New HIPAA Regulations in 2023-2024 – HIPAA Journal
New HIPAA Regulations in 2023-2024 HIPAA Journal
What is PHI in HIPAA? – HIPAA Journal
What is PHI in HIPAA? HIPAA Journal
What is PHI in HIPAA?
PHI in HIPAA is an acronym for Protected Health Information – health information that is created, collected, maintained, or transmitted by a covered entity that relates to an individual’s past, present, or future physical or mental condition, treatment for the condition, or payment for the treatment, and that is protected by HIPAA from impermissible uses and disclosures.
In addition to individuals’ health information being protected from impermissible uses and disclosures, HIPAA also applies to individually identifiable non-health information stored in the same designated record set as PHI that could identify the subject of the PHI or be used with other information stored in the same designated record set to identify the subject of the PHI.
The application of HIPAA protections to non-health information can create misunderstandings about what information should be protected and when it should be protected (evidenced by multiple sources mistaking the “18 HIPAA identifiers” as PHI). This article aims to resolve potential misunderstandings about what is PHI in HIPAA by answering three simple questions:
- What are Designated Record Sets in HIPAA?
- What are the 18 HIPAA Identifiers?
- When is Identifying Information Not PHI in HIPAA?
What are Designated Record Sets in HIPAA?
Designated record sets are records maintained by or for a covered entity that are used in whole or part to make decisions about an individual. For example, an individual’s medical history maintained by a healthcare provider would be a designated record set, and an individual’s enrollment, payment, and claims history maintained by a health plan would be a designated record set.
A designated record set can consist of a single item of PHI or any collection of records in which one or more items qualify as PHI. For example, a photo of a child displayed on a pediatrician’s baby wall is a designated record set (because it implies a previous treatment relationship), as are details of an individual’s emotional support animal if the details include the condition of the individual.
Because a designated record set can consist of a single item of PHI, an individual can have multiple designated record sets maintained by the same organization. Any information maintained in a designated record set is considered PHI in HIPAA, even if the designated record set consists of only one piece of information relating to an individual’s condition, treatment, or payment.
What are the 18 HIPAA Identifiers?
The reason it is important to understand what designated record sets are is to dispel any misunderstandings about the 18 HIPAA identifiers. One of the reasons for potential misunderstandings about what is PHI in HIPAA is that some sources have interpreted the 18 HIPAA identifiers in §164.514 of the Privacy Rule as being PHI. They are not.
The 18 HIPAA identifiers are eighteen identifying pieces of information that have to be removed from a designated record set before the record set can be considered de-identified under the “safe harbor” method of deidentification. While any of the 18 HIPAA identifiers would assume the same protections as health information when maintained in the same designated record set as health information, they are not protected by HIPAA outside a designated record set.
In addition to not being protected by HIPAA when maintained outside a designated record set, the list of identifiers is almost a quarter of a century out of date. There are now many more pieces of information that could be used to identify an individual – and would need to be removed from a designated record set before any health information left in the set is deidentified – including unique occupations, social media aliases, and details about emotional support animals.
When is Identifying Information not PHI in HIPAA?
As explained above, identifying information is not PHI in HIPAA when it is not maintained in a designated record set that contains health information. To help better explain this, we will use the example of Mrs. Doe – who has undergone medical treatment at a hospital where she also volunteers to support nursing staff during meal delivery times.
Mrs. Doe`s medical history will be in one or more designated record sets – which also include identifying information such as her name and telephone number. While maintained in these designated records sets, Mrs. Doe’s name and telephone number are PHI and have to be protected from impermissible uses and disclosures.
However, Mrs. Doe’s name and telephone number are also included in a separate hospital database maintained by the volunteer administrator. As this database does not contain PHI, it is not a designated record set. The identifying information maintained in the database is not PHI and is not protected by HIPAA – even though the database is maintained by a hospital that maintains one or more other databases/designated records sets in which the same information is protected.
Why it is Important to Understand What is PHI in HIPAA
It is important to understand what is PHI in HIPAA so PHI can be protected against impermissible uses and disclosures in compliance with HIPAA. It can be equally important to understand what is not PHI in HIPAA to prevent obstacles to communication and operational efficiency. To demonstrate this point using the example of Mrs. Doe’s name and telephone number –
If the same level of protection was applied to the identifying information maintained in a volunteer database as the identifying information in a designated record set, it may not be possible for the volunteer administrator to contact Mrs. Doe if the nursing staff required more volunteer assistance on a particular shift. This could be because the volunteer administrator did not have sufficient permissions to access a protected designated record set containing Mrs. Doe’s telephone number.
While this is a very simple example to explain why it is important to understand what is – and what isn’t – PHI in HIPAA, similar scenarios could be applied to many different uses of individually identifiable non-health information that could be secured more than necessary due to a misunderstanding of what is PHI in HIPAA. If you are responsible for compliance in an organization, and you are not sure you understand what PHI is in HIPAA, you should seek compliance advice.
The post What is PHI in HIPAA? appeared first on HIPAA Journal.
ProSmile Holdings Notifies Patients About July 2022 Data Breach – HIPAA Journal
ProSmile Holdings Notifies Patients About July 2022 Data Breach
ProSmile Holdings, LLC, a New Jersey dental service organization, started notifying patients on December 22, 2023, about a breach of its email environment. Suspicious activity was detected in July 2022, and a third-party cybersecurity company was engaged to investigate the unauthorized activity and determine if any sensitive data had been exposed or compromised. ProSmile Holdings was notified on December 1, 2022, that numerous email accounts had been compromised and accessed without authorization, and personal and protected health information may have been accessed or acquired.
On January 27, 2023, ProSmile Holdings engaged a vendor to conduct a review of the affected files, and the review was completed on November 29, 2023. The compromised information included names, dates of birth, Social Security numbers, driver’s license or other state identification card numbers, financial account numbers, payment card numbers, medical treatment information, diagnosis or clinical information, provider information, prescription information, and health insurance information.
ProSmile Holdings made an announcement about the data breach on March 28, 2023, but was unable to confirm at that time how many individuals had been affected or what data had been exposed. The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
It is also unclear why it took 5 months to discover that patient data was involved, a further two months to initiate a document review, and 10 months to complete that review. The first announcement about the breach was not made for 7 months, and it has taken 17 months for individual notifications to be issued.
Valley Health System Affected by Data Breach at ESO Solutions
Valley Health System in Las Vegas has confirmed that it was affected by a ransomware attack and data breach at its software vendor, ESO Solutions, in late September. ESO notified Valley Health System about the breach in late October and confirmed that patient names, phone numbers, addresses, and some personal or health information were compromised. The breach has affected 5 Valley Health System hospitals: Centennial Hills Hospital, Desert Springs Hospital, Spring Valley Hospital, Summerlin Hospital, and Valley Hospital. The affected individuals were notified about the breach on December 12, 2023.
The post ProSmile Holdings Notifies Patients About July 2022 Data Breach appeared first on HIPAA Journal.
Is Google Workspace HIPAA Compliant? Updated for 2026 – The HIPAA Journal
Is Google Workspace HIPAA Compliant? Updated for 2026 The HIPAA Journal
Before HIPAA and privacy laws… | Today In History News – Page Valley News
Before HIPAA and privacy laws… | Today In History News Page Valley News
Before HIPAA and privacy laws… | Today In History News – Page Valley News
Before HIPAA and privacy laws… | Today In History News Page Valley News
The Comprehensive History of HIPAA to the Current Day – HIPAA Journal
The Comprehensive History of HIPAA to the Current Day HIPAA Journal