Have you sent or received a text or email appointment reminder? That text or email is “protected health information” (PHI), by itself, even without a diagnosis or medical information. Does it comply with HIPAA?
Medical Identity Theft is a National Crisis
Medical identity theft – the fastest growing form of identity theft – is when someone steals or uses your personal information (such as your name, Social Security number, or Medicare number) to submit fraudulent claims to Medicare and other health insurers without your authorization.
It’s profitable to criminals and surprisingly easy – only two things are needed for medical identity theft: the identity of a patient and the identity of a provider, according to the Inspector General of the U.S. Department of Health and Human Services (HHS). When covered entities and business associates miss the mark, they can pay dearly in fines and lawsuits.
Protected health information (PHI) is the bedrock of HIPAA privacy but is widely misunderstood, causing organizations to violate HIPAA without knowing it. Most people think PHI includes a diagnosis or some kind of medical information – NOT true. It includes the name, Social Security number and Medicare number, but it also includes fifteen other types of information.
Protected health information is any piece of individually identifiable information connected to the provision of past, present or future health status, benefits or payment for health care. It does not need to contain or reveal medical information. HIPAA protects privacy by concealing clues that can be combined with other clues to uncover private information. A simple appointment reminder by text or email to a patient contains PHI.
Even one piece of individually identifiable information is a clue that can be linked to other publicly available information to create a pathway to our most private information.
Why and How Was PHI Defined?
Before HIPAA was amended to define PHI, an enterprising graduate student in information technology at MIT uncovered the pathway to private health information. In 1996 William Weld was governor of Massachusetts, and on a cool spring day he was about to receive an honorary degree from Bentley College and give the commencement speech, but he fell ill and was rushed to a hospital in front of television cameras. He had the flu, and soon recovered. But months later, the graduate student, Latanya Sweeney, pieced together publicly available information with Massachusetts insurance data and found detailed hospital records of then-Massachusetts Governor William Weld.
The Massachusetts Group Insurance Commission (GIC), which released the insurance data to researchers, claimed the data had been “de-identified”, so how did Sweeney piece it together? Quoting from a 2010 UCLA Law Review article by University of Colorado law professor Paul Ohm:
“At the time GIC released the data, William Weld, then Governor of Massachusetts, assured the public that GIC had protected patient privacy by deleting identifiers. In response, then graduate student Sweeney started hunting for the Governor’s hospital records in the GIC data. She knew that Governor Weld resided in Cambridge, Massachusetts, a city of 54,000 residents and seven ZIP codes. For twenty dollars, she purchased the complete voter rolls from the city of Cambridge, a database containing, among other things, the name, address, ZIP code, birth date, and sex of every voter. By combining this data with the GIC records, Sweeney found Governor Weld with ease. Only six people in Cambridge shared his birth date, only three of them men, and of them, only he lived in his ZIP code. In a theatrical flourish, Dr. Sweeney sent the Governor’s health records (which included diagnoses and prescriptions) to his office.”
This easy path of clues to private information shocked privacy experts, and Professor Sweeney became a key expert resource for HHS when it wrote the definition of protected health information.
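The narrowing Sweeney describes (six people with the birth date, three of them men, one in the ZIP code) is the check a data holder should run before releasing “de-identified” records. The following is an added example, not code from the article or from the GIC; the records, the public facts and the diagnoses are all constructed, and the generalization step is an assumed coarsening to birth year and three-digit ZIP:

```python
from collections import Counter
from datetime import date

# Constructed stand-in for the "de-identified" GIC release described above:
# names and SSNs removed, but ZIP code, birth date and sex retained. Six people
# share one birth date, three of them men, and only one of those lives in ZIP
# 02138, mirroring the counts in the account above. Every value is made up.
RELEASE = [
    {"zip": "02138", "dob": date(1950, 3, 15), "sex": "M", "diagnosis": "influenza"},
    {"zip": "02139", "dob": date(1950, 3, 15), "sex": "M", "diagnosis": "asthma"},
    {"zip": "02140", "dob": date(1950, 3, 15), "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": date(1950, 3, 15), "sex": "F", "diagnosis": "migraine"},
    {"zip": "02139", "dob": date(1950, 3, 15), "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02141", "dob": date(1950, 3, 15), "sex": "F", "diagnosis": "fracture"},
    {"zip": "02138", "dob": date(1960, 2, 14), "sex": "M", "diagnosis": "eczema"},
    {"zip": "02138", "dob": date(1960, 2, 14), "sex": "M", "diagnosis": "back pain"},
]
# Facts a voter roll publishes about one person (constructed, not a real person).
PUBLIC_FACTS = {"dob": date(1950, 3, 15), "sex": "M", "zip": "02138"}
QUASI_IDS = ("dob", "sex", "zip")  # columns the release shares with the voter roll

def exact_key(rec):
    return tuple(rec[q] for q in QUASI_IDS)

def generalized_key(rec):
    # Assumed coarsening of the quasi-identifiers: keep only the birth year
    # and the first three ZIP digits, so fewer records stand alone.
    return (rec["dob"].year, rec["sex"], rec["zip"][:3])

def class_sizes(records, key_fn):
    """Number of records sharing each combination of quasi-identifier values."""
    return Counter(key_fn(r) for r in records)

def k_anonymity(records, key_fn):
    """Smallest group size; k == 1 means at least one record stands alone."""
    return min(class_sizes(records, key_fn).values())

def narrowing(records, known):
    """Candidates left as each public fact is applied in turn (dob, then sex,
    then ZIP): the pre-release check that shows how fast a record isolates."""
    counts = []
    for n in range(1, len(QUASI_IDS) + 1):
        fields = QUASI_IDS[:n]
        counts.append(sum(all(r[f] == known[f] for f in fields) for r in records))
    return counts

if __name__ == "__main__":
    print("candidates after dob, +sex, +zip:", narrowing(RELEASE, PUBLIC_FACTS))
    print("k on exact quasi-identifiers:", k_anonymity(RELEASE, exact_key))
    print("k after generalization:", k_anonymity(RELEASE, generalized_key))
```

On the constructed data the candidate count falls 6, 3, 1 and the release is only 1-anonymous; after the coarsening no group is smaller than 2.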
The 18 “Identifiers” of PHI
The experts agreed that there should be eighteen separate identifiers, and only one of them needs to be present for information to be considered PHI. Any one of the following, if connected to the provision of past, present or future health care, is PHI.
The full list of identifiers is:
- Names
- Geographic subdivisions smaller than a state, including street address, city, county and ZIP code
- Dates directly related to an Individual, including birth, death, appointment, admission, discharge, etc.
- Telephone number
- Fax number
- Email address
- Social Security Number
- Medical Record Number (MRN)
- Health Plan beneficiary number
- Account Number
- Certificate/license number
- Vehicle Identifiers and serial numbers, including license plate numbers
- Device Identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address number
- Biometric Identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code capable of identifying the Individual and not used for any other purpose
The last one, number 18, is a catch-all that describes “any other unique” identifier. It could be a tattoo or a birthmark unique to one person.
Was the appointment reminder by text or email a HIPAA violation? Read more about that here, but the short answer is yes, unless the patient consented in advance to receiving unencrypted electronic communication, after being warned of the risk of doing so.
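A pre-send check that applies the identifier list and the consent rule above to an outbound reminder, as an added example that is not code from the article or from The HIPAA E-Tool®. The regular expressions cover only some of the eighteen identifier types, and the clinic name, recipient address, phone number and MRN are constructed:

```python
import re

# Patterns for the identifier types a text or email reminder most often carries.
# Constructed for this example: they flag likely matches for review, not a
# legal determination, and cover only part of the eighteen-item list.
IDENTIFIER_PATTERNS = {
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "telephone": re.compile(r"(?<!\d)(?:\(\d{3}\) ?|\d{3}[-. ])\d{3}[-. ]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:# ]*\d{5,}\b", re.IGNORECASE),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def find_identifiers(text):
    """Map each identifier type that appears in the text to its matches."""
    found = {}
    for name, pattern in IDENTIFIER_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[name] = hits
    return found

def may_send_unencrypted(message, consent_on_file):
    """Gate an outbound reminder: the recipient address alone (phone number or
    email) ties the person to the provision of care, so a reminder is PHI and
    may go unencrypted only with the patient's prior, informed consent."""
    identifiers = find_identifiers(message["to"] + "\n" + message["body"])
    if not identifiers:  # nothing identifying at all (no recipient, bare text)
        return True, identifiers
    return bool(consent_on_file), identifiers

# Constructed reminder; the clinic, address, number and MRN are all made up.
REMINDER = {
    "to": "pat.example@example.com",
    "body": "Hi, this is Riverside Clinic. Your appointment is on 04/18/2024 at "
            "2:30 PM. Call (555) 010-2000 to reschedule. MRN 00123456",
}

if __name__ == "__main__":
    allowed, found = may_send_unencrypted(REMINDER, consent_on_file=False)
    print("identifiers found:", found)
    print("may send unencrypted without consent:", allowed)
```

The constructed reminder trips four identifier types (date, telephone, email, MRN), so without a consent record the gate refuses the unencrypted send.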
HIPAA Compliance is a Blueprint for Preventing Medical Identity Theft
A strong HIPAA compliance program is the best defense against medical identity theft. A HIPAA Risk Analysis – easy to do with The HIPAA E-Tool® – provides guidance on how to reduce the risk of loss of protected health information, and what to do if it happens.
The HIPAA E-Tool® provides covered entities and business associates with their own HIPAA policies, access to the latest laws and regulations and answers to any HIPAA question. The Privacy Rule, Security Rule, Breach Notification Rule and Enforcement Rule are all covered, with step by step guidance to help you through.