Individually identifiable information collected ormaintained by a Covered Entity
- Can be oral or written
- Can be in any medium (electronic, printed, recorded)
- Includes simple demographic data
– just the fact that someone is your patient/plan member is PHI
- It’s still PHI if someone could reasonably figure out who the individual subject is.
- Sometimes a judgment call but best to be conservative
As per HIPAA guidelines following may receive PHI about an individual.
- The individual (must disclose)
- Anyone who has been authorized by the individual
- Anyone who is the individual’s Personal Representative
- Governed by state law but typically guardians, agents underPowers of Attorney, estate executors,
- Parent of an unemancipated minor EXCEPT if the minor has the ability to consent to the treatment (typically relates tomental health, substance abuse treatment and other sensitiveissues such as abortion and birth control.
- State law governs here. Know your state’s laws regardingPowers of Attorney, guardianships and executorships.
- Providers involved in the treatment of theindividual
- State and Federal agencies performing healthoversight activities (CE is permitted, but not required, to disclose unless state law requiresdisclosure).
- Other CEs when the disclosure is necessary tofacilitate Treatment, Payment or Health Care Operations