Hipaa and Hitech - What is Protected health Information?
The Hipaa rules all speak of "protected health information," or Phi. What does that categorically cover? It is foremost to understand what it is so that you are sure you have the literal, protections in place. Let's examine the definition of Phi a bit here. The rule defines individually identifiable health information as:
Hipaa and Hitech - What is Protected health Information?
Individually identifiable health information is information that is a subset of health information, along with demographic information collected from an individual, and...
1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
2. Relates to the past, present, or future physical or mental health or health of an individual; the provision of health care to an individual; or the past, present, or future cost for the provision of health care to an individual; and 1. That identifies the individual; or 2. With respect to which there is a inexpensive basis to believe the information can be used to identify the individual.
It then goes on to define "protected health information" in this way: Protected health information, or Phi, is individually identifiable health information:
1. Transmitted by electronic media; or
2. Maintained in electronic media; or
3. Transmitted or maintained in any other form or medium.
What that tells us is that it covers health information in Any form. While the privacy rule applies to the information in any form, the security rule focuses on information that is created and stored electronically, along with spoken conversations.
What about De-Identified Information?
The rules do allow for the use of information if it is de-identified. What is foremost to remember here is that the rule includes several things that must be removed before something is determined de-identified. Here's the list:
(A) Names;
(B) All geographic subdivisions smaller than a state, along with street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, agreeing to the current publicly ready data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer population is changed to 000.
(C) All elements of dates (except year) for dates directly connected to an individual, along with birth date, admission date, dismissal date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a singular kind of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) public security numbers;
(H) curative narrative numbers;
(I) health plan beneficiary numbers;
(J) inventory numbers;
(K) Certificate/license numbers;
(L) vehicle identifiers and serial numbers, along with license plate numbers;
(M) expedient identifiers and serial numbers;
(N) Web Universal resource Locators (Urls);
(O) Internet Protocol (Ip) address numbers;
(P) Biometric identifiers, along with finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this
Historically, we have faithfully removed all demographic information from the headers of a report, and we have used the words "the patient" when a doctor dictates the name of the patient. If you categorically look at the above list, you will see that it's much more detailed than that. When a pacemaker is implanted, for example, the doctor gives the model number and serial number, right in the middle of the report. With (M) above, that narrative is not determined de-identified information.
The rule also states that the information must be such that a inexpensive man with a statistical background would not be able to figure out the person's identity. Lastly, it says that the covered entity must not have knowledge that the information could be used, alone or with other information, to identify the person.
It is valuable to understand the meaning of Phi and how it applies to your setting. It is also foremost that all persons involved in the workforce be clear on the definitions. Be sure you have explore these rules so you understand them and know how they apply to your work setting.
No comments:
Post a Comment