The global COVID-19 pandemic has pushed health care further into the virtual world at an unprecedented and historic pace, and the need to protect digital health data is now more pressing than ever. Does HIPAA provide the coverage to protect all health data currently being exchanged? The quick answer is no. However, understanding what HIPAA includes as “Protected Health Information (PHI)” is a fundamental concept for health tech leaders to grasp. HIPAA applies ONLY to PHI, not to any other kind of information.
PHI is any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity. It can only be shared to provide health care services or secure payment for health care services. PHI can be in any form, including physical records, electronic records (often referred to as ePHI), or spoken information.
It’s important to note that PHI must combine a personal identifier with some health information (anything about a person’s past, current, and future health, such as diagnoses, health care coverage, payment for medical services, lab results, etc.). There are discrete categories of information that qualify as personal identifiers:
- Dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
- Telephone/fax numbers
- Geographic data/address
- Social Security numbers
- Email addresses
- Medical record numbers
- Account numbers
- Health plan beneficiary numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers including license plates
- Web URLs
- Device identifiers and serial numbers
- Internet protocol addresses
- Full face photos and comparable images
- Biometric identifiers (e.g. retinal scan, fingerprints)
- Any unique identifying number or code
Under HIPAA, if health information is stripped of all identifiers that can tie the information back to an individual, it ceases to be PHI and the HIPAA rules no longer apply. However, the landscape is evolving to protect data beyond what is covered under HIPAA. Be aware of the new class of data protections that have already been passed in California and Virginia. For a full audit of data protection laws that affect your health tech, reach out to the Elevation Team.