Corporate Compliance

Tip: Restrict PHI disclosures

Compliance Monitor, December 15, 2010

The HIPAA Privacy Rule requires that uses, disclosures, and requests of protected health information (PHI) be limited to the minimum necessary to accomplish the intended purpose, with some exceptions, such as disclosures to a healthcare provider for treatment. The HITECH Act modifies that requirement so that a covered entity is treated as in compliance if it limits the PHI it uses, discloses, or requests to a “limited data set” or, where more is needed, to the minimum necessary.

The Privacy Rule permits a covered entity to use and disclose PHI in a limited data set without individual authorization for research, public health, and the covered entity’s healthcare operations, provided the recipient signs a data use agreement. Unlike de-identified data, a limited data set may still contain dates (such as admission and discharge dates) and geographic data at the city, state, and ZIP code level, which is why it remains PHI and is subject to that agreement. A limited data set must not include any direct identifiers of the individual or of the individual’s relatives, household members, or employers, including:

  • Name
  • Street address
  • Telephone and fax numbers
  • E-mail address
  • Social Security number
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers
  • URLs and IP addresses
  • Full-face photos and any other comparable images

This week’s question and answer was adapted from The HIPAA and HITECH Toolkit: A Business Associate and Covered Entity Guide to Privacy and Security. For more information about the book or to order your copy, visit the HCMarketplace.
