The definition of protected health information is information including genetic and demographic

Book

In: StatPearls [Internet]. Treasure Island (FL): StatPearls Publishing; 2022 Jan.

2022 Feb 2.


  • PMID: 31985924
  • Bookshelf ID: NBK553131


Protected Health Information

Sasank Isola et al.


Excerpt

According to the Health Insurance Portability and Accountability Act (HIPAA), protected health information (PHI) is any health information that can identify an individual, that is in the possession of or transmitted by a "covered entity" or its business associates, and that relates to a patient's past, present, or future health. This data includes demographic information. It also includes, but is not limited to, electronic and paper transmission. The term "covered entity" refers to, but is not limited to, health care providers, insurance companies, and hospitals. PHI includes demographic identifiers in medical records, such as names, phone numbers, and emails, and biometric information such as fingerprints, voiceprints, genetic information, and facial images.

Copyright © 2022, StatPearls Publishing LLC.







What Health Information Is Protected by the Privacy Rule?


Key Points:
  • With certain exceptions, the Privacy Rule protects a subset of individually identifiable health information, known as protected health information or PHI, that is held or maintained by covered entities or their business associates acting for the covered entity.
  • The Privacy Rule does not protect individually identifiable health information that is held or maintained by entities other than covered entities or business associates that create, use, or receive such information on behalf of the covered entity.

To understand the possible impact of the Privacy Rule on their work, researchers will need to understand what individually identifiable health information is and is not protected under the Rule. With certain exceptions, the Privacy Rule protects a certain type of individually identifiable health information, created or maintained by covered entities and their business associates acting for the covered entity. This information is known as "protected health information" or PHI.

The Privacy Rule defines PHI as individually identifiable health information, held or maintained by a covered entity or its business associates acting for the covered entity, that is transmitted or maintained in any form or medium (including the individually identifiable health information of non-U.S. citizens). This includes identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or the provision or payment of health care to an individual that is created or received by a health care provider, health plan, employer, or health care clearinghouse. For purposes of the Privacy Rule, genetic information is considered to be health information.

There are, however, instances when individually identifiable health information held by a covered entity is not protected by the Privacy Rule. The Rule excludes from the definition of PHI individually identifiable health information that is maintained in education records covered by the Family Educational Rights and Privacy Act (as amended, 20 U.S.C. 1232g) and records described at 20 U.S.C. 1232g(a)(4)(B)(iv), and employment records containing individually identifiable health information that are held by a covered entity in its role as an employer.

A critical point of the Privacy Rule is that it applies only to individually identifiable health information held or maintained by a covered entity or its business associate acting for the covered entity. Individually identifiable health information that is held by anyone other than a covered entity, including an independent researcher who is not a covered entity, is not protected by the Privacy Rule and may be used or disclosed without regard to the Privacy Rule. There may, however, be other Federal and State protections covering the information held by these entities that limit its use or disclosure.

When health information is individually identifiable and is held by a covered entity, it is likely to be PHI. In contrast, the HHS Protection of Human Subjects Regulations describe "private information" as including information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (for example, a medical record). Under the HHS Protection of Human Subjects Regulations, private information must be individually identifiable (i.e., the identity of the subject is or may readily be ascertained by the investigator or associated with the information) in order for obtaining the information to constitute research involving human subjects unless data are obtained through intervention or interaction with the individual.

Area of Distinction: Identifiable Information
  • HIPAA Privacy Rule: Defines PHI as individually identifiable health information that is transmitted or maintained in any form or medium (electronic, oral, or paper) by a covered entity or its business associates, excluding certain educational and employment records.
  • HHS Protection of Human Subjects Regulations, Title 45 CFR Part 46: Private information must be individually identifiable in order for obtaining the information to constitute research involving human subjects. Individually identifiable means the identity of the subject is or may readily be ascertained by the investigator or associated with the information.
  • FDA Protection of Human Subjects Regulations, Title 21 CFR Parts 50 and 56: Title 21 CFR Parts 50 and 56 do not define individually identifiable health information.

What are 3 types of protected health information?

Health information such as diagnoses, treatment information, medical test results, and prescription information are considered protected health information under HIPAA, as are national identification numbers and demographic information such as birth dates, gender, ethnicity, and contact and emergency contact ...

Does protected health information include demographic information?

Protected health information is information, including demographic information, which relates to: the individual's past, present, or future physical or mental health or condition, the provision of health care to the individual, or.

How is protected health information defined?

PHI stands for Protected Health Information. The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information.

Is PHI a demographic?

Demographic information is also considered PHI under HIPAA Rules, as are many common identifiers such as patient names, Social Security numbers, driver's license numbers, insurance details, and birth dates, when they are linked with health information.