Clarity Venture's President and CEO discusses electronic protected health information, including what is and what isn't considered ePHI.

Part 4 of a 13-part series (Return to Part 3)

CHRIS: I think the other key highlights on the HIPAA Privacy Rule are getting into what the requirements are behind the Privacy Rules. One of the first things is to look at basically what information you need to protect. And I think if you just continue to scroll down on that page, you'll see it's essentially boiling down to this: PHI, or protected health information, is “individually identifiable health information.” And what is that? Well, “it's information, including demographic data, that relates to the individual's past, present, or future, physical or mental health condition, the provision of health care to the individual or past, present or future payment for the provision of health care.”
 
So we're basically talking about past, present, or future of mental health or physical conditions, as well as payments. And then any provision of health care. Those are sort of the three big things, and it continues to say “that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual associated with that data.” 
 
This is really implying the de-identification aspect of HIPAA data, which is really a nuance that we won't spend a lot of time on today. But the main point is, what are these pieces of data that are referred to as PHI? And if you have a good understanding of that, then you can really stop worrying about it and actually do something and know concretely, this is actually what I need to do. 
 
That's really our goal from this set of information, is for you to be able to take action on the right things and get to the source of truth as opposed to worrying about it. So Ron, any thoughts on these HIPAA PHI areas or maybe any examples that you might want to give or elaborate on here? 


RON: Yeah, thanks, Chris. That makes a lot of sense. I'm glad you read that, because this is the whole thing, right? It's past HIPAA-covered information, too, because a lot of times people have this misconception of, “I'm only taking their name, address. I don't have a lot of other information.” Now, if you're not trying—most people could go Google my name and they could find me or Chris up on YouTube, and find us on LinkedIn and Facebook and things like that, right? So our name is not considered [protected] information.

But if our name is tied to anything about a physical or mental condition about us, then that name could be used to identify the person they're talking to. So if we're talking about, if somebody goes, “Patient X has this condition, they're living at this address,” well then that address could be used. Even though the address as a standalone is not PHI information, it falls under the umbrella now of protected information because that address could be used to identify the individual they're talking about that medical case or that health condition. And this is where everybody falls down: the name, the address, the birth date, and Social Security number. 
 
One of the things Chris mentioned, he just barely mentioned de-identification data. But one of the things that you can do is think about clinical trials when you go to—we've got a number of different HIPAA compliant websites that we've built for people that have got FDA approval for medical devices, and then they've done clinical trials. And those clinical trials are published for everybody in the world to go see. 
 
But why can they do that when they see that 100 patients who had cancer and they were treated with this drug and 84 responded and the ones with the placebo, only 13 responded? Why can they do that? Well, the reason is because they've de-identified [anonymized] the information. They've either called them patient 1 through 100, or they haven't individually numbered them, and they've generically aggregated the information and said, “Out of 100 people within the study, 50 received the placebo, 50 received the drug. Of the 50 that received the drug, 47 were cured. Of the ones that fit the placebo, only 13 were cured.”

So now there is a measurable, you know, 3X capability to be healed using this drug. And that information is the helpful information that the people are mostly interested in. They don't really care who the people were that attended the clinical trials. So they took that information about the trial, which was about a hundred individual people that had this particular health condition, and they scrubbed the ID information from that, not the medical information, but the ePHI data. And that's what we call de-identification.  

So, Chris, any last thing on the privacy rule before we move on to the next rule? 

CHRIS: Yeah, I would say, in general, you're going to want to go through the actual nuances of what you're supposed to do with the Privacy Rule. Again, we have a detailed video that goes over that. Ron, you did a great job of hitting on several of the core concepts from a high level. The biggest thing that we want to say is it is not that hard to go through this summary of the rule and it really will help you to rest. 
 
We literally have a video linked where we highlighted everything and went through to walk you through step by step. So if you're interested in doing that with us, come along and join us and we'll walk you through it hand in hand, if you will. And with that said, Ron, yeah, I would love to move on next to the HIPAA Security Rule.

Continue to Part 5 to learn about the HIPAA Security Rule.