Created or received by a health care provider, health plan, employer, or health care clearinghouse; and
Relates to the past, present or future physical or mental health or condition of an individual, provision of health care to an individual or payment for the provision of health care to an individual; and
Identifies the individual or could be used to identify the individual.

The term "individual" includes deceased persons and may include minors.

Typically, the following types of records and activities involve Protected Health Information and are subject to regulation:

Medical records, including electronic and paper medical records consisting of case histories, clinical records, diagnostic films and test results as well as treatment charts and progress reports. Medical information transmitted orally may also be considered Protected Health Information.
Other health information, including insurance information such as claims submission, adjudication and payment, eligibility determination and reporting, utilization review, referrals and authorizations, grievance and appeals, and medical management information such as utilization management.

Top

Health information that has been "de-identified" is not subject to the regulations. When is information "de-identified?"

Information is de-identified if you have no reasonable basis to believe that the information can be used to identify a particular individual.

Information is presumed to be de-identified if the list of identifiers in the rule are removed and you do not have actual knowledge that the information could nonetheless be used to identify an individual. Identifiers include:

-	Name
-	Address, including city, county and zip code
-	Dates, including birth date, admission date, discharge date and date of death
-	Telephone and fax numbers
-	Electronic mail addresses
-	Social security numbers
-	Medical record numbers
-	Health plan beneficiary number
-	Account number
-	Certificate/license number
-	Vehicle or other device serial number
-	Web URL
-	Internet Protocol address
-	Finger or voice prints
-	Photographic images
-	Any other unique identifying number, characteristic or code

Top

Implementation Tips

Protected health information transmitted in written or oral form is protected in the same manner as information transmitted electronically.
Protected health information includes genetic information.
If you want to be completely sure you have de-identified information, remove all the identifiers listed above and ensure you know of no other way the person could be identified. Think about other publicly available information that may make protected information identifiable.
The regulations do not prohibit use of identifiers, but only if the identifier cannot be linked to an individual. For example, you may be able to release information on hospital discharges of individuals in certain age groups, so long as no age category is limited to only one or two individuals, and the age groups are not also linked to another identifier such as zip code. Again, consider other publicly available information that may make protected information identifiable.
The OMA HIPAA Privacy Handbook provides that you may use codes and similar means of marking records so they may be linked or later re-identified if the code does not contain information about the subject of the information and if you do not use or disclose the code for any other purpose or disclosure the mechanism for re-identification.
Remember that whether an individual may be identified may differ depending on the circumstances. For example, information that does not single out any particular person in a heavily populated urban area may allow identification of the person in another, less populated area.

Top

Home | Contact Us
© Copyright 2008 OAHHS