TL;DR: PHI needs to be simplified through extensive lists of examples.
Under HIPAA, healthcare organizations have been fined over $30 million for abusing PHI. With so much at risk, you would think that there is a very clear definition of PHI. But there isn't.
Instead of creating a definition of PHI, the HIPAA rule writers created a decision framework (or guidelines) for PHI. Chess champions are confused by this PHI decision framework.
Suppose a patient left a Post-it note on the receptionist's desk. The note is intended for the doctor. If Kim wonders whether the Post-it note is PHI, she would have to work through the following decision framework for PHI. Buried in the Privacy Rule documentation, we find this framework:
Protected Health Information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."
“Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Are Kim and the staff at Memphis Family Medicine expected to memorize this decision tree? It gets worse. There is more stuff to memorize. There are 18 more nodes to the decision tree. To determine if something is "individually identifiable", Kim and her staff have to memorize 18 different rules covering things as varied as automobile license plates, zip codes, website addresses, and biometric identifiers.
But wait! There is STILL more. Buried in the Security Rule documentation, there are further decision frameworks and interpretation:
The Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information “electronic protected health information” (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.
Even though the first decision tree included the phrase "whether electronic, paper, or oral", this second, ePHI-specific decision tree adds rules for electronic PHI but not for "PHI transmitted orally or in writing."
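To make the two-layer framework concrete, here is an added example (my own code, not from the post or from ClinicNerds) that encodes the Privacy Rule's three health-information prongs, the "identifiable" test and the Security Rule's electronic-form subset as a small classifier, then runs the Post-it note and a few other constructed scenarios through it. The field names, the `Record` class and the identifier labels are my assumptions; the identifier list is only a subset of the 18 Safe Harbor identifiers and ignores that rule's exceptions.

```python
from dataclasses import dataclass, field

# The three prongs of "health information" in the Privacy Rule definition:
# condition (past/present/future health), care (provision of health care),
# payment (payment for that care). Labels are this example's own.
HEALTH_CATEGORIES = {"condition", "care", "payment"}

# A subset of the Safe Harbor identifier types. Labels are hypothetical;
# the post itself names license plates, zip codes, URLs and biometrics.
IDENTIFIERS = {
    "name", "zip_code", "dates", "phone", "fax", "email", "ssn",
    "medical_record_number", "license_plate", "url", "ip_address",
    "biometric", "full_face_photo",
}

VALID_FORMS = {"paper", "oral", "electronic"}


@dataclass
class Record:
    """One piece of information held by a covered entity (constructed model)."""
    relates_to: set                      # which HEALTH_CATEGORIES it concerns
    identifiers: set = field(default_factory=set)
    form: str = "paper"                  # "paper", "oral" or "electronic"
    reasonable_basis_to_identify: bool = False   # the "reasonable basis" prong
    held_by_covered_entity: bool = True          # or by its business associate

    def __post_init__(self):
        if self.form not in VALID_FORMS:
            raise ValueError(f"form must be one of {sorted(VALID_FORMS)}")


def is_health_information(rec):
    """Relates to condition, provision of care, or payment for care."""
    return bool(rec.relates_to & HEALTH_CATEGORIES)


def is_individually_identifiable(rec):
    """Carries a listed identifier, or there is a reasonable basis to re-identify."""
    return bool(rec.identifiers & IDENTIFIERS) or rec.reasonable_basis_to_identify


def is_phi(rec):
    """Privacy Rule: identifiable health information, in any form or medium."""
    return (rec.held_by_covered_entity
            and is_health_information(rec)
            and is_individually_identifiable(rec))


def is_ephi(rec):
    """Security Rule: the subset of PHI in electronic form only."""
    return is_phi(rec) and rec.form == "electronic"


def classify(rec):
    """Collapse the two rules into one label for the front-desk staff."""
    if is_ephi(rec):
        return "ePHI"
    if is_phi(rec):
        return "PHI"
    return "not PHI"


# Constructed scenarios (not real patient data).
POST_IT_NOTE = Record(relates_to={"care"}, identifiers={"name"}, form="paper")
FRONT_DESK_CONVERSATION = Record(relates_to={"condition"}, identifiers={"name"}, form="oral")
EHR_ENTRY = Record(relates_to={"condition", "payment"},
                   identifiers={"medical_record_number"}, form="electronic")
AGGREGATE_STATS = Record(relates_to={"condition"}, identifiers=set(), form="electronic")
STRIPPED_BUT_LINKABLE = Record(relates_to={"care"}, identifiers=set(),
                               form="paper", reasonable_basis_to_identify=True)

if __name__ == "__main__":
    for label, rec in [("Post-it note", POST_IT_NOTE),
                       ("front-desk conversation", FRONT_DESK_CONVERSATION),
                       ("EHR entry", EHR_ENTRY),
                       ("aggregate statistics", AGGREGATE_STATS),
                       ("stripped but linkable", STRIPPED_BUT_LINKABLE)]:
        print(f"{label}: {classify(rec)}")
```

The Post-it note and the conversation come out as PHI but not ePHI, which is exactly the distinction the two quoted passages draw: the Privacy Rule covers them, the Security Rule's safeguards do not. Note that the real Safe Harbor list has exceptions this toy ignores (for example a year alone, or the first three digits of a zip code under certain conditions), which is part of why the post argues the framework is too hard to hold in one's head.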
It is absolutely absurd to think that any small clinic can wade through these rules.
The HIPAA rule writers tried to create guidelines that are flexible and adaptable, but missed the mark.
Here are some suggestions for HHS for fixing this problem. Create lists of things that are PHI and are NOT PHI. Set up an email address where people can write in and ask if something is PHI.
In order to work around these confusing PHI rules, ClinicNerds invented the concept of PHI Hotspots. During the risk assessment, we work together with Kim to identify all of the people, places and things that contain PHI. If a person, place or thing has PHI, we work to establish policies and procedures for safeguarding that PHI Hotspot. Every small clinic has a couple dozen PHI Hotspots. It is not hard to remember the list of PHI Hotspots. Kim and the staff just have to remember "Oh, this is a PHI Hotspot, I need to remember to do x, y and z."
An example of a PHI Hotspot is the fax machine. "OK, I'm gonna send a fax. Since the fax machine is a PHI Hotspot, I have to remember to use a cover sheet, verify the fax number, and call to confirm they received the fax OK." PHI Hotspots are not perfect, but they are better than the chess-champion-baffling PHI decision frameworks.
October 11, 2017
By Bert Ryan