What is Considered Protected Health Information Under HIPAA?
Posted By HIPAA Journal on Mar 2, 2021
Protected health information – or PHI – is often mentioned in relation to HIPAA and healthcare, but what is considered protected health information under HIPAA?
What is Considered Protected Health Information Under HIPAA Law?
If you work in healthcare or are considering doing business with healthcare clients that requires access to health data, you will need to know what is considered protected health information under HIPAA law. The HIPAA Security Rule demands that safeguards be implemented to ensure the confidentiality, integrity, and availability of PHI, while the HIPAA Privacy Rule places limits on the uses and disclosures of PHI.
Violate any of the provisions in the HIPAA Privacy and Security Rules and you could be financially penalized. There are even criminal penalties for HIPAA violations. Claiming ignorance of HIPAA law is not a valid defense.
Protected Health Information Definition
Under HIPAA, protected health information is considered to be individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations (PHI healthcare business uses).
Health information such as diagnoses, treatment information, medical test results, and prescription information are considered protected health information under HIPAA, as are national identification numbers and demographic information such as birth dates, gender, ethnicity, and contact and emergency contact information. PHI relates to physical records, while ePHI is any PHI that is created, stored, transmitted, or received electronically.
PHI only relates to information on patients or health plan members. It does not include information contained in educational or employment records, including health information maintained by a HIPAA-covered entity in its capacity as an employer.
PHI is only considered PHI when an individual could be identified from the information. If all identifiers are stripped from health data, it ceases to be protected health information and the HIPAA Privacy Rule’s restrictions on uses and disclosures no longer apply.
What is PHI?
PHI is any health information that can be tied to an individual, which under HIPAA means protected health information includes one or more of the following 18 identifiers. If these identifiers are removed the information is considered de-identified protected health information, which is not subject to the restrictions of the HIPAA Privacy Rule.
- Names (Full or last name and initial)
- All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
- Dates (other than year) directly related to an individual
- Phone Numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers (including serial numbers and license plate numbers)
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger, retinal and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
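The list above is the HIPAA Safe Harbor de-identification standard, and it is mechanical enough to apply in code. The following Python is an added example (not code from the HIPAA Journal article) that de-identifies a constructed patient record: it drops the direct identifiers, keeps only the year of dates, keeps only the first three digits of the ZIP code (or "000" for a prefix covering 20,000 or fewer people), and redacts any remaining free-text field in which a phone number, e-mail address, or SSN pattern still appears. The set of small-population ZIP prefixes, the field names, and the sample record are all constructed placeholders; the rule that ages over 89 collapse into a single "90 or older" category comes from the Safe Harbor rule in 45 CFR 164.514(b), not from this page.

```python
"""Safe Harbor de-identification of a constructed patient record.

Added example: applies the 18-identifier Safe Harbor rules (drop direct
identifiers, keep only the year of dates, keep a 3-digit ZIP prefix or
"000" for small-population prefixes) and flags identifiers that leak
into free-text fields.
"""
import re
from datetime import date

# Constructed stand-in for the Census-derived list of 3-digit ZIP prefixes
# whose combined population is 20,000 or fewer. A real deployment must load
# this from current Census data; these values are illustrative only.
SMALL_POPULATION_ZIP3 = {"036", "059", "102", "203"}

# Record fields (assumed names) that hold direct identifiers; removed outright.
REMOVED_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account", "license", "vehicle", "device_id",
    "url", "ip", "biometric", "photo", "relative_name",
}

# Date fields (assumed names) that are reduced to the year only.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Patterns that commonly betray an identifier inside free text. Checked in
# order, so an SSN is reported as "ssn" rather than as a loose phone match.
FREE_TEXT_PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("phone", re.compile(r"\b(?:\d{3}[-.\s])?\d{3}[-.\s]\d{4}\b")),
]


def generalize_zip(zip_code):
    """Keep only the 3-digit ZIP prefix; small-population prefixes become '000'."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in SMALL_POPULATION_ZIP3 else prefix


def year_only(value):
    """Reduce an ISO date string or a date object to its year."""
    if isinstance(value, date):
        return value.year
    return date.fromisoformat(value).year


def generalize_age(age):
    """Ages over 89 are aggregated into a single '90+' category (45 CFR 164.514(b))."""
    return age if age <= 89 else "90+"


def scan_free_text(text):
    """Return the identifier types found in a free-text value, in pattern order."""
    return [label for label, pattern in FREE_TEXT_PATTERNS if pattern.search(text)]


def deidentify(record):
    """Return a Safe Harbor de-identified copy of `record`.

    Fields in REMOVED_FIELDS are dropped, dates and ZIPs are generalized,
    and any other string field that still carries an identifier pattern is
    redacted instead of being passed through unchanged.
    """
    out = {}
    for key, value in record.items():
        if key in REMOVED_FIELDS:
            continue
        if key in DATE_FIELDS:
            out[key + "_year"] = year_only(value)
        elif key == "zip":
            zip3 = generalize_zip(value)
            if zip3 is not None:
                out["zip3"] = zip3
        elif key == "age":
            out["age"] = generalize_age(int(value))
        elif isinstance(value, str) and (hits := scan_free_text(value)):
            out[key] = "[REDACTED: free text contained " + ", ".join(hits) + "]"
        else:
            out[key] = value
    return out


# Constructed sample record; not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1975-06-14",
    "age": 45,
    "street": "12 Example Lane",
    "city": "Crivitz",
    "state": "WI",
    "zip": "54114-1234",
    "phone": "555-0100",
    "email": "jane.sample@example.com",
    "mrn": "MRN-0001",
    "diagnosis": "Type 2 diabetes",
    "admit_date": "2021-02-28",
    "notes": "Reports fatigue; follow-up in clinic. Call 555-0100 to reschedule.",
}

if __name__ == "__main__":
    for field, value in sorted(deidentify(SAMPLE_RECORD).items()):
        print(f"{field}: {value}")
```

Running the block prints the surviving fields only: state, diagnosis, the year of each date, the three-digit ZIP prefix, and a redaction marker in place of the notes field, because the phone number in the free text would otherwise travel with the "de-identified" record. The free-text scan is a guard, not a guarantee; a reviewer still has to confirm that narrative fields are clean before the data leaves the Privacy Rule's scope.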
How Must HIPAA Protected Health Information be Safeguarded?
The HIPAA Security Rule requires covered entities to protect against reasonably anticipated threats to the security of PHI. Covered entities must implement safeguards to ensure the confidentiality, integrity, and availability of PHI, although HIPAA is not technology specific and the exact safeguards that should be implemented are left to the discretion of the covered entity.
HIPAA requires physical, technical, and administrative safeguards to be implemented. Technologies such as encryption software and firewalls are covered under technical safeguards. Physical safeguards for PHI data include keeping physical records and electronic devices containing PHI under lock and key. Administrative safeguards include access controls to limit who can view PHI information. It is a requirement that staff are provided HIPAA security awareness training.
What is the difference between PII, PHI, and IIHI?
PII is Personally Identifiable Information that is used outside a healthcare context, while PHI (Protected Health Information) and IIHI (Individually Identifiable Health Information) are the same information used within a healthcare context. Although PHI is the more commonly used acronym in HIPAA, both PHI and IIHI are protected by the Privacy and Security Rules because they mean exactly the same thing.
Would patient information such as “Mr. Brown from New York” be considered PHI?
Although there could be thousands of Mr. Browns in New York, there is likely no more than a handful of Mr. Kwiatowskis in Crivitz, WI. As it would be impractical for HIPAA to stipulate that there must be fewer than so many Mr. Xs in a population of Y before the two identifiers are considered to be PHI, all combinations of identifiers are considered PHI under HIPAA – even “Mr. Brown from New York”.
Are email addresses that don't reveal a person's name considered identifiers for PHI purposes?
It is quite simple to find out who an email address such as “[email protected]” belongs to by doing a little research on social media or using a reverse email lookup tool on the Internet. Even if social media or a reverse lookup tool does not give you the individual's name, you will still be able to find enough information about the individual for that information – with the email address – to be considered PHI.
What is the difference between an allowable disclosure of PHI and an incidental disclosure?
Covered entities are allowed to disclose PHI for treatment, payment, and health care operations. An incidental disclosure is a secondary, accidental disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another disclosure permitted by the Privacy Rule – for example, if a physician invites a health plan employee to his office to discuss payments, and the health plan employee passes a patient he or she recognizes in the waiting room.
How do you determine what a reasonably anticipated threat to PHI is?
All covered entities and business associates are required to conduct frequent risk analyses in order to identify threats to the integrity of PHI. If the threats could be reasonably anticipated, covered entities and business associates have to implement measures to protect against the threats, or mitigate the consequences if the threats were to materialize.
Does the HIPAA Privacy Rule permit a doctor, laboratory, or other health care provider to share patient health information for treatment purposes by fax, e-mail, or over the phone?
Yes. The Privacy Rule allows covered health care providers to share protected health information for treatment purposes without patient authorization, as long as they use reasonable safeguards when doing so. These treatment communications may occur orally or in writing, by phone, fax, e-mail, or otherwise.
- A laboratory may fax, or communicate over the phone, a patient’s medical test results to a physician.
- A physician may mail or fax a copy of a patient’s medical record to a specialist who intends to treat the patient.
- A hospital may fax a patient’s health care instructions to a nursing home to which the patient is to be transferred.
- A doctor may discuss a patient’s condition over the phone with an emergency room physician who is providing the patient with emergency care.
- A doctor may orally discuss a patient’s treatment regimen with a nurse who will be involved in the patient’s care.
- A physician may consult with another physician by e-mail about a patient’s condition.
- A hospital may share an organ donor’s medical information with another hospital treating the organ recipient.
The Privacy Rule requires that covered health care providers apply reasonable safeguards when making these communications to protect the information from inappropriate use or disclosure. These safeguards may vary depending on the mode of communication used. For example, when faxing protected health information to a telephone number that is not regularly used, a reasonable safeguard may involve a provider first confirming the fax number with the intended recipient. Similarly, a covered entity may pre-program frequently used numbers directly into the fax machine to avoid misdirecting the information. When discussing patient health information orally with another provider in proximity of others, a doctor may be able to reasonably safeguard the information by lowering his or her voice.
Date Created: 11/03/2003
Protected Health Information, or PHI, is the personally identifiable health information that HIPAA regulates and protects. But HIPAA was written nearly 20 years ago for a mostly analog world of paper files and physical x-rays—the iPhone wasn't even a dream. In today's world of wearables, health apps, genetic sequencing and more, getting a precise definition of PHI can be confusing for developers trying to parse whether they need to be HIPAA compliant or not.
In this post we're going to look at what PHI is, what it isn't, and how you can tell the difference. Hopefully you'll be able to use this as a reference when determining if the information you're collecting falls under the definition of PHI as outlined by HIPAA.
Covered Entities and Business Associates
Before we can talk about protected health information we need to first discuss two important definitions in HIPAA: Covered Entities and Business Associates.
A Covered Entity is anyone who provides treatment, payment and operations in healthcare. According to the U.S. Department of Health & Human Services (HHS) Healthcare Providers, Health Plans, and Healthcare Clearinghouses are all Covered Entities. Healthcare Providers include hospitals, doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies.
Health Plans include health insurance companies, HMOs, company health plans, Medicare, and Medicaid. In addition, employers and schools that handle PHI in order to enroll their employees and students in health plans fall under the definition of a Health Plan.
Healthcare Clearinghouses are a bit harder to identify at first. A Clearinghouse takes in information from a healthcare entity, puts the data into a standard format, and then spits the information back out to another healthcare entity.
Covered Entities include:
- Doctors’ offices, dental offices, clinics, psychologists
- Nursing homes, pharmacies, hospitals or home healthcare agencies
- Health plans, insurance companies, HMOs
- Government programs that pay for healthcare
- Healthcare clearinghouses
A Business Associate is a vendor or subcontractor who has access to PHI. A more legalese definition of a Business Associate is any entity that uses or discloses PHI on behalf of a Covered Entity. Furthermore, a Business Associate is any person who, on behalf of a Covered Entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.
Business Associates can be data storage or document storage services (it doesn’t matter if they can view the PHI that they maintain), providers of data transmission services, portals or other interfaces created on behalf of Covered Entities that allow patients to share their data with the Covered Entity, and electronic health information exchanges.
The Definition of PHI
Now that we have those definitions down we can define Protected Health Information. PHI is any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed to a covered entity and/or their business associate(s) in the course of providing a health care service, such as a diagnosis or treatment.
Protected Health Information (PHI) is the combination of health information and personally identifiable information (PII). Health information encompasses information that is created or received by a covered entity via any medium—verbal, written, electronically or otherwise. This information includes the physical or mental health condition of an individual at any point in time. PII falls under the umbrella of health information since it has the potential to reveal an individual's personal identity, which could then be linked back to the health information created or received by a covered entity.
Examples of PHI
Let’s look at some concrete examples of information that is considered PHI. If your business handles any of the information below in the service to, or on behalf of, a covered entity, then HIPAA compliance is not optional.
- Patient names
- Addresses — In particular, anything more specific than state, including street address, city, county, precinct, and in most cases zip code, and their equivalent geocodes.
- Dates — Including birth, discharge, admittance, and death dates.
- Telephone and fax numbers
- Email addresses
- Social Security numbers
- Driver’s License information
- Medical record numbers
- Account numbers
- Health plan beneficiary numbers
- Certification/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Names of relatives
- Internet Protocol (IP) address numbers
- Biometric identifiers — including finger and voice prints.
- Full face photographic images and any comparable images.
Practically speaking, PHI can show up in a number of different documents, forms and communications, such as:
- Billing information from your doctor
- Email to your doctor's office about a medication or prescription you need
- Appointment scheduling note with your doctor's office
- An MRI scan
- Blood test results
- Phone records
Examples of Data Not Considered to be PHI
But not all personally identifiable information is PHI. For example, employment records of a Covered Entity and Family Educational Rights and Privacy Act (FERPA) records do not fall into the category of PHI because, despite the fact that they might contain personally identifiable information, it is not linked to health records that could compromise individual security.
In addition, some health information isn’t considered PHI because it isn’t personally identifiable or shared with a covered entity.
Examples of non-PHI data:
- Number of steps in a pedometer
- Number of calories burned
- Blood sugar readings without personally identifiable user information (PII) (such as an account or user name)
- Heart rate readings without PII
The test for PHI is pretty simple: if your device or application stores, records or transmits the user’s personally-identifiable health data to a covered entity then you are dealing with protected health information and need to be HIPAA compliant.
If you are building a wearable device or application that collects health information, but do not plan on sharing it with a covered entity at any point in time, then you do not need to be HIPAA compliant. For example, the Nike Fuel Band does not track data considered protected health information because you can't transmit that data from the device to a covered entity.
No Safe Harbor for Accidental PHI
Penalties for HIPAA noncompliance are anything but lenient. Depending on the level of negligence, these fines can range from $100 to $50,000 for a single accidental violation, with a single violation due to willful neglect resulting in an automatic $50,000 fine. The fines and charges are broken down by type: “Reasonable Cause” and “Willful Neglect”.
Reasonable Cause fines can be anywhere from $100 to $50,000 per incident and do not involve any jail time. Willful Neglect ranges from $10,000 to $50,000 for each incident and can result in criminal charges.
The maximum penalty for violations of an identical provision is $1.5 million per year. 2014 saw millions of patient records compromised due to breaches and millions of dollars in fines levied to the organizations who were responsible for protecting the data.
Unlike the Digital Millennium Copyright Act (DMCA), HIPAA does not include safe harbor for accidental storage or disclosure of PHI. The DMCA makes it easy for sites like YouTube to avoid being fined for hosting copyright material as long as those sites have a clear process for accepting and acting on content takedown requests. HIPAA has no similar rule. Therefore if your system houses PHI, even without your knowledge or consent, you are still liable under HIPAA.
For example, if you’re an anonymous mHealth messaging app that allows users to ask doctors questions about a condition without disclosing personally identifiable information, and a user discloses PHI, you’re liable for that information under HIPAA. There is no protection for you simply because that was not the intended use case for your application.
How to Become HIPAA Compliant
In order to become HIPAA compliant, there are four rules you need to be aware of and compliant with:
- HIPAA Privacy Rule
- HIPAA Security Rule, which spells out:
  - Technical Safeguards
  - Physical Safeguards
  - Administrative Safeguards
- HIPAA Enforcement Rule
- HIPAA Breach Notification Rule
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and applies to health plans, healthcare clearinghouses, health care providers and their business associates.
In order to fulfill the requirements for the confidentiality, integrity, and security of PHI as specified under the HIPAA Security Rule, you must properly address the Physical, Technical, and Administrative safeguards mentioned above. These three safeguards include implementation specifications—some of which are “required,” while others are “addressable.” Those implementation specifications that are required must be implemented, while addressable implementation specifications are best practices which must be implemented if it is reasonable and appropriate to do so (the choice must be documented).
The HIPAA Enforcement Rule spells out in full the investigations, penalties, and procedures for HIPAA violation hearings, which we touched on briefly above.
Finally, the HIPAA Breach Notification Rule requires that you notify Health and Human Services (HHS), the media, and the public if the breach affects more than 500 patients.
For a detailed discussion of these four rules or more information on just what it takes to become HIPAA compliant, read the Developer’s Guide to HIPAA Compliance.
Now that you know what protected health information is and why it’s important, it’s a great time to go back and review the types of information you’re collecting to assess whether you need to be HIPAA compliant or not. With the increased scrutiny on HIPAA violations, the massive fines associated with breaches, and the lack of a safe harbor clause for unintentional PHI, it’s better to be safe than sorry when dealing with sensitive health information.
HIPAA Questions and Answers Relating to Research
I. The Basics
Question 1: As an employee of the JHM covered entity, how does the HIPAA Privacy Rule affect my research?
Answer: Under the HIPAA Privacy Rule you must meet certain requirements before using or disclosing individually identifiable health information for research. (These HIPAA requirements are in addition to IRB requirements under federal regulations for the protection of human subjects.)
The HIPAA Privacy Rule defines “individually identifiable” broadly, to include information such as name, address, or SSN, as well as “indirect identifiers” such as zip codes or date of birth, when attached to any health information.
A covered entity and its employees may not use or disclose individually identifiable health information (called “protected health information,” or “PHI”) for research, except in one of the following circumstances:
i) The patient has signed a written Authorization containing all the elements specified in the Privacy Rule;
ii) An IRB has waived or altered the requirement for HIPAA Authorization;
iii) The covered entity has “de-identified” the data prior to its use or disclosure for research; or
iv) The data are in the form of a “limited data set” containing no HIPAA “direct identifiers,” and the researcher has signed a HIPAA Data Use Agreement.
Question 2: What is the difference between HIPAA “Authorization” and informed consent?
Answer: Informed consent is required under federal research regulations for the protection of human subjects. The HIPAA Privacy rule, a different regulation, separately requires that patients give written Authorization before a covered entity may use or disclose patients’ protected health information for research. There are different requirements for the content of informed consent and HIPAA Authorization; however both may be combined in one form (see templates on the HIPAA forms page). An IRB may waive both consent and Authorization if the research meets all of the waiver criteria established by each of the applicable regulations.
Question 3: I plan to use de-identified information in my research. Do I still need to submit an eIRB application?
Answer: The answer depends upon whether the data already exist in de-identified form. If your research involves only the analysis of pre-existing data that have been fully de-identified to the HIPAA standard, you do not need to submit an application in eIRB, because such research involves neither PHI nor an identifiable human subject.
If, however, you wish to extract de-identified data from medical records or other identifiable sources, for use in your research or to create a de-identified database for future research, you must submit an Exempt Research Application and an Application for Waiver of HIPAA Privacy Authorization in eIRB. (See the JHM IRB guidance on Research Databases for additional information)
Question 4: Are outside parties involved in a research study "business associates" of Hopkins, and do we need a Business Associate Agreement with these parties?
Answer: No. Under the HIPAA Privacy Regulations, a business associate is a person or entity that receives protected health information ("PHI") from a covered entity and performs certain functions or activities on behalf of the covered entity. For example, The Johns Hopkins Hospital is a covered entity under HIPAA and its outside lawyers, consultants, and most contractors who receive PHI from JHH are business associates doing something on JHH's behalf. The HIPAA Privacy Regulations require Hopkins to enter into Business Associate Agreements with these entities. Although these entities are not covered entities themselves, they agree to treat the PHI they receive as if they were covered entities under HIPAA.
Although this analysis might seem to apply to some parties in a research context, it now is widely accepted that persons and entities who receive PHI from research organizations in the course of an approved research project are not the business associates of the research organization. For example, if a Johns Hopkins protocol has two sponsors and an entity performing the lab work for the study, these parties are not deemed to be acting on Johns Hopkins' behalf and are not its business associates. Rather, these entities all are parties necessarily involved in the common enterprise of the research project. In a clinical trial, these parties must be listed on the HIPAA Privacy Authorization as parties to whom PHI may be disclosed in the course of the study. If the IRB waives Authorization, all these parties must be listed in the IRB waiver application so that the IRB is aware that these parties will receive PHI and can assure that a proper plan is in place to protect the privacy of the PHI. In either case, Hopkins does not need to have a Business Associate Agreement with these parties.
Question 5: When might I need a HIPAA Data Use Agreement in connection with my research?
Answer: A Data Use Agreement is needed when a researcher wants to share PHI in the form of a Limited Data Set (defined as a data set that contains no identifiers other than certain "indirect identifiers") with someone not otherwise involved in the research protocol (i.e., someone who is not mentioned as receiving PHI in the Authorization or in the waiver of Authorization approved by the IRB). If the person or entity at the other site is part of the trial and is included in the Authorization or waiver of Authorization approval for the trial, you do not need a Data Use Agreement. Rather, a Data Use Agreement is used when, for example, you want to share a Limited Data Set of research data with a colleague at another institution not involved in the trial, or with a private registry not involved in the study. The JHM IRB must be notified if you plan to share a limited data set with a person not named in the original IRB application. If you disclose a Limited Data Set to another JHM researcher, that person must sign the one page Data Use Agreement on the JHM IRB website. If you will disclose a Limited Data Set to a non-JHM researcher, the recipient must sign the full JHM Data Use Agreement before research data containing PHI are shared.
Question 5(a): What about sharing data with a researcher at JHBSPH, or including JHBSPH faculty or students as members of my research team?
Answer: The HIPAA Privacy Rule permits a covered entity to exclude from covered status any of its components that do not perform “covered functions” (e.g., billing for clinical services). The SOM and JHBSPH have agreed that because JHBSPH faculty do not perform covered functions for the JHBSPH, JHBSPH will be excluded from the JHM covered entity. This means, however, that when JHM PHI is shared with someone from the JHBSPH, this sharing is a “disclosure” of PHI and must be treated as any other disclosure of PHI to an outside entity. The SOM PI must track all disclosures of PHI to the JHBSPH to permit the SOM to account for these disclosures if required to do so under the Privacy Rule.
There is an exception to this general rule for disclosures to JHBSPH faculty or students who are formal members of a research team led by a SOM PI and have completed all required SOM HIPAA training. For the purpose of performing their responsibilities as research team members, such JHBSPH faculty/students are considered to be members of the SOM HIPAA “workforce” if they are acting under the direct control of the PI. SOM workforce members must abide by all JHM HIPAA policies, but the PI does not need to track disclosures of PHI to them.
Also, if the JHBSPH faculty and/or students are listed in the research authorization form as parties with whom the SOM PI will share PHI, the SOM PI does not need to track these disclosures.
Question 6: I am a researcher who has obtained a Certificate of Confidentiality for my study. Do I need a HIPAA Privacy Authorization when I already have a Certificate of Confidentiality?
Answer: Yes. Certificates of Confidentiality (CoCs) may protect the identities of research participants from compulsory disclosure in certain legal proceedings. However, CoCs do not prevent voluntary disclosures of research information, nor do they negate the fact that researchers collect PHI from participants and that many persons both inside and outside of Hopkins will or may see the PHI (e.g., auditors, IRBs, investigators from governmental agencies, sponsors, etc.). Accordingly, the HIPAA Privacy Authorization must inform participants that, although JHM will keep their identifiable information confidential, there are certain people in and outside of Hopkins who will or may need to see the information, and that, because some of those people are not covered by the Privacy Rule, we cannot guarantee that they will all maintain the confidentiality of the information.
Question 7: How is the HIPAA Privacy Rule related to the HIPAA Security Rule?
Answer: Each is a separate regulation under the HIPAA statute. The Privacy Rule applies to all health information obtained or created by a covered entity, regardless of medium. The Security Rule applies to protected health information created or stored in an electronic form. The Security Rule establishes standards for how covered entities store, transmit, and safeguard “ePHI.” A researcher who fails to protect the security of PHI, by failing to follow JHM information security policies (e.g., password protection, encryption) may be violating both the Privacy Rule and the Security Rule. For more information about Security Rule requirements, contact the JH Information Security services.
Question 1: At what point in recruitment may we gather information about a potential participant (i.e., a potential participant calls our office after seeing a flier, may we screen that person/ ask them about their history, or do we need him or her to complete a written privacy Authorization prior to screening)?
Answer: If the IRB has approved your recruitment plan, including a partial waiver of Authorization to permit you to collect PHI for screening without written Authorization, you may take the person’s contact and screening information. You will need to advise the person that in order to evaluate whether he or she is a candidate for the research, you will need to share the caller’s information, and the caller may need to share information, with a limited number of others who staff the study. If the person is deemed to be a qualified candidate, then he/she will be asked to come in to sign an informed consent/privacy Authorization.
If the person is not deemed to be qualified, their information should be destroyed and not used for any other purpose, unless the IRB has waived authorization to permit the research team to retain information required by the sponsor or by FDA regulations.
Question 2: When a potential participant calls after seeing a flier, may we take a history from the participant to determine eligibility prior to receiving a written privacy Authorization if we do not record (either in a database or written form) the PHI given to us by the participant?
Answer: The answer is the same as in #1, above. Receipt of PHI occurs whether the information is written, electronic or verbal. The IRB must approve the recruitment plan to permit phone screening for eligibility. The PI or research team must receive the follow-up written Authorization before they may use the PHI for research.
Question 3: When the potential participant calls our office, may the staff member who took the call have another staff member (same research team) send materials to/contact the potential participant?
Answer: Yes. Anyone on the research team or staff may use the contact information to send materials to prospective subjects and to obtain the Authorization.
Question 4: If the clinician is also a researcher and he/she meets a potential participant for their study, can that clinician/researcher have one of his/her staff members screen the patient/potential participant’s chart?
Question 5: Is it possible to get a waiver from the JHM-IRB to screen patient charts without having each patient first sign a privacy Authorization form? If yes, what forms need to be filed with the JHM-IRB?
Answer: Yes. The form is HIPAA IRB Form 4, Application for IRB Waiver of HIPAA Privacy Authorization. The waiver must be granted by the IRB before charts are screened.
III. “Grandfathering” under HIPAA
Question 1: I know that the HIPAA Privacy Rule grandfathers some studies in which participants enrolled prior to 4/14/03 (or for which the IRB granted a waiver of consent prior to that date). Please define the term “enrolled” in reference to a participant being enrolled in a study prior to 4/14/2003. Does this mean that the participant must have signed a consent form prior to that date? Or can it mean that the participant and family have been entered into the database by that date?
Answer: “Enroll” means to have the participant sign an informed consent within the meaning of the Common Rule. If a participant signed an informed consent prior to 4/14/03, the participant does not need to sign a HIPAA privacy Authorization for the same study. However, after 4/14/03, a participant who is signing an informed consent (whether a new participant, or an old participant who is being re-consented) also must sign a privacy Authorization and/or an IRB approved new combined consent/HIPAA authorization document.
Question 2: Is the continuation of a study (i.e. new grant funding) using the same protocol number considered a “new” study under HIPAA guidelines?
Answer: No. HIPAA does not address what would make a study a new study. If the study is a new study under JHM practices or the Common Rule, then both a new informed consent and privacy Authorization, or an IRB approved waiver of consent/privacy authorization, would be required. If the study is not a new study under these criteria, then no new informed consent/privacy Authorization would be required.
Question 3: If we have information in a database that was collected with the written consent of the participants in the database prior to 4/14/2003, do we need a HIPAA waiver to maintain the database?
Answer: No. Any form of written consent obtained prior to 4/14/2003 will “grandfather” the data accumulated in the research database prior to that date. The consent does not need to meet the privacy Authorization criteria and no waiver by the IRB is needed. If, however, a researcher wishes to add patients to the database who did not sign a consent form prior to 4/14/2003, those patients must sign both a consent form and a HIPAA Authorization (may be combined in a single form; see IRB website), unless the IRB grants a waiver of consent and HIPAA Authorization.
IV. De-Identification and Re-Identification
Question 1: When does a unique identifying number become PHI? Is it always considered PHI?
Answer: HIPAA permits the use of unique identifying numbers in a de-identified data set, provided that the recipient of the data (e.g., the researcher), has no access to the linking code and no means of re-identifying the data. If a unique identifying number is kept to link otherwise de-identified data to the individuals in the study, the unique identifying number is and remains PHI with respect to anyone who can access the code key or re-identify the data subjects. If the unique identifying number is destroyed, the health information would thereafter be de-identified for all purposes (assuming all other HIPAA identifiers and links to identifiers are removed).
Question 2: HIPAA has many identifiers that must be removed to “de-identify” health information. Is any one of these identifiers, all by itself, PHI?
Answer: Not necessarily. PHI is information about the health of an individual, the health condition of an individual or the payment for health services rendered to an individual. If we just had a DOB and that DOB was not linked to any other health information and could not be sourced to a provider (e.g., JHM), the DOB alone would not be PHI. But if the DOB is coupled with other information, such as “was a patient at JHH,” or “was one of 15 enrollees in a particular study,” this combination would be PHI. We have taken the position that if we gain any information linked to a person’s status as a patient or a participant in a study, that information is PHI. (Note that if DOB is the only identifier coupled with health information or research data, the researcher could aggregate the DOBs into ranges, which would de-identify the information/data.)
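The two answers above describe a data set that is de-identified for the recipient but still PHI for whoever holds the linking code, and the trick of aggregating dates of birth into ranges. The following is an added example, not code from the FAQ or from JHM, showing one way to implement that separation in Python: direct identifiers are swapped for a random study code kept in a separate key table, DOB is generalized to an age band, and the "is this PHI for me?" question is answered by whether the holder can reach the key. The identifier list, field names and sample records are constructed assumptions, and the identifier list is deliberately partial.

```python
"""Added example (not part of the original FAQ): separating a de-identified
research data set from its linking key, and generalizing a date of birth into
an age range, as the answers above describe. Field names and sample records
are constructed for illustration."""
import secrets
from dataclasses import dataclass
from typing import Optional

# Partial, illustrative set of direct identifiers to strip. It is NOT the full
# list of HIPAA identifiers; a real pipeline must cover all of them.
DIRECT_IDENTIFIERS = ("name", "mrn", "dob", "phone", "email")


def dob_to_age_range(dob: str, as_of_year: int, width: int = 10) -> str:
    """Aggregate a YYYY-MM-DD birth date into a coarse age band such as '40-49'."""
    age = as_of_year - int(dob[:4])
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


@dataclass
class DeidentifiedSet:
    records: list                  # records with direct identifiers removed
    key_table: Optional[dict]      # study_code -> identifiers; None once destroyed

    def destroy_key(self) -> None:
        """Destroy the linking key so that nobody can re-identify the records."""
        self.key_table = None

    def is_phi_for(self, has_key_access: bool) -> bool:
        """The study code remains PHI only with respect to someone who can reach
        the key (or otherwise re-identify the subjects). After the key is
        destroyed it is PHI for no one, assuming every other identifier is gone."""
        return self.key_table is not None and has_key_access


def deidentify(records: list, as_of_year: int) -> DeidentifiedSet:
    """Replace direct identifiers with a random study code held in a separate
    key table, and replace DOB with an age range."""
    key_table: dict = {}
    clean_records = []
    for rec in records:
        code = secrets.token_hex(4)        # random, not derived from any identifier
        while code in key_table:           # vanishingly unlikely, but keep codes unique
            code = secrets.token_hex(4)
        key_table[code] = {k: rec[k] for k in DIRECT_IDENTIFIERS if k in rec}
        clean = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        clean["study_code"] = code
        if "dob" in rec:
            clean["age_range"] = dob_to_age_range(rec["dob"], as_of_year)
        clean_records.append(clean)
    return DeidentifiedSet(clean_records, key_table)


def reidentify(ds: DeidentifiedSet, study_code: str) -> dict:
    """Look up a subject's identifiers; only possible while the key exists."""
    if ds.key_table is None:
        raise PermissionError("linking key has been destroyed; data is de-identified")
    return ds.key_table[study_code]


# Constructed sample records (fictional people and values).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "mrn": "000111", "dob": "1980-05-02",
     "phone": "555-0100", "diagnosis": "E11.9", "visit_year": 2020},
    {"name": "Bob Example", "mrn": "000222", "dob": "1955-11-30",
     "email": "bob@example.invalid", "diagnosis": "I10", "visit_year": 2021},
]

if __name__ == "__main__":
    ds = deidentify(SAMPLE_RECORDS, as_of_year=2021)
    for r in ds.records:
        print(r)
    print("PHI for key holder:", ds.is_phi_for(True),
          "| PHI for recipient without key:", ds.is_phi_for(False))
    ds.destroy_key()
    print("PHI for anyone after key destroyed:", ds.is_phi_for(True))
```

The design point is that the key table is the sensitive artifact: it should live with the honest broker, under its own access control, and never travel with the research data set. Dropping the key is what turns the study codes from PHI into plain labels.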
V. Accounting for Disclosures
Question 1: As per the HIPAA regulations, we need to keep a log of all persons who have viewed PHI in our database in order to provide a list of disclosures, if and when a participant requests it. Do we need to log a new entry each time a member of our research team views the data, or do we only need to enter a new entry in the log when someone outside of the team views the data?
Answer: A “disclosure” is providing PHI outside the Hopkins workforce. (NOTE: JH Bloomberg School of Public Health employees are not members of the Hopkins workforce unless they hold joint appointments and are conducting SOM research, or are faculty/students who are formal members of a research team led by an SOM PI; see Question 5a, above. Workforce members must complete all required SOM HIPAA training.) All Hopkins members of the research team may view the PHI without keeping a disclosure log. If, however, a researcher from another institution (or JHSPH) will receive JH PHI, that person’s accessing or viewing of the PHI will generally be a disclosure. This is not the case if the outside researcher meets criteria for a “workforce member” (contact the JH Privacy Office for more information).
HIPAA IRB Forms 8.1, 8.2, and 8.4 are required for disclosures of PHI outside of Hopkins’ workforce. The applicable form must be completed and a disclosure log kept unless one of the following applies: (1) the recipient of the PHI is a member of the JHM workforce, as described above; (2) the subject(s) have signed a HIPAA Authorization (or combination consent/authorization) naming the outside researcher(s) as recipients of PHI; or (3) the disclosure contains no identifiers other than the “indirect identifiers” permitted in a HIPAA Limited Data Set, and the recipient has signed the JHM Data Use Agreement with the outside researcher.
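The answer above reduces to a decision rule: sharing PHI outside the workforce must be logged unless one of three exceptions applies. This is an added Python example, not code from the FAQ or from JHM, that encodes that rule and keeps the accounting log a subject could later request. The field names, the direct-identifier list, and the sample recipients are constructed assumptions; the identifier list is a partial illustration, not the regulatory definition of a Limited Data Set.

```python
"""Added example (not part of the original FAQ): deciding whether sharing PHI
is a "disclosure" that must be entered in the accounting log, using the three
exceptions listed in the answer above. Field names and sample recipients are
constructed assumptions."""
from dataclasses import dataclass, field
from typing import Iterable, List

# Direct identifiers that a Limited Data Set may NOT contain. Illustrative,
# partial list (assumption); the page only says "indirect identifiers" remain.
DIRECT_IDENTIFIER_FIELDS = {"name", "mrn", "ssn", "phone", "email", "street_address"}


@dataclass
class Recipient:
    name: str
    is_jhm_workforce: bool = False             # exception (1)
    named_in_authorization: bool = False       # exception (2)
    signed_data_use_agreement: bool = False    # exception (3), with the LDS check below


@dataclass
class DisclosureEntry:
    subject_id: str
    recipient: str
    fields: frozenset
    purpose: str
    date: str


@dataclass
class DisclosureLog:
    entries: List[DisclosureEntry] = field(default_factory=list)

    def accounting_for(self, subject_id: str) -> List[DisclosureEntry]:
        """Everything a subject is entitled to see when requesting an accounting."""
        return [e for e in self.entries if e.subject_id == subject_id]


def only_limited_data_set_identifiers(fields: Iterable[str]) -> bool:
    """True when none of the shared fields is a direct identifier."""
    return not (set(fields) & DIRECT_IDENTIFIER_FIELDS)


def requires_accounting(recipient: Recipient, fields: Iterable[str]) -> bool:
    """A disclosure log entry is required unless one of the exceptions applies."""
    if recipient.is_jhm_workforce:
        return False                      # (1) workforce member: not a disclosure at all
    if recipient.named_in_authorization:
        return False                      # (2) subject's Authorization names this recipient
    if recipient.signed_data_use_agreement and only_limited_data_set_identifiers(fields):
        return False                      # (3) Limited Data Set under a Data Use Agreement
    return True


def share_phi(log: DisclosureLog, subject_id: str, recipient: Recipient,
              fields: Iterable[str], purpose: str, date: str) -> bool:
    """Record the disclosure when accounting is required. Returns True if logged."""
    if requires_accounting(recipient, fields):
        log.entries.append(DisclosureEntry(subject_id, recipient.name,
                                           frozenset(fields), purpose, date))
        return True
    return False


if __name__ == "__main__":
    # Constructed scenario: one subject, four kinds of recipient.
    log = DisclosureLog()
    team = Recipient("JHM study coordinator", is_jhm_workforce=True)
    outside = Recipient("Outside PI")
    authorized = Recipient("Named collaborator", named_in_authorization=True)
    lds = Recipient("LDS recipient", signed_data_use_agreement=True)
    share_phi(log, "S001", team, {"name", "mrn", "diagnosis"}, "study", "2021-03-02")
    share_phi(log, "S001", outside, {"name", "diagnosis"}, "collaboration", "2021-03-02")
    share_phi(log, "S001", authorized, {"name", "diagnosis"}, "collaboration", "2021-03-02")
    share_phi(log, "S001", lds, {"dates", "zip", "diagnosis"}, "analysis", "2021-03-02")
    for entry in log.accounting_for("S001"):
        print(entry)
```

Note that exception (3) is conjunctive: a signed agreement alone does not excuse logging if a direct identifier slips into the extract, and a clean extract alone does not excuse it without the agreement.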
VI. Subject Requests for Access to Research Data or Test Results
Question 1: Do the HIPAA requirements allow for participants to request a copy of any structured interviews they completed/responded to as part of the study? What about the results of research laboratory tests?
Answer: Individuals have a right to a copy of their “designated record set”. This is defined as follows:
Designated record set means:
(1) A group of records maintained by or for a covered entity that is:
(i) The medical records and billing records about individuals maintained by or for a covered health care provider;
(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.
(2) For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.
We are taking the position that a research record is not part of the “designated record set” and that only information that is entered into an individual’s medical record during the course of the research would be part of the “designated record set”. Of course, if the research involves treatment of a patient and there is only one “record”, the research and medical record could be the same.
This does not mean that the research record does not contain protected health information or PHI. In your question, if the interview included questions about health status or history, this would be PHI. But we do not believe it meets the above definition of “designated record set”, which requires providing a copy upon request by an individual. Also, the HIPAA Privacy Rule recognizes that under CLIA, research laboratories that do not have CLIA certification may not disclose the results of laboratory research tests to patients or their providers (see Organization Policy No. 101.2 "Research Laboratory Testing Results").
You should know that this is not a settled area of the law. Different experts have different opinions. But until there is further clarification, this is our position on this issue. Consult OHSR about specific requests for provision of copies of research records or information to non-Hopkins entities.
VII. Access to PHI Created or Maintained by Non-JHM Providers
Question 1: I am enrolling subjects in a clinical study. If adverse events occur and my subjects are treated by a non-JHM provider, how may I obtain information about the subjects’ treatment?
Answer: A subject must sign an Authorization that allows the non-JHU provider to disclose PHI to you for the purposes of research involving that subject. It is helpful to obtain the subject’s express permission for such a disclosure in the Authorization form that the subject signs for your research study. The non-JHM provider may rely upon such Authorization; alternatively, the provider may ask the patient to sign the provider’s own Authorization, or may disclose the records directly to the patient.
VIII. International Research
Question 1: How does the HIPAA Privacy Rule affect international research?
Answer: The extent to which HIPAA applies to international research is currently a matter of debate; however, once identifiable health information is received by a covered entity, that information becomes PHI (with a narrow exception for overseas foreign nationals receiving health care from US agencies). This means that when a researcher sends identified health information collected internationally across a JHM network or stores such information on a JHM computer or server, the information becomes PHI.
Because HIPAA concepts can be difficult to translate in international studies, researchers have several options. The first is to ask the IRB to approve a simpler form of the required authorization language, either within the body of the written consent itself or separately as the standalone form (the "HIPAA Statement for International Research" form), and/or request approval to obtain Authorization in oral form. Another option, where cultural barriers are significant, is to request permission to exclude HIPAA language from the consent form and process. This may be most appropriate where no data will be transferred to the U.S. and subject to HIPAA protection.
Health Insurance Portability and Accountability Act
HIPAA Privacy and Security Rules have substantially changed the way medical institutions and health providers function. The complex legalities and severe civil and financial penalties, as well as the increase in paperwork and implementation costs, have substantially impacted health care. All health professionals must be trained in HIPAA and understand the potential pitfalls and acts that can lead to a violation.
Clinical Care Effects
HIPAA, combined with stiff penalties for violation, may result in medical centers and practices withholding life-saving information from those who may have a right to it and need it at a crucial moment. Reviewing the effect of the HIPAA Privacy Rule, the US Government Accountability Office found that health care providers were "uncertain about their legal privacy responsibilities and often responded with an overly guarded approach to disclosing information." Ultimately, the solution is the education of all healthcare professionals and their support staff so that they have a full appreciation of when protected health information can be legally released.
Education and Training Effects
Education and training of healthcare providers and students are needed to implement HIPAA Privacy and Security Acts. Effective training and education must describe the regulatory background and purpose of HIPAA and provide a review of the principles and key provisions of the Privacy Rule.
HIPAA restrictions on research have affected the ability to perform chart-based retrospective research. This has made it challenging to evaluate patients prospectively for follow-up.
HIPAA Privacy rules have resulted in as much as a 95% drop in follow-up surveys completed by patients being followed long-term.
Recruitment of patients for cancer studies has led to more than 70% decrease in patient accrual and a tripling of time spent recruiting patients and mean recruitment costs.
The legal language required in research study documents is now extensive due to the need to protect participants' health information. While such information is important, a lengthy legalistic section may make these complex documents less user-friendly for those who are asked to read and sign them.
Many researchers believe that the HIPAA privacy laws have a negative impact on the cost and quality of medical research.
HIPAA Privacy and Security Acts require all medical centers and medical practices to get into and stay in compliance. The costs of developing and revamping systems and practices and an increase in paperwork and staff education time have impacted the finances of medical centers and practices at a time when insurance companies and Medicare reimbursements have decreased. Ultimately, the cost of violating the statutes is so substantial, that scarce resources must be devoted to making sure an institution is compliant, and its employees understand the statutory rules.
HIPAA is a potential minefield of violations that almost any medical professional can commit. Staff with less education and understanding can easily violate these rules during the normal course of work. While a small percentage of criminal violations involve personal gain or nosy behavior, most violations are momentary lapses that result in costly mistakes. Writing an incorrect address, phone number, email, or text on a form or expressing protected information aloud can jeopardize a practice. HIPAA education and training is crucial, as well as designing and maintaining systems that minimize human mistakes.
Violations of HIPAA
For an individual who unknowingly violates HIPAA: a minimum of $100 per violation, with an annual maximum of $25,000 for repeat violations, up to a maximum of $50,000 per violation with an annual maximum of $1.5 million.
For a violation due to reasonable cause and not due to willful neglect: a minimum of $1,000 per violation, with an annual maximum of $100,000 for repeat violations, up to a maximum of $50,000 per violation with an annual maximum of $1.5 million.
For a violation due to willful neglect that is corrected within the required time period: a minimum of $10,000 per violation, with an annual maximum of $250,000 for repeat violations, up to a maximum of $50,000 per violation with an annual maximum of $1.5 million.
For a violation due to willful neglect that is not corrected: a minimum of $50,000 per violation, with an annual maximum of $1,000,000, up to a maximum of $50,000 per violation with an annual maximum of $1.5 million.
For covered entities and specified individuals who knowingly and willfully obtain or disclose individually identifiable health information: the penalty is up to $50,000 and imprisonment up to 1 year.
For offenses committed under false pretenses, the penalty is up to $100,000 with imprisonment up to 5 years.
For offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm, the penalty is up to $250,000 with imprisonment up to 10 years.
The US Department of Health and Human Services Office for Civil Rights has received over 100,000 complaints of HIPAA violations, many resulting in civil and criminal prosecution.
Examples of HIPAA violations and breaches include:
Hospital staff disclosed HIV testing concerning a patient in the waiting room, staff were required to take regular HIPAA trainings, and computer monitors were repositioned.
Office manager accidentally faxed confidential medical records to an employer rather than a urologist's office, resulting in a stern warning letter and a mandate for regular HIPAA training for all employees.
Surgeon fired after illegally accessing personal records of celebrities, fined $2,000 and sentenced to 4 months in jail.
Private practice lost an unencrypted flash drive containing protected health information, fined $150,000 and required to install a corrective action plan.
Private physician's license suspended for submitting patients' bills to collection firms with CPT codes that revealed patient diagnoses.
Texas hospital employee received an 18-month jail term for wrongful disclosure of private patient medical information.
Walgreens pharmacist violated HIPAA by sharing confidential information concerning a customer who had dated her husband, resulting in a $1.4 million HIPAA award.
Virginia employees fired for logging into medical files without legitimate medical need.
Employee fired for speaking out loud in the back office of a medical clinic after she revealed a pregnancy test result.
Sales executive fined $10,000 for filling out prior authorization forms and putting them directly in patient charts.
Six doctors and 13 employees were fired at UCLA for viewing Britney Spears's medical records when they had no legitimate reason to do so.
Cardiac monitor vendor fined $2.5 million when a laptop containing hundreds of patient medical records was stolen from a car.
Washington State Medical Center employee fired for improperly accessing over 600 confidential patient health records.
A hospital employee posted on Facebook about the death of a patient, stating she "should have worn her seatbelt."
Hospital fined $2.2 million for allowing an ABC film crew to film two patients without their consent.
Cardiology group fined $200,000 for posting surgical and clinical appointments on a public, internet-accessed calendar.
Tricare Management of Virginia exposed confidential data of nearly 5 million people.
Cignet Health of Maryland fined $4.3 million for ignoring patient requests to obtain copies of their own records and ignoring federal officials' inquiries.
Virginia physician prosecuted for sharing information with a patient's employer under false pretenses.
What controls the use and disclosure of protected health information?
The Privacy Rule standards address the use and disclosure of individuals' health information (called “protected health information”) by organizations subject to the Privacy Rule (called “covered entities”), as well as standards for individuals' privacy rights to understand and control how their health information is used.
Which of the following is an example of protected health information (PHI)?
Examples of PHI include dates (birth, discharge, admittance, and death dates), biometric identifiers (including finger and voice prints), and full-face photographic images and any comparable images.
Which items are considered PHI?
PHI is health information in any form, including physical records, electronic records, or spoken information. Therefore, PHI includes health records, health histories, lab test results, and medical bills. Essentially, all health information is considered PHI when it includes individual identifiers.