Guidelines Governing the Sharing or Disclosure of HIPAA Patient Health Information
What is HIPAA Protected Health Information (PHI)?
HIPAA (Health Insurance Portability and Accountability Act) provides comprehensive guidelines for the sharing and disclosure of Patient Health Information (PHI) through its five titles. Title II, known as Administrative Simplification (AS), is particularly significant. To uphold the privacy of health information in the healthcare system, HIPAA relies on the AS provisions, which, as the American Medical Association’s HIPAA Overview [1] explains, establish national standards for electronic healthcare transactions.
AS focuses on creating national standards for electronic healthcare transactions and identifiers for healthcare providers, health insurance plans, and employers. Its provisions address the critical issue of maintaining the security and privacy of a patient’s health data. The most significant AS rules, recognized nationally and outlined in the HIPAA Administrative Simplification Rules at the National Library of Medicine [2], include:
- The Unique Identifiers Rule (National Provider Identifier)
- The Enforcement Rule
- The Privacy Rule
- The Security Rule
- The Transactions and Code Sets Rule
Exceptions Regarding HIPAA Protected Health Information
There are notable exceptions to the definition of PHI:
- Employer Records: Personal information about employees maintained as part of employment records by a covered entity acting as an employer is not considered PHI.
- Educational Records: Information recorded as part of educational pursuits, including professional training, is excluded from PHI as explained in the University of Michigan HIPAA Compliance Guide [3].
- FERPA Exceptions: The Family Educational Rights and Privacy Act (FERPA), as summarized in the U.S. Department of Education’s FERPA overview [4], defines specific clauses allowing certain information to be accessed or shared without notifying the individual.
Understanding De-identified Health Information
The Privacy Rule identifies an exception to PHI known as De-identified Health Information, which can be disclosed without risking HIPAA non-compliance penalties. De-identified information is deemed insufficient to compromise an individual’s privacy. Intentional de-identification can be achieved through a formal process conducted by a qualified statistician, who removes specific identifiers so that the information can no longer be linked to an individual. Common identifiers that may be removed to de-identify PHI include:
- Geographic classifications smaller than a state (e.g., district information)
- Date-based data
- Fingerprints or voiceprints
- Email addresses
- IP addresses
- Social Security Numbers (SSN)
- Health plan beneficiary numbers
- Personal account numbers (PAN)
- URLs
- Fax numbers
- License plate numbers
For official guidance on de-identification, see the HIPAA De-Identification Guidance – HHS Office for Civil Rights [5].
References
[1] HIPAA Overview – American Medical Association
[2] HIPAA Administrative Simplification Rules – National Library of Medicine
[3] HIPAA Compliance Guide – University of Michigan Health System
[4] Family Educational Rights and Privacy Act (FERPA) Overview – U.S. Department of Education
[5] HIPAA De-identification Guidance – HHS Office for Civil Rights