HIPAA: Health Information that is Protected by Law

Health Information that is Protected


In this article, we will examine Protected Health Information in more detail. You will be given examples of PHI and learn how to de-identify health information, as well as what can be shared with the consent of the patient.

Section 1. Defining PHI

What is Protected Health Information? The privacy rule under HIPAA defines PHI as:

"Individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.

PHI is a broad term that includes any past, present or future information regarding evaluation, treatment, or medical services in which there is personally identifiable information on file. This includes mental and physical health services, as well as laboratory and complementary health services. Also included in this definition is any payment information related to past, present, or future medical services.

Basically, if there is the ability to personally identify the patient based on information stored or transmitted in the above situations, this qualifies as PHI.

The following items can be used to identify the patient and are therefore classified as PHI:

  • Name
  • Date of Birth
  • Admission and discharge dates
  • Phone number
  • Street address, zip code, or county
  • Email address
  • Social security number
  • Birth certificate number
  • Photographs
  • Fingerprints
  • Drivers license number
  • Medical records number
  • Treatment dates and lists of services rendered

In addition to the above, PHI includes any single item of information from which it is reasonably or explicitly possible to identify the patient. Under the privacy rule, safeguards must be in place to prohibit unauthorized use of PHI and to limit employee access to it on a need-to-know basis.

Section 2. De-identified Health Information

Health information that has been de-identified can be freely shared and is not subject to HIPAA regulation. De-identified means that there is no longer any information that could reasonably be used to identify the patient. This can be done by removing the personally identifiable information, including information about other members of the patient's family. This includes unique information, such as insurance identification numbers, as well as information about the patient's employer, recent medical services rendered, or medications prescribed.

It is up to the covered entity to certify that PHI has been sufficiently de-identified and to maintain strict controls around the access and transmission of personally identifiable information. There are two specific means of de-identifying PHI, according to HIPAA standards:

  1. HIPAA's "safe harbor" standard states that PHI is considered de-identified if all of the unique identifiers above have been removed, and there is no reasonable basis to believe that the remaining information could be used to identify a person.

In order to link records or transactions to specific individuals in the absence of personally identifying information, the covered entity will usually assign an alphanumeric code to the patient record, which does not identify the patient to outside entities, but can be matched up with personal patient data for internal uses approved by HIPAA.

  2. The "statistical" standard requires examination of the data by a statistician or an individual qualified to evaluate the likelihood that the available information could reasonably be used to identify the patient. The statistician must document the process for evaluating the data and certify that the information, on its own or combined with other data, has a low likelihood of identifying the patient.
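The two mechanisms above, stripping the listed identifiers and attaching an internal alphanumeric code that outside recipients cannot reverse, can be put together in a small release pipeline. The following Python is an added example and not code from the article or from any HIPAA toolkit; the field names, the secret key, the sample records and the "quarantine" step are this example's own assumptions. It removes the fields that carry the identifiers listed in Section 1, derives the linkage code with a keyed HMAC over the medical record number so that only the covered entity holding the key can re-link it, and then scans the remaining free-text fields for identifier-shaped values (a phone number typed into a note, for instance) and holds back any record that still leaks one, since the safe-harbor standard also requires that nothing remaining could reasonably identify the person.

```python
"""Safe-harbor style de-identification with an internal re-linkage code (example)."""
import hashlib
import hmac
import re

# Fields that carry the identifiers the article lists in Section 1.
# Field names are this example's own assumption, not a regulatory schema.
DIRECT_IDENTIFIERS = frozenset({
    "name", "date_of_birth", "admission_date", "discharge_date", "phone",
    "street_address", "zip_code", "county", "email", "ssn",
    "birth_certificate_number", "photo", "fingerprint",
    "drivers_license_number", "mrn", "treatment_dates", "services_rendered",
})

# Shapes that betray an identifier leaking through a free-text field.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def linkage_code(mrn, key):
    """Keyed one-way code for a record: outside parties cannot reverse it,
    while the covered entity re-links it through the table it keeps.
    Assumption: the key never leaves the covered entity."""
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16].upper()


def scan_for_residual_identifiers(record):
    """Return (field, pattern_name) pairs for identifier-shaped text left behind."""
    hits = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for name, pattern in RESIDUAL_PATTERNS.items():
            if pattern.search(value):
                hits.append((field, name))
    return hits


def deidentify(record, key):
    """Drop every direct-identifier field and attach the linkage code."""
    code = linkage_code(record["mrn"], key)
    cleaned = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    cleaned["record_code"] = code
    return cleaned, code


def build_release_set(records, key):
    """Produce the releasable records, the records held back because an
    identifier survived in free text, and the internal code-to-MRN table."""
    released, quarantined, linkage = [], [], {}
    for rec in records:
        cleaned, code = deidentify(rec, key)
        hits = scan_for_residual_identifiers(cleaned)
        if hits:
            quarantined.append((rec["mrn"], hits))
            continue
        linkage[code] = rec["mrn"]
        released.append(cleaned)
    return released, quarantined, linkage


# Constructed sample records for the example; no real patients or numbers.
SAMPLE_RECORDS = [
    {"mrn": "MRN-0001", "name": "A. Example", "date_of_birth": "1970-01-01",
     "ssn": "123-45-6789", "zip_code": "12345", "diagnosis": "E11.9",
     "hba1c_percent": 7.4, "notes": "Diet counselling given."},
    {"mrn": "MRN-0002", "name": "B. Example", "phone": "555-010-0100",
     "diagnosis": "I10", "hba1c_percent": 5.6,
     "notes": "Spouse may be reached at 555-010-0199 for follow-up."},
]
SAMPLE_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: stored in a secrets store

if __name__ == "__main__":
    released, quarantined, linkage = build_release_set(SAMPLE_RECORDS, SAMPLE_KEY)
    print("released:", released)
    print("quarantined:", quarantined)
    print("internal linkage table:", linkage)
```

The first record is released with only its diagnosis, lab value, notes and code; the second is quarantined because the note still contains a phone number, which is exactly the kind of residual identifier a field-level strip misses. The linkage table is the part that must stay inside the covered entity: anyone holding both the table (or the key) and the released data can re-identify every record.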

Section 3. Examples of PHI in Use

When an individual visits a medical facility, they fill out intake forms which include a notice of the facility's privacy practices under HIPAA. The patient must sign a form authorizing the facility to use their personal information in order to perform services and submit bills for services rendered.

Some of the ways in which protected health information may be used after it is obtained include the following:

Scenario 1 - When you visit your physician, there is often information obtained by a nurse, physician, or dietitian that is added to your patient record. The information is personal to you and it may be possible to identify you based on the information provided, either on its own or in conjunction with other information. This personal information will be used to evaluate your condition and develop a treatment plan if necessary. There may be numerous individuals in the office with access to the data; however, they are considered covered entities, as they are participants in your treatment and care.


Also, your doctor may correspond with other health care providers outside of his office regarding your treatment. This can include specialists, laboratory personnel, and your health plan. However, this is permissible, as the privacy rule allows standard communications regarding patient information between two covered entities.

Scenario 2 - An individual may be unexpectedly taken to the emergency room at the hospital due to an injury. The hospital will collect his personal information, as well as insurance information and submit a claim for payment to the individual's health plan. The claim will contain personally identifiable information, such as his name and date of birth, in addition to specifics about the encounter, such as the date of service and tests that were performed. This is allowable, as the health plan is a covered entity and electronic claim submissions adhere to HIPAA standards.

Scenario 3 - A medical practice must conduct periodic reviews of patient records in order to ensure that the best possible care is being administered by the facility. Reviews of medical records, as well as physician diagnosis and treatment plans and eventual outcomes, may be conducted in an effort to evaluate medical staff and the overall level of care.

In this scenario, the reviews conform to HIPAA privacy standards, as they are carried out by employees of the facility -- a covered entity. This type of role is usually assigned to a quality manager or senior doctor, which further minimizes the misuse of personal health information.

Food for Thought

What are your thoughts on PHI?
Do you think the list of items that qualify as PHI is exhaustive enough? What else might be added?


The HIPAA privacy rule goes to great lengths to ensure the reduction of fraud and abuse through regulating the use of personally identifiable health information. Covered entities must ensure compliance with privacy rule standards, or ensure that the information has been de-identified before transmitting to other parties.

Sharing PHI Without Patient Notification


In this article, you will learn the specific situations that do not require patient notification or authorization in order to release protected health information.

Section 1. Exceptions to the HIPAA Privacy Policy

Although the privacy rule has placed stringent parameters around the transmission of personal health information, it is recognized that health providers are required to maintain and transmit PHI in the course of conducting business. There are several situations in which the medical facility is not required to notify the patient or obtain written express permission for a disclosure.

The scenarios that do not require written patient authorization are:

  • A covered entity is allowed under the privacy rule to disclose protected health information to the patient or authorized representative without prior written approval.
  • A covered entity may also disclose PHI to aid in TPO, which is the acronym for "Treatment, Payment and Health Care Operations". These are the situations in which a medical provider (who is a covered entity) shares patient information with other covered entities or business associates, in an effort to treat the patient's illness, receive payment for services rendered, or to engage in quality checks and case management in an effort to enhance health care operations.

Protected health information is shared under the umbrella of TPO in almost every medical-related facility, from a large hospital to the corner drugstore, and is defined below:

Treatment - This is defined as personal health information transmitted while in the act of providing, coordinating, or managing the health care of a patient. This includes consultations between doctors. An example is a primary care physician consulting with a specialist regarding a patient's diagnosis and treatment plan. Also included is information transmitted when referring a patient for outpatient laboratory testing or a diagnostic ultrasound.

Payment - This is defined as all activities that a provider of health service must undertake to receive payment for a health encounter. This includes submitting a claim to the patient's health plan for payment, checking patient eligibility and claim status, receiving and applying payment and rejections, as well as billing the patient for applicable co-pays and co-insurance.

Health Care Operations - In the course of business, a medical practitioner or establishment will engage in a number of administrative tasks to ensure the smooth and effective operation of the business. These tasks include audits of patient files, quality checks and improvement initiatives, staff competency and compliance evaluations, as well as administrative duties -- such as de-identifying PHI and creating data sets of patient information for research purposes.

  • Opportunity to Agree or Object - There are some instances in which there may not be time to obtain a formal written authorization. In these cases, it is permissible to obtain an informal verbal authorization from the patient or his authorized representative. Asking the patient outright can also be waived if there has been significant opportunity for the patient to agree or object to the request for disclosure. If the patient is incapacitated and there is no authorized representative, medical professionals may use their professional judgment and ethics in determining what information to disclose.

Informal authorization is also acceptable in the case of discussing treatment and outcomes with a patient's spouse and family members that are involved in the patient's care. Informal authorization is also applicable for the purposes of notifying family members responsible for the patient about their location, condition, or death.

  • Incidental Use and Disclosure - It is possible for protected health information to be disclosed in a situation for which the patient has not provided express written permission. However, it is considered permissible if this disclosure was incidental or related to another use or disclosure that the patient has given permission for.

This usage of PHI is acceptable as long as the covered entity can assure that there exists in the organization a reasonable safeguard against the misuse of PHI. Also, it is critical that the information shared adhere to the "minimum necessary" rule.

  • Public Interest and Benefit Activities - Otherwise protected health information can be released without patient consent in 12 scenarios, which are labeled as "national priority purposes." This is the release of personally identifiable health information to non-medical entities. In these situations, a balance is sought between maintaining individual privacy rights and the need to identify someone to serve the interest of the public.

The scenarios that fall under the umbrella of public trust are as follows:

- Required by Law - Information may be provided by a covered entity to law enforcement officials to fulfill a court order, statute, or legal regulation.

- Public Health Activities - Covered entities can reveal protected health information to:
  1. Public health officials who are responsible for monitoring and stopping the spread of disease or injury.
  2. FDA-regulated companies, if there is data that would support the monitoring of effectiveness or adverse events related to their products.
  3. Individuals who may have been exposed to transmittable diseases that are tracked by the government and require reporting.
  4. Employers, regarding employees, in order to evaluate work-related illnesses or claims, manage workers compensation claims, and OSHA violations.

- Victims of Abuse, Neglect, or Domestic Violence - In cases of suspected abuse, it is permissible to report the incident to the authorities, including providing protected health information.

- Health Oversight Activities - Personally identifiable health information may be released to government agencies that are responsible for providing oversight for the health care system, including government health programs, such as Medicare and Medicaid.

- Judicial and Administrative Proceedings - PHI may be disclosed to the court system in response to a subpoena, court order or administrative tribunal. Notice should be sent to the subject of the order that their information has been shared.

- Law Enforcement Purposes - Protected health information may be shared with law enforcement officials under the following circumstances:
  1. As required by law to adjudicate warrants or subpoenas.
  2. To locate a suspect, witness, or fugitive.
  3. To provide law enforcement officials with information on the victim, or suspected victim, of a crime.
  4. To notify law enforcement in the case of a suspicious death, which may have resulted from criminal activity.
  5. As evidence of a crime that occurred in the facility of a covered entity.
  6. In the case of an emergency involving one of its patients, even if the incident occurred offsite, a covered entity may provide PHI to inform law enforcement about a possible crime, victims, perpetrators, or location thereof.

- Decedents - In the case of death, PHI can be disclosed to the coroner's office for identification purposes, and to determine the cause of death. PHI may also be released to the funeral home as needed.

- Organ Donation - PHI can be released by covered entities to facilitate the donation of cadaver organs and tissue.

- Research - PHI can be released in the case of medical research, provided the researchers warrant that the information is necessary for the preparation or execution of the research study and will not be used in any other way.

- Serious Threat to Health and Safety - PHI can be released without consent to law enforcement officials to aid in the capture of an escaped prisoner or a violent criminal. Protected health information can also be released if there is credible reason to believe that there is an imminent threat to an individual or the public at large.

- Essential Government Functions - Covered entities are allowed to release protected health information for the completion of government duties and functions, including military missions, national security initiatives, protection of the President, evaluating State Department employees, and providing health services to inmates.

- Workman's Compensation - Covered entities may release PHI without authorization in the course of evaluating and certifying employee injury claims.

  • Limited Data Set - For the purposes of research, health care operations and public health, identifying information may be removed from a select group of patient records and the remaining data transmitted. Limited data is left, but what remains can be used for statistical, research, or policy-making purposes.

Food for Thought

Were you aware that there were so many instances in which PHI could be shared without patient authorization?
What are your thoughts regarding this?
Does this make you look at your own health information differently?


Although the HIPAA privacy policy strives to protect patients and limit disclosures of PHI, it also acknowledges that there are some instances in which disclosure is necessary to maintain the law, protect public interest, and expedite medical care.