The Health Insurance Portability and Accountability Act (HIPAA) encompasses “protected health information,” which has come to be referred to by the acronym PHI. This term is defined as “individually identifiable health information.” That term in turn is defined as information that:
(1) Is created or received by a health care provider . . . and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Giving the name of a person as a patient of a physician's practice comes within this definition of “individually identifiable health information” and thus constitutes disclosure of PHI. There is no need to refer to the patient's condition or treatment in this regard. This self-evident meaning is underscored by reference to the provisions of the rule that allow use of “de-identified” health information without a patient's authorization. One of the elements that must be removed is the patient's name.
Excerpt from John Zen Jackson et al., The Confidentiality of a Patient’s Name and “Protected Health Information” Under HIPAA, Health Lawyers Weekly, vol. 3, no. 5 (Feb. 11, 2005).
The basic tenant of HIPAA’s privacy-related concerns is that PHI not be used or disclosed unless the disclosure is authorized by the patient or specifically permitted by HIPAA. Information that cannot identify the patient in any way is not covered by HIPAA restrictions.
HIPAA permits PHI to be used without patient consent for treatment, payment or healthcare operations. The basic standard of HIPAA, however, is that the use of PHI must be limited to the minimum amount necessary to accomplish the purpose of the disclosure. An exception to this “minimum necessary” standard is where the disclosure is made for treatment purposes. Therefore, if a Covered Entity is disclosing PHI to another provider involved in the patient’s treatment, or is making an internal disclosure for treatment purposes, then HIPAA permits full disclosure in the interest of the patient’s safety and care. If the Covered Entity is using the information internally for payment or operational purposes, or disclosing information to other for any reason other than treatment purposes, then care must be taken to release only the information that is necessary. This means that, even within an institutional healthcare provider, access to patient information should be limited to those having a need to know the information. Consistent with the training requirement of the Privacy Rules, a providers’ workforce therefore needs to be trained to limit the sharing of information between staff.
Release of information for any purpose other than treatment, payment, and healthcare operations, may be made only with the patient’s specific authorization unless otherwise permitted by HIPAA. The disclosures permitted by HIPAA are generally related to disclosures required by law (such as mandatory reporting to state agencies), to law enforcement in special circumstances, and for certain litigation purposes. Providers may not condition the provision of services on the execution of such an authorization. Susan O. Scheutzow, Patient Care, in FUNDAMENTALS OF HEALTH LAW 59, 78 (American Health Lawyers Association 5th ed., 2011).
Excerpt from Susan O. Scheutzow, Patient Care, in FUNDAMENTALS OF HEALTH LAW 59, 78 (American Health Lawyers Association 5th ed., 2011).