What is Considered “Protected Health Information”?


Descriptions of what is considered HIPAA-protected health information (PHI) have been around since the enactment of the Health Insurance Portability and Accountability Act in 1996. Congress did not enact specific privacy legislation after HIPAA was passed, so the Department of Health and Human Services (HHS) issued regulations such as the HIPAA Privacy Rule in 2002 and the HIPAA Security Rule in 2003.

The HIPAA Privacy and Security Rules are extremely broad rules that cover a lot of territory. Today we want to focus on the definition of protected health information and some new issues, specifically tracking technologies, for each health care provider, health plan, and their business associates.

The Definition of Protected Health Information

Protected health information is defined as “individually identifiable health information held or transmitted by a covered entity or its business associate in any form or media whether electronic, paper or oral.”

Of course, this definition rests on the definition of individually identifiable health information, or IIHI. The Privacy Rule defines IIHI as information, including demographic data, that relates to:

  • the individual’s past, present, or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

There are some exceptions to this definition of PHI. Protected health information does not include personal health information maintained in employment records by a covered entity in its capacity as an employer, nor certain education records as defined in the Family Educational Rights and Privacy Act (20 U.S.C. §1232g).


What is the Right of Access for Patients to their PHI?

In general, individuals have a right to review and obtain a copy of their PHI in a covered entity’s designated record set. This is the group of records maintained by or for a covered entity that is used to make decisions about individuals. The records can be medical records and billing records maintained by health care providers. They can also be health plan records of enrollment, claims payment, and claims adjudication.

A few types of records are exempt from this right of access, including psychotherapy notes, information compiled for legal proceedings, and clinical laboratory and research records.


How is Protected Health Information De-identified?

The first way personal health information can be de-identified is by removing all specified identifiers of the individual and of the individual’s relatives, household members, and employers. This method, referred to as the safe harbor method, requires the removal of a long list of identifying characteristics associated with the individual and/or family members. Some are quite common, others less so. They include:

  • Names
  • All geographical data smaller than a state
  • Dates (other than year) directly related to an individual
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers including license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • Internet protocol (IP) addresses
  • Biometric identifiers (e.g., retinal scans, fingerprints, etc.)
  • Full-face photos and comparable images
  • Any unique identifying number, characteristic, or code

It should be noted that the identifier has to be associated with the individual’s PHI, for instance by being contained in the individual’s designated record set, or otherwise matched to the individual in some way in the records of a covered entity or of a business associate acting on behalf of a covered entity. This includes records of the use of healthcare provider websites or other applications. A further qualification is that the covered entity or its business associate must have no actual knowledge that the remaining information could be used to identify the individual.
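As an added example (not code from the article or from HHS), the safe harbor list above can be applied mechanically to a structured record: drop every direct identifier, generalize dates to the year, keep geography only at the state level, and scrub identifier patterns out of free text. The field names and the sample record below are constructed for illustration and are not real patient data.

```python
"""Safe harbor style de-identification of a structured patient record.

Added illustration, not code from the original article. Field names and
the sample record are constructed; every value is fictitious.
"""
import re

# Constructed sample record (fictitious values).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1987-04-12",
    "admit_date": "2023-11-03",
    "zip": "02139",
    "state": "MA",
    "phone": "617-555-0134",
    "email": "jane.sample@example.com",
    "mrn": "MRN-00817722",
    "ip_address": "203.0.113.45",
    "diagnosis": "Type 2 diabetes",
    "notes": "Pt called from 617-555-0134 on 11/03/2023; portal login from 203.0.113.45.",
}

# Default-deny: a field survives only if it is listed in one of these sets.
# Names, ZIP codes, phone numbers, MRNs, IP addresses and any other unlisted
# field are dropped, which also covers the catch-all "any unique identifying
# number, characteristic, or code" at the end of the safe harbor list.
KEEP_AS_IS = {"state", "diagnosis"}          # state-level geography is allowed
GENERALIZE_TO_YEAR = {"dob", "admit_date"}   # dates other than year must go
SCRUB_FREE_TEXT = {"notes"}

# Identifier patterns that tend to leak into free-text fields.
_PATTERNS = [
    # "11/03/2023" or "2023-11-03" -> keep only the year
    (re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"), r"\1"),
    (re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"), r"\1"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
]


def year_only(value: str) -> str:
    """Generalize an ISO date (YYYY-MM-DD) to its year; reject anything else
    rather than silently passing an unrecognized value through."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", value)
    if not m:
        raise ValueError(f"unrecognized date format: {value!r}")
    return m.group(1)


def scrub_text(text: str) -> str:
    """Replace dates, IP addresses, phone numbers and e-mail addresses in
    free text. Order matters: IPs are replaced before the phone pattern runs."""
    for pattern, repl in _PATTERNS:
        text = pattern.sub(repl, text)
    return text


def deidentify_record(record: dict) -> dict:
    """Return a new record containing only safe harbor permissible fields."""
    out = {}
    for field, value in record.items():
        if field in KEEP_AS_IS:
            out[field] = value
        elif field in GENERALIZE_TO_YEAR:
            out[field] = year_only(value)
        elif field in SCRUB_FREE_TEXT:
            out[field] = scrub_text(value)
        # every other field is treated as a direct identifier and dropped
    return out


def residual_identifiers(record: dict) -> list:
    """Sanity check: list fields whose value still matches an identifier
    pattern. An empty result is necessary, not sufficient: the "no actual
    knowledge" qualification in the rule is a human judgement, not a regex."""
    hits = []
    for field, value in record.items():
        if isinstance(value, str) and any(p.search(value) for p, _ in _PATTERNS):
            hits.append(field)
    return hits


if __name__ == "__main__":
    cleaned = deidentify_record(SAMPLE_RECORD)
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned))
```

The allowlist is the important design choice: a denylist of known identifier fields would let a new column (a device serial, a beneficiary number) slip through unnoticed, whereas default-deny forces someone to consciously decide that each retained field is permissible.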

The second way to de-identify PHI is via a determination by a qualified statistician. The statistician must decide that the risk is minimal that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information. The statistician must also document his or her methods and analysis. The Office for Civil Rights (OCR) of the Health and Human Services Department provides guidance on this method, which is good since it is subject to critique by OCR in the event there is an unauthorized disclosure.


HIPAA Rules and Tracking Technologies

OCR has just updated its guidance on the privacy of protected health information and online tracking technologies. OCR originally came out with this guidance in December 2022. It issued a revision to the guidance on March 18, 2024.

Just what are tracking technologies, anyway? These are methods used to collect information from us as we use applications on our cell phones and look at websites. Covered entities like healthcare providers and health plans typically engage some type of technology vendor to analyze the information – website visits, requests for information on economic and clinical health topics, and so much more – that individuals enter when querying an application on a phone or website. In many cases, the information being gathered by, and exposed to, a third-party health information technology vendor is protected health information, according to OCR.

OCR acknowledges there are benefits to the use of tracking technologies by covered entities. The point of employing tracking technologies is to perform analytical studies on users’ information. These studies may help healthcare providers identify trends in patient preferences or needs for specific healthcare services in the local area. But OCR is also concerned about issues such as misinformation and identity theft. Health data from patients also cannot be used in marketing efforts without authorization. OCR is further concerned about disclosure of PHI to the technology vendor that is not in compliance with HIPAA regulations.


What is Considered Protected Health Information Related to Online Tracking Technologies?

The first test is whether a third-party technology vendor is receiving individually identifiable health information. At the very least, a tracking application may capture the user’s IP address or specific geographic location, both of which are identifiers on the list above.

OCR maintains that a user need not have an existing relationship with a covered entity. Simply connecting a user’s IP address to a user’s past, present, or future health, healthcare, or payment for healthcare is enough to make the data collected PHI.


What About Tracking on User-authenticated Web Pages?

Requirements under the Privacy Rule are a little higher when tracking involves individuals who log in to a covered entity’s portal or similar application. In these cases, individuals are more likely to provide or create protected health information. This could include listing medications, making appointments with a specific healthcare provider, or accessing health information related to their specific diagnoses or conditions.

When this type of electronic protected health information is shared with a third-party technology vendor, healthcare organizations must ensure they comply with both the HIPAA Privacy and Security Rules. This means, among other things, that the covered entity must have a business associate agreement with the third-party technology vendor in order to share protected health information with it.


Tracking on Unauthenticated Webpages

At least some of the time, the information accessed or other actions taken by users would not be considered protected health information. OCR gives users inquiring about employment opportunities, or students doing research for term papers, as examples of inquiries that do not result in PHI being generated. This is true even if the tracking technology is recording geographic location and IP addresses.

On the other hand, if a user is seeking medical information related to their current physical or mental health services or conditions, that inquiry or action may constitute PHI.

Of course, this distinction seems to require healthcare providers and health insurance companies to divine the motivations of individuals accessing and using websites and mobile applications.


Tracking on Mobile Applications

OCR’s guidance for a HIPAA-covered entity offering applications for users to submit or track their health data is similar to the guidance related to webpages. To the extent that a third-party technology vendor has access to the patient data entered by users into an application offered by a HIPAA-covered entity, the information is PHI.

But when a user voluntarily enters personal healthcare data into an application that is not offered by a covered entity, the information is not PHI.


What are the Next Steps for Covered Entities Concerning Technology Trackers?

At the end of this latest guidance, OCR notes it is prioritizing HIPAA compliance with the Security Rule whenever it investigates the use of tracking technologies. Given this orientation, here are some steps covered entities should evaluate.

  • Make sure the PHI disclosed to the technology vendor meets the Minimum Necessary Standard, and that the vendor is not engaging in unauthorized marketing based on the data it receives from tracking the use of your website or mobile applications.
  • Implement a business associate agreement with your tracking technology vendor.
  • Make a note of the use of a technology tracking vendor in your Notice of Privacy Practices. OCR notes that cookie notifications are not valid HIPAA authorization.
  • Incorporate an evaluation of the use of tracking technologies into your HIPAA Security Rule Risk Analysis and Risk Management process. Make sure your technology vendor’s administrative safeguards, technical safeguards, and physical safeguards address the security of the PHI they are creating or maintaining on your behalf.
  • Ensure your breach notification policies apply to unauthorized disclosures related to a third-party tracking technology vendor.
  • And always remember when the OCR comes to audit based on a complaint, they look at your Privacy Rule and Security Rule policies and practices from top to bottom, not just the part of the rules that caused them to come for a visit!

HHS is being sued by the American Hospital Association (AHA) and others over this guidance. The AHA lawsuit contends that HHS is exceeding its statutory and constitutional authority and violating the requirements for rule-making, and that the guidance is inconsistent with the way HHS uses tracking technologies on its own web pages. Each covered entity should evaluate its use of tracking technologies while staying tuned to the legal cases growing out of this effort by OCR to enforce HIPAA regulations.

Jim Hook, MPH

Mr. James D. Hook has over 30 years of healthcare executive management and consulting experience in medical groups, hospitals, IPAs, MSOs, and other healthcare organizations.