Health Information Management

Q&A: What information needs to be compromised to constitute a HIPAA breach?

HIM-HIPAA Insider, February 15, 2011

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Q. The Code of Federal Regulations, specifically 45 CFR 160.103, defines protected health information (PHI) and individually identifiable health information. Is the following information PHI?

A hospital sends a patient a letter that includes the patient’s name and address, patient number, admission date, account balance, and the hospital’s name; alternatively, the hospital sends a letter that includes the patient’s name and date of birth, patient number, date of service, medical record number, and the hospital’s name. If one of these letters is sent to someone other than the patient, is this considered a breach of PHI that requires patient notification?
A. Pursuant to 45 CFR 160.103, PHI is considered individually identifiable health information. A strict interpretation and an “on-the-face-of-it” reading would classify the patient name alone as PHI if it is in any way associated with the hospital. CFR states that PHI includes demographic information received by a healthcare provider and relating to the provision of healthcare. If the name of an individual is associated with a hospital and the hospital provided healthcare, it is demographic information and is considered PHI.
The additional information confirms that the content of the letter is PHI even though the letter does not specifically mention the health condition of the patient.
The regulation does not require a data set to include a certain number of identifiers to be considered PHI. It specifically states that if information identifies an individual, it is PHI.
The information included in the two example letters is clearly PHI. Sending the letter to the wrong individual would be considered a breach of unsecure PHI. After conducting a risk assessment to determine whether sending the letter to the wrong individual will cause harm to the affected patient, the hospital would be responsible for determining whether to notify the patient. The hospital must document its actions regardless of whether the incident is a notifiable breach (45 CFR 164.400–164.414).
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question in the February issue of Briefings on HIPAA.

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Most Popular