What Compromised Information Constitutes a HIPAA Breach?

What Compromised Information Constitutes a HIPAA Breach?

Q. The Code of Federal Regulations, specifically 45 CFR 160.103, defines protected health information (PHI). Is the following information PHI?

A practice sends a patient a letter that includes the patient's name and address, patient number, admission date, account balance, and the practice's name; alternatively, the practice sends a letter that includes the patient's name and date of birth, patient number, date of service, medical record number, and the hospital's name. If one of these letters is sent to someone other than the patient, is this considered a breach of PHI that requires patient notification?

A. Pursuant to 45 CFR 160.103, PHI is considered individually identifiable health information. A strict interpretation and an "on-the-face-of-it" reading would classify the patient's name alone as PHI if it is in any way associated with the practice. CFR states that PHI includes demographic information received by a healthcare provider and relating to the provision of healthcare. If the name of an individual is associated with practice and the practice-provided healthcare, it is demographic information and is considered PHI.

The additional information confirms that the content of the letter is PHI even though the letter does not specifically mention the health condition of the patient.

The regulation does not require a data set to include a certain number of identifiers to be considered PHI. It specifically states that if the information identifies an individual, it is PHI.

The information included in the two example letters is clearly PHI. Sending the letter to the wrong individual would be considered a breach of unsecured PHI. After conducting a risk assessment to determine whether sending the letter to the wrong individual will cause harm to the affected patient, the practice would be responsible for determining whether to notify the patient. The practice must document its actions regardless of whether the incident is a notifiable breach (45 CFR 164.400 164.414).