another Sheriff in Town). Last but not least, the credit card industry itself has its own policies and enforcement with the Payment Card Industry Data Security Standard (PCI DSS).
Rather than getting consumed by the details, we recommend following a basic principle – if it’s patient information, and it’s in your possession, protect it – period. If you have a breach or suspect a breach occurred, get guidance from your HIPAA vendor or your HIPAA experienced attorney. If you don’t have either of those and you’re among the brave that are going it alone, then you need to educate yourself and stay vigilant.