Monday, July 10, 2023

PHI and Rights

Protected health information is data about a person and the healthcare they receive. It should be kept private from other people unless the Privacy Rule allows them to see it or the person agrees to share it. 


PHI includes individually identifiable health information created or received by a covered entity (CE). It is personal data that is spoken, written, or in electronic form.  


Individually identifiable health information relates to any of the following:


  • A person's past, present, or future physical or mental health or condition
  • Any healthcare given to a person
  • The past, present, or future payment for healthcare given to a person


  1. Provide an NPP (Notice of Privacy Practices) the first time the CE provides a service to an individual. If the service is not in person, provide the NPP electronically.
  2. Have the individual respond in writing that they received the NPP.
  3. Post the NPP in an easily seen area and provide a copy when asked. Provide it in different languages as needed.
  4. Update the NPP when the law or policies change. Make updates available to all individuals receiving care.


The Privacy Rule explains how to follow the law when using, sharing, and protecting PHI. 

There are only certain circumstances when a mental health professional is allowed to share a person's mental healthcare notes without the person giving their approval.

An individual has the right to decide if they want to be in the facility directory. If they decide not to be in the directory, then no one can give out their data.

A mental health professional documents mental healthcare notes during a counseling session. The notes are for the professional's personal use. They are not used for any other purpose.

Information in a person's medical record includes their diagnosis, symptoms, treatment plan, etc. This information can be shared according to the Privacy Rule.


There are times when CEs can use and disclose PHI without permission from the individual: 

The minimum necessary standard 

The Privacy Rule includes the minimum necessary standard. This standard says that a CE has to do its best to use, disclose, and request only the minimum amount of PHI to meet the purpose of the use, disclosure, or request. 

CEs have policies and procedures in place to limit uses and disclosures to the minimum necessary. Healthcare staff should refer to their policies and procedures for guidance before sharing data.

Access to PHI is restricted based on a person's job within their organization. Healthcare workers should only access the PHI they need to do their job.

Healthcare staff should share only the minimum necessary data. If anyone has a question about it, they should speak to their manager or the privacy officer.


Reasonable reliance

All CEs have to follow the minimum necessary standard. Because of this, it would make sense that a CE (e.g., a lawyer who is a business associate) would know to only ask for the minimum necessary data. However, they may simplify a request by asking for an entire medical record instead of just the parts they need. 

It is good practice to ask them if they need certain identifiers in the data they request. These include data like dates of birth or Social Security numbers. If they do not need them, they should be removed. This will help meet the minimum necessary requirement. This will also ensure both CEs are in compliance.

De-Identification of PHI

Healthcare data is studied and compared to help improve healthcare and outcomes. To do this, data about people from many healthcare organizations may be collected and analyzed. The de-identification standard tells organizations which data should be removed from PHI. This helps protect each person's privacy during this process.

There are two ways that a person's identifying data can be removed:

  • A qualified expert, such as a scientist, determines that the data is free of identifying information.
  • The safe harbor method is used, which is the removal of a list of data that might identify a person.
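One way to apply the safe harbor method described above, and to strip the identifiers (dates of birth, Social Security numbers) that the reasonable reliance section says a requester may not need: an added Python example, not part of the original page, run over a constructed sample record. The date, age and ZIP handling follows HIPAA's safe harbor rule; the field names and the `residual_identifier_hits` check are assumptions of this example.

```python
import re
from datetime import date

# Safe harbor identifier categories handled here. HIPAA's safe harbor list
# (45 CFR 164.514(b)(2)) has 18 categories; this example covers the ones in
# the sample record and applies the date, age and ZIP rules.
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email", "street"}

# Constructed sample record; not a real person.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "ssn": "123-45-6789", "mrn": "MRN-0099123",
    "phone": "555-0100", "email": "jane@example.com", "street": "12 Example Lane",
    "zip": "02139", "dob": "1930-04-17", "admit_date": "2023-06-02",
    "diagnosis": "Type 2 diabetes",
}

def safe_harbor_deidentify(record: dict, today: date = date(2023, 7, 10)) -> dict:
    """Return a copy of record with safe harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # direct identifiers are dropped entirely
        if key == "zip":
            # Only the first three ZIP digits may stay (and they become "000"
            # when that area has 20,000 or fewer people; that lookup is omitted).
            out["zip3"] = value[:3]
        elif key == "dob":
            born = date.fromisoformat(value)
            age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
            if age > 89:
                out["age"] = "90+"  # ages over 89 are aggregated; birth year is dropped
            else:
                out["birth_year"] = value[:4]  # the year alone is allowed
        elif key.endswith("_date"):
            out[key[:-5] + "_year"] = value[:4]  # all other dates keep only the year
        else:
            out[key] = value
    return out

def residual_identifier_hits(record: dict) -> list:
    """Flag string values that still look like an SSN, phone number, or email."""
    patterns = {
        "ssn": r"\b\d{3}-\d{2}-\d{4}\b",
        "phone": r"\b\d{3}-\d{4}\b",
        "email": r"[\w.+-]+@[\w-]+\.[\w.]+",
    }
    return [(key, label) for key, value in record.items() if isinstance(value, str)
            for label, pat in patterns.items() if re.search(pat, value)]
```

Running `residual_identifier_hits` over the output is a cheap last check before a record leaves the organization, but it only catches the patterns listed and is not a substitute for the full safe harbor review.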
Extreme risk protection orders

An extreme risk protection order (ERPO) is a court order that stops a person who can cause harm from getting guns. This person might put themselves or others in danger.

Police, family members of the individual, and healthcare providers might need PHI to ask a court for an ERPO.

Here are some examples of when a healthcare provider would be allowed to share PHI for an ERPO:

  • A CE gets a court order asking for PHI to support an ERPO. The CE can only share the PHI approved by the court order.

  • A person wants an ERPO because their spouse talked about shooting them with a gun. Their spouse has been getting mental healthcare. The Privacy Rule allows the therapist to share the minimum necessary PHI to support the ERPO.

A CE can provide PHI for an ERPO application in response to the following:

Breaches

A breach is when someone gets, looks at, or shares PHI with others against HIPAA rules. Breaches harm the security or privacy of PHI. Examples of breaches include the following:

  • A healthcare worker's car was broken into while they were in a store, and their work laptop was stolen.
  • A healthcare worker talks about a person in their care while in front of other people in their care.
  • A healthcare worker faxes parts of a medical record to the wrong number.

The Privacy Rule also requires each CE to have the following in place:

  • A set of rules to run a business, called policies and procedures
  • A policy that makes sure a CE does not discipline someone who makes a complaint
  • Instructions for making a complaint
  • A person who makes sure people follow the Privacy Rule
  • Training for the staff
  • An explanation of what to do when someone does not follow the rules
  • A way to deal with anything bad that happens from sharing PHI
  • Ways to keep data safe

When a breach occurs, a facility determines if it puts a person at risk or not. These three exceptions to the definition of breach help organizations figure this out:

  1. When a staff member or someone working for a covered entity or business associate (BA) accidentally gets, sees, or uses PHI in good faith and within their authority
  2. When someone who is allowed access to PHI by a CE or BA accidentally discloses PHI to another person who also is allowed access by the CE or BA, as long as the PHI is not further used or disclosed against the Privacy Rule
  3. When PHI is disclosed to a person who is not allowed access, but the CE or BA believes in good faith that the person who received it would not be able to retain the information

An example:

A staff member receives and opens an internal email from a nurse containing an individual's PHI. The nurse sent this email to the staff member by mistake. The staffer realizes the email has been sent by mistake, deletes it, and tells the nurse sender.

In this situation, the privacy officer may say that the person whose PHI was breached does not need to be told. This is because the staff member:

  • Was allowed to access the PHI.
  • Recognized it was not meant for them to see.
  • Lessened the risk by deleting the message and telling the nurse who sent it.

Another example of sharing PHI for an ERPO:

A family member is worried because a person talked about taking a gun to work to shoot their boss. The therapist knows that the person has a gun and agrees that the person could cause harm. The therapist applies for an ERPO. The Privacy Rule allows the therapist to warn people right away about a threat.