What is considered individually identifiable health information?

The Privacy Rule distinguishes three categories of health information: identifiable information (protected health information, or PHI, to which the rule applies), de-identified information (to which the rule does not apply), and a limited data set (a middle option, to which only parts of the rule apply). Each is explained below.

Identifiable information. The Privacy Rule treats information as "identifiable" if it carries any personal identifiers, or if information about an individual, or about his or her relatives, household members, or employer, could alone or in combination identify the individual. For more detail, see the list of 18 identifiers that must be removed to de-identify the information.

De-identified information. PHI that has been properly de-identified is no longer covered by the Privacy Rule and may be used and disclosed without the individual's authorization.

Limited data set. This is a data set that is not fully de-identified under the Privacy Rule regulations. It excludes 15 of the 18 personal identifiers listed for de-identification, but allows the retention of:

  • Dates (e.g., date of birth, admission and discharge dates)
  • Some geographic information (city, state and ZIP code, but not street address)
  • Other unique codes and characteristics that are not expressly excluded

Most Privacy Rule requirements do not apply to a limited data set, whether it is used internally or disclosed (for example, disclosures do not have to be tracked). There are restrictions on the use of limited data sets, including:

  • The limited data set option is available only for research, health care operations, and public health purposes.
  • In addition, the following two requirements apply:
    1.  the covered entity may release only the minimum necessary information, so the intended recipient must indicate what is needed; and
    2.  the recipient must agree to a "data use agreement", which generally describes the permitted uses and disclosures of the information received and prohibits re-identifying the information or using it to contact the individuals. A data use agreement is an agreement between the covered entity (perhaps via the Privacy Officer) and the recipient of the data. Note that a data use agreement is required for recipients both internal and external to the covered entity.
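The limited data set rules above, applied to records, as an added example (not code from the original page): a Python function that strips the direct identifiers a limited data set must exclude while keeping the dates and city/state/ZIP it may retain, refusing to release any field it cannot classify, followed by a count of how many released rows are unique on the retained quasi-identifiers. The second part shows why a data use agreement is still required even after the direct identifiers are gone: a birth date plus a ZIP code is often enough to link a row back to a named person, which is the "reasonable basis" concern HHS discusses later on this page. The field names, the clinical fields and the sample records are constructed and fictitious, and the mapping of those field names onto the regulatory identifier categories is an assumption about this particular schema.

```python
"""Build a HIPAA limited data set (LDS) from PHI records and measure the
re-identification risk that remains in the retained quasi-identifiers.

Added example, not code from the original page. Field names, the clinical
fields and the sample records are constructed for illustration; the grouping
of field names into direct-identifier categories is an assumption about this
schema."""

from collections import Counter
from typing import Iterable

# Direct identifiers a limited data set must exclude (45 CFR 164.514(e)(2)),
# mapped onto assumed field names in this constructed schema.
LDS_DIRECT_IDENTIFIERS = frozenset({
    "name",             # names
    "street_address",   # postal address other than city, state, ZIP
    "phone", "fax",     # telephone and fax numbers
    "email",            # electronic mail addresses
    "ssn",              # Social Security numbers
    "mrn",              # medical record numbers
    "health_plan_id",   # health plan beneficiary numbers
    "account_number",   # account numbers
    "license_number",   # certificate/license numbers
    "vehicle_id",       # vehicle identifiers and serial numbers
    "device_serial",    # device identifiers and serial numbers
    "url",              # web URLs
    "ip_address",       # IP addresses
    "fingerprint_id",   # biometric identifiers
    "photo",            # full-face photographs
})

# Fields an LDS may keep that Safe Harbor de-identification would remove.
LDS_QUASI_IDENTIFIERS = frozenset({
    "birth_date", "admit_date", "discharge_date", "city", "state", "zip",
})

# Clinical/payment content with no identifier (assumed for this schema).
LDS_CONTENT_FIELDS = frozenset({"sex", "diagnosis_code", "charge_usd"})


def to_limited_data_set(record: dict) -> dict:
    """Strip direct identifiers; fail closed on any field the schema does not know.

    A deny-list alone would silently pass a new identifying column (say, a
    student ID number), so unknown keys raise instead of leaking through."""
    unknown = set(record) - LDS_DIRECT_IDENTIFIERS - LDS_QUASI_IDENTIFIERS - LDS_CONTENT_FIELDS
    if unknown:
        raise ValueError(f"unclassified fields, refusing to release: {sorted(unknown)}")
    return {k: v for k, v in record.items() if k not in LDS_DIRECT_IDENTIFIERS}


def residual_risk(records: Iterable[dict], keys=("birth_date", "zip", "sex")) -> dict:
    """Count LDS rows that are unique on the retained quasi-identifiers.

    A row that is the only one with its (birth date, ZIP, sex) combination can
    be linked to a named person via voter rolls or similar public data. That
    residual linkability is why an LDS is still PHI and needs a data use
    agreement, not just a de-identification sign-off."""
    combos = Counter(tuple(r.get(k) for k in keys) for r in records)
    singletons = sum(1 for n in combos.values() if n == 1)
    return {
        "records": sum(combos.values()),
        "unique_on_quasi_ids": singletons,
        "smallest_group": min(combos.values()) if combos else 0,
    }


# Constructed, fictitious sample PHI records.
SAMPLE_PHI = [
    {"name": "Ann Example", "street_address": "12 Elm St", "city": "Springfield",
     "state": "IL", "zip": "62701", "birth_date": "1960-03-04", "sex": "F",
     "admit_date": "2023-01-10", "discharge_date": "2023-01-14", "ssn": "000-00-0001",
     "mrn": "MRN001", "phone": "555-0101", "diagnosis_code": "E11.9", "charge_usd": 1200},
    {"name": "Bob Example", "street_address": "9 Oak Ave", "city": "Springfield",
     "state": "IL", "zip": "62701", "birth_date": "1960-03-04", "sex": "M",
     "admit_date": "2023-02-01", "discharge_date": "2023-02-03", "ssn": "000-00-0002",
     "mrn": "MRN002", "email": "bob@example.invalid", "diagnosis_code": "I10", "charge_usd": 800},
    {"name": "Cy Example", "street_address": "3 Pine Rd", "city": "Springfield",
     "state": "IL", "zip": "62701", "birth_date": "1960-03-04", "sex": "M",
     "admit_date": "2023-02-11", "discharge_date": "2023-02-12", "ssn": "000-00-0003",
     "mrn": "MRN003", "ip_address": "203.0.113.7", "diagnosis_code": "J45.20", "charge_usd": 400},
]


def build_release(records=SAMPLE_PHI):
    """Return the limited data set and its residual-risk summary."""
    lds = [to_limited_data_set(r) for r in records]
    return lds, residual_risk(lds)


if __name__ == "__main__":
    released, risk = build_release()
    for row in released:
        print(row)
    print(risk)
```

On the sample data the three released rows still carry full dates and ZIP 62701, and one of them (the only female born on that date in that ZIP) is unique on the quasi-identifiers. A release pipeline would treat a non-zero `unique_on_quasi_ids` as a reason to confirm the data use agreement is in place and that the recipient's stated need (the minimum necessary) really requires full dates rather than, say, year only.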


    Glossary

Individually Identifiable Health Information (IIHI)

Definition(s):

  Information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Source: NIST SP 800-66 Rev. 1, from 45 C.F.R. § 160.103

As Contained in the HHS HIPAA Rules

HHS Regulations (Relocated from § 164.501)
General Provisions: Definitions - Individually Identifiable Health Information - § 160.103

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

(i) That identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

HHS Description
General Provisions: Definitions - Individually Identifiable Health Information

We proposed to define “individually identifiable health information” to mean information that is a subset of health information, including demographic information collected from an individual, and that:

(1) Is created by or received from a health care provider, health plan, employer, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and

(i) Which identifies the individual, or

(ii) With respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

In the final rule, we change “created by or received from a health care provider...” to “created or received by a health care provider...” in order to conform to the statute. We otherwise retain the definition of “individually identifiable health information” without change in the final rule.

HHS Response to Comments Received
General Provisions: Definitions - Individually Identifiable Health Information

Comment: A number of commenters suggested that HHS revise the definitions of health information and individually identifiable health information to include consistent language in paragraph (1) of each respective definition. They observed that paragraph (1) of the definition of health information reads: “(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse...;” in contrast to paragraph (1) of the definition of individually identifiable health information, which reads: “(1) Is created by or received from a health care provider, health plan, employer, or health care clearinghouse...” [Emphasis added.]

Another commenter asked that we delete from the definition of health information, the words “health or” to make the definition more consistent with the definition of “health care,” as well as the words “whether oral or.”

Response: We define these terms in the final rule as they are defined by Congress in sections 1171(4) and 1171(6) of the Act, respectively. We have, however, changed the word “from” in the definition of “individually identifiable health information” to conform to the statute.

Comment: Several commenters urged that the definition of individually identifiable health information include information created or received by a researcher. They reasoned that it is important to ensure that researchers using personally identifiable health information are subject to federal privacy standards. They also stated that if information created by a school regarding the health status of its students could be labeled “health information,” then information compiled by a clinical researcher regarding an individual also should be considered health information.

Response: We are restricted to the statutory limits of the terms. The Congress did not include information created or received by a researcher in either definition, and, consequently, we do not include such language in the rule's definitions.

Comment: Several commenters suggested modifying the definition of individually identifiable health information to state as a condition that the information provide a direct means of identifying the individual. They commented that the rule should support the need of those (e.g., researchers) who need “ready access to health information... that remains linkable to specific individuals.”

Response: The Congress included in the statutory definition of individually identifiable health information the modifier “reasonable basis” when describing the condition for determining whether information can be used to identify the individual. Congress thus intended to go beyond “direct” identification and to encompass circumstances in which a reasonable likelihood of identification exists. Even after removing “direct” or “obvious” identifiers of information, a risk or probability of identification of the subject of the information may remain; in some instances, the risk will not be inconsequential. Thus, we agree with the Congress that “reasonable basis” is the appropriate standard to adequately protect the privacy of individuals' health information.

Comment: A number of commenters suggested that the Secretary eliminate the distinction between protected health information and individually identifiable health information. One commenter asserted that all individually identifiable health information should be protected. One commenter observed that the terms individually identifiable health information and protected health information are defined differently in the rule and requested clarification as to the precise scope of coverage of the standards. Another commenter stated that the definition of individually identifiable health information includes “employer,” whereas protected health information pertains only to covered entities for which employers are not included. The commenter argued that this was an “incongruity” between the definitions of individually identifiable health information and protected health information and recommended that we remove “employer” from the definition of individually identifiable health information.

Response: We define individually identifiable health information in the final rule generally as it is defined by Congress in section 1171(6) of the Act. Because “employer” is included in the statutory definition, we cannot accept the comment to remove the word “employer” from the regulatory definition.

We use the phrase 'protected health information' to distinguish between the individually identifiable health information that is used or disclosed by the entities that are subject to this rule and the entire universe of individually identifiable health information. 'Individually identifiable health information' as defined in the statute is not limited to health information used or disclosed by covered entities, so the qualifying phrase 'protected health information' is necessary to define that individually identifiable health information to which this rule applies.

Comment: One commenter noted that the definition of individually identifiable health information in the NPRM appeared to be the same definition used in the other HIPAA proposed rule, Security and Electronic Signature Standards (63 FR 43242). However, the commenter stated that the additional condition in the privacy NPRM, that protected health information is or has been electronically transmitted or electronically maintained by a covered entity and includes such information in any other form, appears to create potential disparity between the requirements of the two rules. The commenter questioned whether the provisions in proposed § 164.518(c) were an attempt to install similar security safeguards for such situations.

Response: The statutory definition of individually identifiable health information applies to the entire Administrative Simplification subtitle of HIPAA and, thus, was included in the proposed Security Standards. At this time, however, the final Security Standards have not been published, so the definition of protected health information is relevant only to HIPAA's privacy standards and is, therefore, included in Subpart E of Part 164 only. We clarify that the requirements in the proposed Security Standards are distinct and separate from the privacy safeguards promulgated in this final rule.

Comment: Several commenters expressed confusion and requested clarification as to what is considered health information or individually identifiable health information for purposes of the rule. For example, one commenter was concerned that information exists in collection agencies, credit bureaus, etc., which could be included under the proposed regulation but may or may not have been originally obtained by a covered entity. The commenter noted that generally this information is not clinical, but it could be inferred from the data that a health care provider provided a person or a member of a person's family with health care services. The commenter urged the Secretary to define more clearly what and when information is covered.

One commenter queried how a non-medical record keeper could tell when personal information is health information within the meaning of the rule, e.g., when a worker asks for a low-salt meal in a company cafeteria, when a travel voucher of an employee indicates that the traveler returned from an area that had an outbreak of fever, or when an airline passenger requests a wheelchair. It was suggested that the rule cover health information in the hands of schools, employers, and life insurers only when they receive individually identifiable health information from a covered entity or when they create it while providing treatment or making payment.

Response: This rule applies only to individually identifiable health information that is held by a covered entity. Credit bureaus, airlines, schools, and life insurers are not covered entities, so the information described in the above comments is not protected health information. Similarly, employers are not covered entities under the rule. Covered entities must comply with this regulation in their health care capacity, not in their capacity as employers. For example, information in hospital personnel files about a nurse's sick leave is not protected health information under this rule.

Comment: One commenter recommended that the privacy of health information should relate to actual medical records. The commenter expressed concern about the definition's broadness and contended that applying prescriptive rules to information that health plans hold will not only delay processing of claims and coverage decisions, but ultimately affect the quality and cost of care for health care consumers.

Response: We disagree. Health information about individuals exists in many types of records, not just the formal medical record about the individual. Limiting the rule's protections to individually identifiable health information contained in medical records, rather than individually identifiable health information in any form, would omit a significant amount of individually identifiable health information, including much information in covered transactions.

Comment: One commenter voiced a need for a single standard for individually identifiable health information and disability and workers' compensation information; each category of information is located in the same electronic database, but would be subjected to a different set of use and transmission rules.

Response: We agree that a uniform, comprehensive privacy standard is desirable. However, our authority under the HIPAA is limited to individually identifiable health information as it is defined in the statute. The legislative history of HIPAA makes clear that workers' compensation and disability benefits programs were not intended to be covered by the rule. Entities are of course free to apply the protections required by this rule to all health information they hold, including the excepted benefits information, if they wish to do so (for example, in order to reduce administrative burden).

Comment: Commenters recommended that the definition of individually identifiable health information not include demographic information that does not have any additional health, treatment, or payment information with it. Another commenter recommended that protected health information should not include demographic information at all.

Response: Congress explicitly included demographic information in the statutory definition of this term, so we include such language in our regulatory definition of it.

Comment: A number of commenters expressed concern about whether references to personal information about individuals, such as “John Doe is fit to work as a pipe fitter ...” or “Jane Roe can stand no more than 2 hours ...”, would be considered individually identifiable health information. They argued that such “fitness-to-work” and “fitness for duty” statements are not health care because they do not reveal the type of information (such as the diagnosis) that is detrimental to an individual's privacy interest in the work environment.

Response: References to personal information such as those suggested by the commenters could be individually identifiable health information if the references were created or received by a health care provider, health plan, employer, or health care clearinghouse and they related to the past, present, or future physical or mental health or condition, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. Although these fitness for duty statements may not reveal a diagnosis, they do relate to a present physical or mental condition of an individual because they describe the individual's capacity to perform the physical and mental requirements of a particular job at the time the statement is made (even though there may be other non-health-based qualifications for the job). If these statements were created or received by one or more of the entities described above, they would be individually identifiable health information.

What is not individually identifiable health information?

If the information is not individually identifiable, such as healthcare research information that only identifies a particular population, not individuals, then it is not protected by HIPAA. In research, this can get complicated, and further inquiry should be made when seeking a determination on a small population.

What are examples of identifiable health information?

Individually identifiable health information includes many common identifiers such as:

  • Address
  • Any date (birth date, admit date, appointment date, discharge date)
  • Social Security number
  • Bear Number
  • Telephone and fax numbers
  • Electronic (email) addresses

Is PHI individually identifiable health information?

Yes. The Privacy Rule defines PHI as individually identifiable health information that is transmitted or maintained in any form or medium (electronic, oral, or paper) by a covered entity or its business associates, excluding certain educational and employment records. PHI is therefore the subset of individually identifiable health information that is held by entities the rule covers (see the HHS response above on the distinction between the two terms).

How many individually identifiable health identifiers are specified by HIPAA?

The Privacy Rule's de-identification standard lists 18 identifiers that must be removed from PHI (see the discussion of identifiable and de-identified information at the top of this page).