Understanding Protected Health Information (PHI): What we need to know 🔎
As a fellow clinician and co-founder of Note Designer software, I take data privacy issues and concerns very seriously and have been working to find a balance between easing clinical burden and safeguarding the confidentiality of our work. Protected Health Information (PHI) is a critical concept for mental health professionals to understand, as it is integral to maintaining patient confidentiality and compliance, particularly vis-à-vis the Health Insurance Portability and Accountability Act (HIPAA). Let’s take a closer look at what exactly constitutes PHI as we navigate the – sometimes murky – waters of dealing with clinical privacy in the digital age.
PHI refers to any information in a clinical health record that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service, such as a psychotherapy treatment. HIPAA regulations are in place to protect this information in order to respect patient privacy and confidentiality. For mental health professionals, ensuring the confidentiality of PHI is paramount, particularly due to the sensitive nature of the information discussed in therapy or counselling sessions.
The 18 identifiers that HIPAA recognizes as PHI include:
1) Names.
2) All geographical identifiers smaller than a state (except for the initial three digits of a ZIP code if, according to the current publicly available data from the U.S. Bureau of the Census, the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people).
3) Dates (other than year) directly related to an individual (such as Date of Birth)
4) Phone numbers.
5) Fax numbers.
6) Email addresses.
7) Social Security numbers.
8) Medical record numbers.
9) Health insurance beneficiary numbers.
10) Account numbers.
11) Certificate/license numbers.
12) Vehicle identifiers and serial numbers, including license plate numbers.
13) Device identifiers and serial numbers.
14) Web Uniform Resource Locators (URLs).
15) Internet Protocol (IP) address numbers.
16) Biometric identifiers, including finger and voice prints.
17) Full face photographic images and any comparable images.
18) Any other unique identifying number, characteristic, or code, except as permitted for re-identification purposes under HIPAA.
When PHI is electronically received, transferred, transmitted, saved or stored (e.g., emails, text messages, on a computer), it is referred to as ePHI (Electronic Protected Health Information). It is important to note that all HIPAA privacy rules also include this special (and now most common) class of PHI.
The list of 18 HIPAA identifiers seems quite comprehensive and yet, because it has not been updated in several years (first published in 1999), it may be due for some expansion and revision. In an age of social media, for instance, individuals may also be readily identified by such things as profile names, avatars, and aliases. When it comes to understanding what constitutes PHI, we must give some thought to whether the information can directly or even indirectly reveal the identity of the person in question if read by a third party.
Moving beyond HIPAA compliance, and as is emphasized by most ethical codes for mental health providers and researchers, a clinician has to be attentive to the fact that an individual may be indirectly identifiable by a number of factors that may appear in the clinical record but that are not obviously PHI. For instance, rare medical conditions (e.g., a rare genetic disorder), atypical affiliations (e.g., a member of a very uncommon religious group, or a specific social or cultural affiliation), or physical anomalies (e.g., particular body modifications) may all convey sufficient information to identify the person related to the health information being conveyed. As our technologies advance, we also need to be aware that we now possess powerful tools of digital analysis that allow for cross-referencing of information and synthesis of data that may also pose some unforeseen threats to the confidentiality of clinical information that is transmitted and stored digitally. This is all something we need to keep in mind when working with clinical information that we wish to publish, transmit, or store electronically.
De-Identified Health Information:
Let’s turn now to what is not considered to be PHI.
Non-identified health information, also known as de-identified health information, is information that has been stripped of all the aforementioned identifiers, including ideally those indirect identifiers noted above. This makes it impossible in principle to determine the identity of the individual to whom the information pertains. De-identified data are not considered PHI under HIPAA, which allows for their use in larger data sets for research or public health purposes provided that the process of de-identification aligns with HIPAA standards. Understanding the distinction between PHI and non-identified health information helps mental health professionals navigate the tension between patient confidentiality and the broader uses of health data such as for research and/or public policy investigations.
This discussion of what constitutes PHI and de-identified health information is particularly important for clinicians who are making use of modern digital technologies to communicate with their clients and fellow health professionals, and to document their clinical work. With the advent of technologies such as Artificial Intelligence, clinicians now have access to powerful tools to help them integrate, formulate, convey, and write about complex clinical information with relative ease and efficiency. Use of these digital tools, however, comes with the inherent responsibility to try to foresee any potential negative consequences, security issues, or infringements on clinical privacy and confidentiality.
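To make the identifier list concrete, here is an added example (not Note Designer code) that scrubs the pattern-shaped identifiers from a constructed note before it is sent to any external tool, applying the date and ZIP rules from items 2 and 3. The population table, the sample note and the function names are assumptions; the `000` replacement for small ZIP areas follows the HIPAA de-identification rule that the ZIP exception comes from.

```python
import re

# Constructed stand-in for Census data: population of each 3-digit ZIP area.
# Real use needs the current publicly available Census figures.
ZIP3_POPULATION = {"100": 1_500_000, "036": 14_000}

# Identifiers with a recognizable format. Order matters: URLs first, since a
# URL can contain an IP address or an e-mail-like string.
PATTERNS = [
    ("URL", re.compile(r"https?://\S+")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]
DATE = re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b")
ZIP = re.compile(r"\b(\d{3})\d{2}(?:-\d{4})?\b")


def _zip3(match):
    """Keep the first three ZIP digits only if that area has > 20,000 people."""
    zip3 = match.group(1)
    # Unknown areas are treated as small, so the function fails closed.
    return zip3 if ZIP3_POPULATION.get(zip3, 0) > 20_000 else "000"


def deidentify(text):
    """Replace format-based identifiers; generalize dates and ZIP codes."""
    for label, rx in PATTERNS:
        text = rx.sub(f"[{label}]", text)
    text = DATE.sub(lambda m: m.group(1), text)  # dates: keep the year only
    return ZIP.sub(_zip3, text)  # any other 5-digit number also becomes 000


# Constructed sample note; every value in it is made up.
NOTE = ("Jane Roe, DOB 03/14/1985, lives in 10027 (previously 03601). "
        "Contact: 212-555-0147, jane.roe@example.com, SSN 123-45-6789. "
        "Portal https://portal.example.org/u/8841 accessed from 192.0.2.44.")

if __name__ == "__main__":
    print(deidentify(NOTE))
```

The name "Jane Roe" survives, as would a rare diagnosis or an unusual affiliation: pattern matching only covers identifiers with a fixed shape, so names and the indirect identifiers discussed above still need human review.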
Note Designer’s Commitment:
With Note Designer’s entry into the age of AI integration, I look forward to working with you to ensure the highest standards of ethics and professionalism while providing the best possible mental health services to our clients and patients. Our plan is to always give the clinician the choice about whether and to what extent they wish to implement AI features while using our software. For those not interested in using AI, our Note Designer program will continue to help clinicians write their notes and reports using our professionally written statements that craft a coherent and well-organized narrative clinical record.
Happy Record Keeping 🔏
Patricia at Note Designer Inc.