Question: Does a text message from a dentist that just says “Your appointment is Tuesday at 8:00 am” contain PHI? Answer: Yes.
Protected health information (PHI) is central to HIPAA but is widely misunderstood. Many people believe PHI must include a diagnosis or some other kind of medical information, but this is not true. Learning what PHI is will help prevent HIPAA violations and keep patients’ data safe.
The general rule is that PHI may not be used or disclosed without the patient’s authorization. The exceptions are that PHI may be used or disclosed for purposes of treatment, payment or health care operations without authorization. For example, a treating physician may disclose patient information to the hospital where the patient is located if it’s for the purpose of treatment. A medical practice may disclose PHI to an insurer if it’s for the purpose of payment. The “minimum necessary standard” always applies, meaning that only the minimum amount of information required for the purpose should be disclosed. And whenever PHI is disclosed, it must be done in a way that protects its privacy and security.
Protected health information is any single piece of individually identifiable information connected to an individual’s past, present or future health status, the provision of health care, or payment for health care. It does not need to contain or reveal medical information. A simple appointment reminder sent by text or email to a patient, with no medical information at all, contains PHI.
HIPAA protects privacy by protecting singular pieces of individual information that might be combined with other pieces of information to uncover a bigger picture. Even one piece of individually identifiable information is a clue that can be linked to other publicly available information to create a pathway to our most private information.
We last covered this topic in relation to Medical Identity Theft, where we discussed the origins of the PHI definition. In the late 1990s a curious graduate student in information technology at MIT figured out how to link separate identifiers to create a fuller picture. That student later became one of the experts advising HHS on writing the regulations for the HIPAA Privacy Rule.
The 18 “Identifiers” of PHI
When “protected health information” was defined under HIPAA, privacy experts agreed there should be eighteen separate identifiers, and only one of them needs to be present for information to be considered PHI. Any one of the following, if connected to the provision of past, present or future health care, is PHI.
The list of identifiers is:
- Dates directly related to an Individual, including birth, death, appointment, admission, discharge, etc.
- Telephone number
- Fax number
- Email address
- Social Security Number
- Medical Record Number (MRN)
- Health Plan beneficiary number
- Account Number
- Certificate/license number
- Vehicle Identifiers and serial numbers, including license plate numbers
- Device Identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address number
- Biometric Identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code capable of identifying the Individual and not used for any other purpose
The last item is a catch-all covering “any other unique” identifier. It could be a tattoo or a birthmark unique to one person.
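As an added example (not part of the original article), a small Python check that applies the rule above to outbound messages: if a message relates to health care and contains any one identifier class, it is PHI, and sending it over an unencrypted channel requires the documented patient consent described later on this page. The pattern set, function names and sample messages are constructed for illustration and cover only a handful of the identifier classes.

```python
import re

# Regexes for a few of the identifier classes listed above. Constructed for
# illustration only; a real DLP rule set would be far broader and would also
# handle names, addresses and free-text dates such as "next Tuesday".
IDENTIFIER_PATTERNS = {
    "date": re.compile(
        r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}"                            # 03/02/2024
        r"|(?:Mon|Tues|Wednes|Thurs|Fri|Satur|Sun)day"              # weekday names
        r"|(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.? \d{1,2})\b",
        re.IGNORECASE,
    ),
    "telephone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{4,}\b", re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def find_identifiers(text: str) -> list:
    """Return the identifier classes present in text, in dictionary order."""
    return [name for name, pat in IDENTIFIER_PATTERNS.items() if pat.search(text)]


def is_phi(text: str, relates_to_health_care: bool) -> bool:
    """One identifier plus a health-care connection is enough to make it PHI."""
    return relates_to_health_care and bool(find_identifiers(text))


def may_send_unencrypted(text: str, relates_to_health_care: bool,
                         patient_warned_and_consented: bool) -> bool:
    """Gate for an outbound patient message over plain SMS or email.

    Non-PHI may go out freely; PHI needs the patient's documented choice
    after being warned of the risk (the three-step safeguard on this page).
    """
    if not is_phi(text, relates_to_health_care):
        return True
    return patient_warned_and_consented


# Constructed sample messages modelled on the page's own examples.
REMINDER = "Your appointment is Tuesday at 8:00 am"
BILLING = "MRN 4471023, dates of service 03/02/2024 and 03/09/2024"
GENERIC = "Our office will be closed for the holiday."

if __name__ == "__main__":
    for msg in (REMINDER, BILLING, GENERIC):
        print(f"{msg!r}: identifiers={find_identifiers(msg)} phi={is_phi(msg, True)}")
```

The reminder is flagged on the date alone, the billing record on both the MRN and the date, and the generic notice on nothing, matching the answers in the FAQ.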
Because HIPAA calls for secure methods of transmission of electronic PHI, a patient must consent in advance to receiving unencrypted electronic communication, after being warned of the risk of doing so.
Frequently Asked Questions about PHI
Question: Our appointment reminders do not contain names or MRNs. Are they PHI?
Answer: Yes, the information is still considered PHI, because it contains a date, in connection with your office and future care. If the patient has not consented in advance to unencrypted text or email, this is an impermissible disclosure of PHI.
Question: We are a surgical medical practice. If I send information to our billing service provider that does not include names, only the medical record number and dates of service, is that considered PHI?
Answer: Yes, the information is PHI, because it contains two identifiers, the MRN and the date, in connection with your office and future care. This is a permissible disclosure without authorization, so you may send the information because it’s for the purpose of payment. Make sure you have a business associate agreement in place, and send the information by a secure method like encrypted email.
Question: What if the patient wants to receive communication by unencrypted text or email from us?
Answer: Patients have the right to receive unencrypted email and text (and most prefer this convenience), but you must follow the HIPAA three-step safeguard to protect yourself if you’re a covered entity. Warn the patient of the risks to privacy and security of unencrypted communication (a “light warning”), let them choose, and document your warning and their choice.
Question: If a patient initiates emailing or texting doesn’t that mean they have authorized unencrypted communication?
Answer: No. HIPAA requires covered entities to follow the three-step safeguard mentioned above. You cannot assume patients understand the risks, and you are required to provide the warning.
Question: Once a patient authorizes unencrypted communication, may we use regular email to send their PHI to others (e.g., other providers, the insurer)?
Answer: No. Their authorization only applies to communication with them. Always use secure methods of transmission for PHI.
Stay Up to Date on HIPAA Compliance
Don’t get caught up in HIPAA myths and misunderstandings.
Once you have a strong HIPAA compliance program in place, you’ve done most of the work to protect patients’ PHI. It’s also important to review the rules to make sure you understand the basics and are keeping up. With The HIPAA E-Tool® it’s easy to stay on top of compliance, with step-by-step guidance and answers when you need them.