
Healthcare Data Breaches: PHI beyond the Scope of HIPAA


January 20, 2016



To summarize the discussion in the blog series so far, PHI is individually identifiable health information that is held or transmitted by a Covered Entity or Business Associate. PHI can be in any form or medium (electronic, paper, or oral), can include demographic information, and can relate to an individual's past, present, or future physical or mental health or condition, the health care services the individual has received, or the payment status for those health care services.

Now, let's discuss which PHI falls outside the scope of the HIPAA/HITECH requirements.

Although the HIPAA/HITECH requirements apply only to Covered Entities and Business Associates, it's important to note that PHI may be redefined as personally identifiable information (PII), which applies to MANY different types of entities and to many different scenarios in which this information is used or disclosed for business purposes.

Excluded from the definition of PHI as stated above are education records (covered by the Family Educational Rights and Privacy Act), records described at 20 U.S.C. 1232g(a)(4)(B)(iv), and employment records held by a Covered Entity in its role as an employer.

PHI also ceases to be considered PHI, and is thus no longer protected under HIPAA, when certain elements are removed from this sensitive information. This is called de-identification of protected health information. There are two scenarios in which this occurs:


Medical Data Breaches: PHI beyond the Scope of HIPAA


January 20, 2016



As a quick summary of the discussions in the blog series so far, PHI is individually identifiable health information that is held or transmitted by a Covered Entity or Business Associate. PHI can be in any form or medium: electronic, paper, or oral, and it can include demographic information and relate to an individual's past, present, or future physical or mental health condition, the health care services received by an individual, or the payment status for those medical services.


Now, let's discuss which PHI falls outside the scope of the HIPAA / HITECH requirements.

Although the HIPAA / HITECH requirements apply only to Covered Entities and Business Associates, it is important to keep in mind that PHI may be redefined as personally identifiable information (PII), which applies to MANY types of entities and scenarios in which this information is used or disclosed for commercial purposes.
