
Healthcare Data Breaches: PHI beyond the Scope of HIPAA


January 20, 2016



To summarize the discussion in this blog series so far: PHI is individually identifiable health information that is held or transmitted by a Covered Entity or Business Associate. PHI can be in any form or medium (electronic, paper, or oral), can include demographic information, and relates to an individual's past, present, or future physical or mental health or condition, the health care services the individual has received, or the payment status for those services.

Now, let’s discuss what PHI falls outside the scope of the HIPAA/HITECH requirements.

Although the HIPAA/HITECH requirements apply only to Covered Entities and Business Associates, it is important to note that the same information may instead be classified as personally identifiable information (PII), a category that applies to MANY different types of entities and to many different scenarios in which the information is used or disclosed for business purposes.

Exclusions from the definition of PHI stated above are education records (covered by the Family Educational Rights and Privacy Act), records as described at 20 U.S.C. 1232g(a)(4)(B)(iv), and employment records held by a Covered Entity in its role as an employer.

PHI also ceases to be PHI, and is thus no longer protected under HIPAA, when certain elements are removed from the information. This is called de-identification of protected health information. There are two scenarios in which this occurs:

  1. A person with appropriate knowledge of, and experience with, generally accepted statistical and scientific principles and methods for rendering information not individually identifiable applies those methods and determines that the risk is very small that the information could be used, alone or in combination with other information, to identify an individual who is a subject of the information.
  2. The entity removes the 18 identifiers mentioned in an earlier blog. The entity may then assign a code or other means of record identification so that the information can later be re-identified. That code or other means of record identification must not be derived from information about the individual and must not be translatable so as to identify the individual (i.e., it must not itself enable re-identification by anyone other than the entity holding the key).

Apart from the exclusions listed above and the de-identification options, there are organizations that handle sensitive information which, on the surface, looks like PHI. Because these organizations do not meet the definition of a Covered Entity or Business Associate, however, the information they hold does not meet the definition of protected health information.

The information they work with may nonetheless still be sensitive, and thus fall under the scope of other requirements that apply to PII. Proper controls should be implemented to protect any sensitive information these organizations use or disclose.

In continuation of the blog series, our next blog post will be out the first week of February and will discuss where PHI is coming from and who the key players are under HIPAA/HITECH.

I will continue to post regularly until the HIMSS16 convention in Las Vegas that begins February 29th. I look forward to continuing to share my thoughts with the health care security and privacy community.

If you have any questions regarding the healthcare information requirements or would like a HIPAA or HITECH compliance audit quote, please contact us at




Maria Sanchez is a Privacy and Security Professional at CompliancePoint working with Covered Entities and Business Associates in a variety of industries. She is committed to guiding customers through effective assessments covering the Security, Privacy, and Breach Rules from HIPAA/HITECH. Maria has a B.A. in Political Science and Sociology from Georgia State University and a J.D. from Florida Coastal School of Law. As an attorney, Maria concentrated her studies in international and comparative law. As a Privacy and Security Professional, Maria has earned her Healthcare Information Security and Privacy Practitioner (HCISPP) certification and Certified Information Privacy Professional for the US and Europe (CIPP/US and CIPP/EU) certifications.




