HIPAA Protected Health Information - When Health Information Isn’t Protected

Many organizations don’t understand that not all health information is PHI and apply HIPAA more broadly than is required. This has implications for which organizations are considered Business Associates (because an organization must handle PHI to be considered a Business Associate) and how HIPAA is applied within Covered Entities and Business Associates. This post takes a deep dive into the definition of PHI to help organizations determine if and how HIPAA applies to them.

This post is part of a series that helps understand HIPAA applicability. For other posts in this series see:

• HIPAA Applicability - Understanding the Security, Breach Notification, and Privacy Rules*
• HIPAA Covered Entities - It’s More Than Just PHI
• HIPAA Business Associates - What’s Your Function?*
• HIPAA, HITECH, and HITRUST - It’s HI Time to Make Sense of it All

*These blogs have yet to be published and are coming soon.

Various terms throughout this post are linked to further definitions, either within this post or directly to definitions in laws and regulations.

TrustedSec has years of experience helping organizations meet HIPAA security and privacy compliance requirements. Please get in touch with us for any questions on this topic or if your organization needs assistance with its HIPAA Compliance program.

PHI Definition

PHI is defined in 45 CFR 160.103 as individually identifiable health information (IIHI) that is transmitted or maintained in electronic media or in any other form or medium.

Much of the confusion about the definition of PHI comes from the failure to understand that IIHI, as used in the definition of PHI, also has a very specific definition that is in turn based on the definition of health information.

The full definitions of IIHI and health information are available in 45 CFR 160.103, but a more descriptive definition of PHI can be created by merging these definitions.

To be IIHI, and therefore PHI, health information, including demographic information collected from an individual, must meet all of the following criteria:

• Is created or received by any of the following:
  • Health care provider
  • Health plan
  • Employer
  • Health care clearinghouse
• Relates to any of the following:
  • Past, present, or future physical or mental health or condition of an individual
  • Provision of health care to an individual
  • Past, present, or future payment for the provision of health care to an individual
• That either:
  • Identifies the individual
  • There is a reasonable basis to believe the information can be used to identify the individual

The part of this definition that is often overlooked is that information must be created or received by one of the specific organization types listed above in order to be considered IIHI and therefore PHI. Each of these organization types is defined in more detail below, along with the definition of health care.

The definition of PHI explicitly excludes any of the following, which are in turn excluded from the definition of Electronic Protected Health Information (ePHI):

• Education or treatment records covered by the Family Educational Rights and Privacy Act (FERPA)
• Employment records held by a Covered Entity in its role as employer
• Records of a person who has been deceased for more than 50 years

The following flowchart can help organizations determine whether information is PHI based on this definition:

ePHI Definition

The definition of ePHI is also in 45 CFR 160.103 and is simply PHI that is transmitted or maintained in electronic media.

Electronic media is also defined in 45 CFR 160.103 to include both of the following:

• Electronic storage material on which data is or may be recorded electronically, for example:
  • Devices in computers (hard drives)
  • Removable/transportable digital memory medium, such as:
    • Magnetic tape or disk
    • Optical disk
    • Digital memory card
• Transmission media used to exchange information already in electronic storage media, for example:
  • The Internet
  • Extranet or intranet
  • Leased lines
  • Dial-up lines
  • Private networks
  • The physical movement of removable/transportable electronic storage media

There is a notable exception in the definition of ePHI: The definition of electronic media, upon which the definition of ePHI is based, states that paper transmitted by facsimile (fax) and voice transmissions via telephone are not considered electronic if “the information being exchanged did not exist in electronic form immediately before the transmission”. This means these transmissions would not be considered ePHI and therefore would not be subject to the Security Rule. The health care field has clung to fax for much longer than many other industries likely due, at least in part, to this exception.

This exception isn’t as simple as it seems though, as this exception was written at a time when telephones and fax machines were standalone devices connected directly to a public switched telephone network. The exception was never meant to cover:

• Voice over Internet Protocol (VoIP)
• Fax via Internet
• All-in-one printer/scanner/copier/fax devices that are connected to a network and/or scan and internally store documents before transmission

The Department of Health and Human Services (HHS) covered this in the 2013 Omnibus Rule that updated HIPAA to align with HITECH. The word “immediately” was added to the exception text specifically to cover faxes and an explanation in the Final Rule made clear that information stored in office equipment including copiers and fax machines must be protected even if stored unintentionally.

Health Care Provider Definition

A health care provider is defined in 45 CFR 160.103 as any of the following:

• A provider of services
• A provider of medical or health services
• Any other person or organization who furnishes, bills, or is paid for health care in the normal course of business

The definition of medical and other health services is a long and complicated list of services and items. This list has indenting that is hard to follow and multiple apparent typos that would literally take an act of Congress to fix. There are also a few lines at the end that create some exclusions in a very confusing manner by referencing other definitions that in turn have their own definitions and exclusions.

Health Plan Definition

Health plans are defined in 45 CFR 160.103 as an individual or group plan that provides, or pays the cost of, medical care.

The definition of a health plan includes the following, singly or in combination:

• A group health plan
• A health insurance issuer
• An HMO
• Part A or Part B of the Medicare program
• The Medicaid program
• The Voluntary Prescription Drug Benefit Program
• An issuer of a Medicare supplemental policy
• An issuer of a long-term care policy, excluding a nursing home fixed indemnity policy
• An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers
• The health care program for uniformed services
• The veterans health care program
• The Indian Health Service program
• The Federal Employees Health Benefits Program
• An approved State child health plan providing benefits for child health assistance
• The Medicare Advantage program
• A high risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals
• Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care

The definition of a health plan explicitly excludes both of the following:

• Any policy, plan, or program to the extent that it provides, or pays for the cost of, the following benefits:
  • Coverage only for accident, or disability income insurance, or any combination thereof
  • Coverage issued as a supplement to liability insurance
  • Liability insurance, including general liability insurance and automobile liability insurance
  • Workers' compensation or similar insurance
  • Automobile medical payment insurance
  • Credit-only insurance
  • Coverage for on-site medical clinics
  • Other similar insurance coverage, specified in regulations, under which benefits for medical care are secondary or incidental to other insurance benefits
• A government-funded program (other than ones explicitly listed above as health plans) that fit either of the following criteria:
  • Principal purpose is other than providing, or paying the cost of, health care
  • Principal activity is either:
    • The direct provision of health care to persons
    • The making of grants to fund the direct provision of health care to persons

Employer Definition

Employer is defined in 26 USC 3401(d) as the person for whom an individual performs or performed any service, of whatever nature, as the employee of such person, except:

• If the person for whom the individual performs or performed the services does not have control of the payment of the wages for such services, the term "employer" means the person having control of the payment of such wages
• In the case of a person paying wages on behalf of a nonresident alien individual, foreign partnership, or foreign corporation, not engaged in trade or business within the United States, the term "employer" means such person

Health Care Clearinghouse Definition

A health care clearinghouse is defined in 45 CFR 160.103 as a public or private entity, including a billing service, repricing company, community health management information system (CHMIS) or community health information system (CHIS), and “value-added” networks and switches, that performs either of the following functions:

• Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction
• Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity

Health Care Definition

Health care is defined in 45 CFR 160.103 as care, services, or supplies related to the health of an individual that includes, but is not limited to:

• Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body
• Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription