Chapter 8: The What: Protected Health Information.
[A continuation of my 20th anniversary of blogging/20th anniversary of HIPAA enforceability global recap]
Now that we’ve discussed the who, let’s turn to the “what.” Just as only certain people are subject to HIPAA, those people are restricted only with regard to certain types of information. HIPAA calls that information “protected health information,” which we usually shorthand to PHI.
Obviously, health industry participants have access to all kinds of data, but not all of it is sensitive. As with most privacy rules (the US sectoral laws, the GDPR, the Common Rule for human-subjects research, etc.), it is only data about specific individuals that warrants protection, so it is only PHI that the HIPAA rules cover.
The definition of PHI is still broad, though, and generally consists of two major components: the information relates to a single person’s health, and the identity of that person is discernible. The “health information” component is exceedingly broad: it can relate to health history, conditions, treatment, or payment for care; it can relate to the past, the present, or the future; and it can relate to physical or mental health. If you can imagine any way that it involves health, it meets the first prong of the definition.
The second prong is identifiability. Certainly, a name, Social Security number, driver’s license number, credit card number, or some other specific identifier counts. But the prong is also met if there is a reasonable basis to believe that someone with sufficient knowledge could determine the identity of the person who is the subject of the information. This is not a clearly circumscribed definition; the edges are fuzzy, since it is hard to tell what information would be sufficient to allow someone else to identify the individual. Thus, as with the question of whether information relates to health, it is wise to err on the side of treating the information as identifiable.
There are some sets of identifiable health information that are specifically excluded from the definition of PHI, largely for practical reasons. Information in education records covered by FERPA (school immunization records, for example), records a covered entity holds in its role as an employer (pre-employment physicals, on-the-job accident reports, Family and Medical Leave Act documents, drug test results, return-to-work doctor letters, etc.), and records of an individual who has been dead for more than 50 years (an exception designed to help researchers) are all specifically excluded from the definition. Of course, as you can surmise, your records remain PHI for 50 years after your death.
The definition of PHI is not limited to current medical records, or to “official” medical records. While in certain instances (e.g., where an individual has a right to access or amend the information) HIPAA only addresses information in a “designated record set,” the general rules restricting uses and disclosures apply to any PHI that a covered entity has. This can lead to some unexpected results. Here is an entirely apocryphal story I tell my students when we discuss HIPAA:
A Dallas doctor with a thriving medical practice invites his friend, a Kansas City lawyer, to a Cowboys game. The visiting team is the Chiefs, and the lawyer is a huge Patrick Mahomes fan. The night before the game, the doctor is watching the local news and hears that Mahomes cut his throwing hand badly while preparing guacamole and will not be able to play. Sunday afternoon, with the two of them in their seats at JerryWorld, the Chiefs’ offense takes the field with, much to the chagrin of the lawyer, the backup quarterback. The lawyer turns to the doctor and says, “What! Where’s Mahomes?” The doctor replies, “I saw on the news last night that he got sideways with an avocado, severely cut his hand, and is unable to play.” In that instant, the HIPAA Police descend from the rafters of AT&T Stadium, arrest the doctor, and haul him off to HIPAA jail.
Apocryphal, as I said. However, that is technically a HIPAA violation: the doctor is a covered entity (assuming that a thriving medical practice submits claims to insurers electronically), and the information is PHI (it is about health and it identifies Mahomes). Mahomes is not the doctor’s patient, but that doesn’t matter. The information was already public knowledge, having been disclosed by the NFL and the local sports anchor, but that doesn’t matter. The information was not part of a medical record maintained by the doctor, but that doesn’t matter. It is still PHI, and that is all that matters.
There are also certain categories of PHI that, while still PHI, are subject to particular rules. Psychotherapy notes are PHI but are not subject to the patient’s right of access (discussed below), and have stricter limits on disclosure. Keep in mind that “psychotherapy notes” have a peculiar definition: the mere fact that information relates to a patient’s psychiatric or psychological state does not make it a psychotherapy note. Rather, psychotherapy notes are notes recorded by a mental health professional documenting or analyzing the contents of a counseling session, are kept separate from the rest of the medical record, and do not include items such as medication prescriptions and monitoring, session start and stop times, treatment modalities and frequencies, clinical test results, or summaries of diagnosis, symptoms, prognosis, and progress. Generally, psychotherapy notes are the therapist’s own working notes about the patient; in other words, notes intended only for the therapist’s review and never intended to be disclosed to the patient. So, before you decide that you can block a patient from accessing his or her PHI because it is psychotherapeutic, check the definition of “psychotherapy notes.”
Likewise, PHI used in research, specifically research subject to the Common Rule or to an Institutional Review Board’s oversight, is subject to specific rules that allow for broader use and disclosure (for example, with an IRB or privacy board waiver of the patient’s authorization). The rationale is that the IRB provides the protection, while greater use is necessary for legitimate research purposes.
This will be discussed more below, but encrypted PHI is still PHI. It is subject to the same rules even though it is encrypted; the benefits of encryption really relate to breach notification (properly encrypted PHI is not “unsecured PHI”) and to other Security Rule requirements. Also discussed below, “electronic PHI” (ePHI) is the subset of PHI that the Security Rule covers, which is why the distinction matters for Security Rule compliance.
If a fragment of information came from PHI, it continues to be PHI if it still meets the two prongs. In other words, something as simple as a name and address, correlated with the name of a healthcare provider, is PHI. A HIPAA covered entity cannot use the mailing addresses of its patients for a non-permitted purpose (for example, to send out advertisements for entirely unrelated businesses), even if it uses no information other than what is publicly available in the phone book or voter rolls; the fact that it came from PHI means it remains PHI, unless it is specifically “de-identified” (thus losing the second prong of the definition of PHI).
HIPAA allows covered entities to “de-identify” PHI by stripping away identifiability. Keep in mind that health information must be “identifiable” to be PHI, and the definition of “identifiable” is somewhat malleable; likewise, it might be hard to tell whether PHI has truly been de-identified. For that reason, HIPAA provides two recognized methods of de-identification. The first, “expert determination,” allows a covered entity to employ a de-identification expert to determine and document that “the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information.” Hiring experts can be costly, so the second method, the “safe harbor,” allows the covered entity to simply remove 18 specific identifiers: names; geographic subdivisions smaller than a state, except the first three digits of a ZIP code (and even those must be replaced with 000 where the three-digit area has 20,000 or fewer people); all elements of dates other than the year, plus ages over 89; identifying numbers such as Social Security, medical record, account, and device numbers; and so on. Provided the covered entity has no actual knowledge that the remaining information could identify the individual, the result is, by definition, not PHI.
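As an added illustration (not part of the original post, and not any HHS or vendor tool), the following Python applies the safe harbor’s mechanical steps to one constructed patient record: the direct identifiers are dropped, the ZIP code is cut to three digits (or to 000 for the small-population areas), dates are cut to years, and an age over 89 is aggregated to “90 or older,” with the birth year suppressed so it cannot reveal such an age. The field names, the sample record, and the reference date are assumptions of the example; the restricted ZIP-prefix list is the one in the HHS de-identification guidance (2000 Census) and should be re-verified before any real use.

```python
"""Safe Harbor de-identification of one flat patient record (illustrative).
Implements the mechanical part of 45 CFR 164.514(b)(2); the field names
and record layout are this example's own assumptions, not a standard."""
import re
from datetime import date

# Direct identifiers among the 18 Safe Harbor categories, removed outright.
# Keys are the assumed field names for this example's record.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric_id", "photo",
}

# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Three-digit ZIP areas with 20,000 or fewer residents, per the HHS
# guidance (2000 Census data). Safe Harbor requires these to become "000".
# Treat as an input to re-verify, not as a permanent constant.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Fixed reference date so the example is reproducible offline (assumption).
AS_OF = date(2024, 6, 1)


def deidentify_zip(zip_code: str, restricted=frozenset(RESTRICTED_ZIP3)) -> str:
    """Return the first three ZIP digits, or '000' for a restricted area."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return "000"
    zip3 = digits[:3]
    return "000" if zip3 in restricted else zip3


def deidentify_date(value: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD, or a bare YYYY) to its year."""
    m = re.fullmatch(r"(\d{4})(?:-\d{2}-\d{2})?", value)
    if not m:
        raise ValueError(f"unparseable date: {value!r}")
    return m.group(1)


def age_on(dob_iso: str, as_of: date) -> int:
    """Whole years between an ISO birth date and the reference date."""
    born = date.fromisoformat(dob_iso)
    return as_of.year - born.year - (
        (as_of.month, as_of.day) < (born.month, born.day)
    )


def safe_harbor(record: dict, as_of: date = AS_OF) -> dict:
    """Apply the Safe Harbor transformations to a flat record.

    Free-text fields are passed through untouched; scrubbing identifiers
    out of narrative text is a separate problem, and the rule's "no actual
    knowledge" condition still has to be satisfied for the output.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                          # dropped entirely
        if key == "zip":
            out["zip3"] = deidentify_zip(value)
        elif key in DATE_FIELDS:
            out[f"{key}_year"] = deidentify_date(value)
        else:
            out[key] = value                  # state, diagnosis, provider...

    if "dob" in record:
        age = age_on(record["dob"], as_of)
        if age > 89:
            # Ages over 89, and any date element (including year) that would
            # reveal such an age, collapse into the single "90+" category.
            out["age"] = "90+"
            out.pop("dob_year", None)
        else:
            out["age"] = age
    return out


# Constructed sample record; every value is made up for this example.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street": "12 Example Lane",
    "city": "Allston",
    "state": "MA",
    "zip": "02134-1234",
    "dob": "1961-04-12",
    "admit_date": "2024-03-02",
    "phone": "617-555-0100",
    "ssn": "000-00-0000",
    "mrn": "MRN-000001",
    "diagnosis": "J45.20 Mild intermittent asthma, uncomplicated",
    "provider": "Example Pulmonology Associates",
}

if __name__ == "__main__":
    for k, v in safe_harbor(SAMPLE_RECORD).items():
        print(f"{k}: {v}")
```

Running it on the sample record leaves state, three-digit ZIP, years, age, diagnosis, and provider name. Note what survives: the provider name and a coarse location are exactly the kind of fragment that the preceding paragraph says remains PHI when it still identifies someone, yet here the output is, by the rule’s definition, not PHI, as long as the covered entity has no actual knowledge that it could identify the patient. The code does nothing about identifiers buried in free text, which is where real de-identification projects spend most of their effort.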
As you can see, the definition of “identifiability” is amorphous, but the definition of de-identification is specific. This raises a conundrum: many people use the definition of “de-identified” to form an analogous definition of “identified”: if the data contains any of the 18 identifiers, it is PHI, and if it doesn’t, it isn’t. That is not exactly right. While you could take the information, remove the 18 elements, and thus meet the safe harbor, information that never contained any of the 18 elements might still be PHI under the “reasonable basis” test. Like the HIPAA Police at AT&T Stadium, this is a theoretical issue that will likely never be solved (or even argued over), so I’ll leave it there.