In this series on establishing security classifications for your company’s information, last week’s post looked at one aspect – the widely varying definitions of Protected Information under state PII breach notification statutes. But if your organization is a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA), the definition of Protected Health Information (PHI) is also a key puzzle piece for your classification scheme.
HIPAA establishes national standards for the use and disclosure of PHI, and also for the safeguarding of individuals’ electronic PHI, by covered entities and business associates. Merely having information commonly thought of as “protected health information” does not mean that HIPAA applies. And there are some surprises in which organizations are – and are not – covered by HIPAA. So, that’s the first question to answer – is your company a HIPAA covered entity or business associate?
Covered Entities and Business Associates
Under HIPAA, “covered entity” means (1) a health plan; (2) a healthcare clearinghouse; or (3) a healthcare provider that transmits any health information in electronic form in connection with a covered transaction. The “provider” and “clearinghouse” scenarios are fairly straightforward, but “health plan” is less so. An employer’s self-funded or self-insured health plan is itself a HIPAA-covered entity, regardless of the company’s business or industry. On the other hand, various forms of insurance plans that commonly handle individuals’ health information are excluded from the definition of a covered entity health plan, such as accident or disability income insurance; liability insurance; workers’ compensation insurance; coverage for on-site medical clinics; and other insurance coverage in which benefits for medical care are secondary or incidental to other insurance benefits.
“Business associate” includes persons or entities that create, receive, maintain, or transmit PHI on behalf of a covered entity for a function or activity regulated by HIPAA. “Business associate” also means persons or entities that provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, if providing such services involves the disclosure to the person or entity of the covered entity’s PHI. This language is quite broad, encompassing many organizations that are not themselves a healthcare provider or health plan, but simply do business with one. And subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate are also included in HIPAA’s business associate definition.
Definition of PHI
Under HIPAA, “PHI” means individually identifiable health information that is transmitted or maintained in electronic media or in any other form or medium. “Individually identifiable health information” is information that:
- Is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual; and
- Either identifies the individual, or for which there is a reasonable basis to believe the information can be used to identify the individual.
If health information does not identify an individual, and there’s no reasonable basis to believe that the information can be used to identify an individual, then it’s not “individually identifiable health information.” Requirements for de-identification of PHI are set forth in HIPAA regulations, and they help by defining what is not PHI. Generally, PHI is de-identified if the following identifiers of the individual (or of relatives, employers, or household members of the individual) are removed, so long as the covered entity doesn’t have actual knowledge that the information could be used alone or in combination with other information to identify the individual. Fasten your seatbelts – it’s a long list:
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of a ZIP code if, according to the current publicly available data from the Bureau of the Census:
  - The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
  - The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people are changed to 000.
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social Security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints;
- Full face photographic images and any comparable images; and
- Any other unique identifying number, characteristic, or code (other than a permissible re-identification code under the HIPAA regulations).
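The list above is a concrete data-handling rule set, so here is an added example (not code from the original post) that applies it to a single record: direct identifiers are dropped, ZIP codes are cut to three digits or blanked to 000, dates keep only their year, and ages over 89 collapse to 90+. The field names and the set of low-population ZIP prefixes are assumptions; the real prefix list must be taken from current Census data.

```python
"""Safe Harbor-style de-identification of one record (added example)."""
import re
from datetime import date

# Constructed placeholder only: ZIP3 prefixes covering 20,000 or fewer people
# must be looked up in current Bureau of the Census data before real use.
LOW_POPULATION_ZIP3 = {"036", "059"}

# Fields the list above says must be removed outright (assumed field names).
DIRECT_IDENTIFIERS = {"name", "phone", "fax", "email", "ssn", "mrn",
                      "beneficiary_id", "account", "license", "plate",
                      "device_serial", "url", "ip", "biometric", "photo"}

# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"dob", "admitted", "discharged", "died"}

def generalize_zip(zip_code, low_population=LOW_POPULATION_ZIP3):
    """Keep the first three digits, or 000 if that unit is too small."""
    digits = re.sub(r"\D", "", str(zip_code))
    if len(digits) < 5:
        return None          # malformed input: drop rather than guess
    prefix = digits[:3]
    return "000" if prefix in low_population else prefix

def generalize_age(age):
    """Ages over 89 collapse into the single category '90+'."""
    return "90+" if age > 89 else age

def deidentify(record, as_of):
    """Return a new dict with identifiers removed or generalized.
    as_of decides whether a birth year alone would reveal an age over 89."""
    over_89 = "dob" in record and as_of.year - record["dob"].year > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            if not (key == "dob" and over_89):   # year indicative of age > 89
                out[key + "_year"] = value.year
        elif key == "age":
            out["age"] = generalize_age(value)
        else:
            out[key] = value
    return out

def run_sample():
    """Constructed sample record, not real patient data."""
    rec = {"name": "Jane Doe", "ssn": "000-00-0000", "zip": "03601-1234",
           "dob": date(1930, 3, 4), "admitted": date(2023, 11, 2),
           "age": 93, "diagnosis": "hypertension"}
    return deidentify(rec, as_of=date(2024, 1, 1))
```

Note that this covers only the mechanical removals; the "actual knowledge" condition in the text still requires a human judgment that the remaining fields cannot re-identify the individual.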
The HIPAA regulations also contain some PHI exceptions. Individually identifiable health information is not PHI if the information is:
- In education records covered by the Family Educational Rights and Privacy Act (FERPA); or
- In certain student treatment records (defined in 20 U.S.C. § 1232g(a)(4)(B)(iv)); or
- In employment records held by a covered entity in its role as employer; or
- Regarding a person who has been deceased for more than 50 years.
Clear as mud? HIPAA can be counter-intuitive, so specific legal advice on its applicability and parameters is essential. But unless your company has correctly ruled out HIPAA as a consideration, the definition of PHI subject to HIPAA’s Privacy, Security, and Breach Notification Standards is a crucial part of establishing a security classification scheme for your organization. And yes, the HIPAA Security Standards are indeed focused on electronic PHI, but don’t be distracted by that – the HIPAA Privacy and Breach Notification Standards apply to PHI in any medium, including paper. An unauthorized disclosure of PHI in paper records will expose a HIPAA-covered entity or business associate to regulatory enforcement and severe penalties. And remember, if your company is not subject to HIPAA, you’ll nevertheless still need to safeguard individually identifiable health information and health insurance information under applicable state PII laws.
What’s next? Why, customer information of financial institutions, of course – and “financial institution” has a broader scope than many expect.