The HIPAA Privacy Rule applies to psychiatrists who meet the definition of a Covered Entity (CE) which protects individually identifiable health information held or transmitted by a CE. It is important to keep in mind that state privacy laws which are often more protective than HIPAA must also be followed. But what is “individually identifiable health information” under HIPAA?
Individually identifiable health information is referred to as protected health information (PHI) and includes information relating to:
- The individual’s past, present, or future physical or mental health or condition;
- The provision of health care to the individual; or
- The past, present, or future payment for the provision of health care to the individual.2
Specifically, the Privacy Rule specifies eighteen items that transform health information into PHI:
- All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
- Phone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social Security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints;
- Full face photographic images and any comparable images; and
- Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data).
It is important to note that health information and the identifiers only constitute PHI when they are used together. When used in isolation, neither health information nor the identifiers constitutes PHI.3 All psychiatrists, whether or not they are CE’s under HIPAA must also remember to be aware of state regulations regarding patient confidentiality and protected health information. Please consult with your attorney or risk management professional with questions regarding the transmitting of PHI.
- 45 CFR 160.103.
- American Psychiatric Association, “Privacy Manual Update, A Guide for Your Psychiatric Practice,” (2013).
- UC, Berkley, Research Administration and Compliance, “HIPAA PHI: List of Identifiers and Definition of PHI,” http://cphs.berkeley.edu/hipaa/hipaa18.html (Last accessed 10/27/15).