Once or twice a week I get a question from an organization that is considered to be a healthcare covered entity (CE) or business associate (BA) under HIPAA (a U.S. regulation) asking about the types of information that is considered to be protected health information (PHI). Last week a medical devices manufacturer, that is also a BA, asked about this. I think it is a good time to post about this topic again.
If information can be attributed to a specific individual, including the data within medical devices that are used for treatment, payment or operations (TPO), and falls under the HIPAA definition of PHI, then CEs and BAs must ensure it is protected according to all the HIPAA Privacy Rules requirements, Security Rule requirements, and associated breaches must be responded to as required by the HITECH Act.
Under HIPAA PHI includes:
(A) Names;
(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section; and
(S) Genetic Information (In 2010 “genetic information” was added to this list. (See Regulations Under the Genetic Information Nondiscrimination Act of 2008; Final Rule: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/genetic/ginafinalrule.pdf))
Notice that (R) from above is a catch-all; if something is unique to an individual and could identify that individual, then it would be considered to be PHI and would need to be protected as such.
Important points to keep in mind:
- *ALL* PHI needs to be protected per HIPAA requirements.
- Even if individuals have put this same information online and it is publicly viewable, CEs and BAs must still protect that same information that they possess and/or access.
- Even if another organization makes the information freely available, CEs and BAs protect that same information that they possess.
It’s all about context, folks. Read more about that here.
Tags: HIPAA, HITECH, Information Security, infosec, medical devices, patient information, personal information, PHI, privacy, privacy professor, privacy risks, privacy rule, privacyprof, protected health information, Rebecca Herold, security rule