Author:
mFax by Documo

What Personal Information is Protected Under HIPAA?

HIPAA, short for the Health Insurance Portability and Accountability Act, is a legal standard that was initially enacted in 1996 to protect the privacy and security of patients' health information. However, not all information is covered. Only protected health information (PHI), also sometimes referred to as personal health information, is protected under federal law.

Though HIPAA is considered the most important law that oversees the regulation of PHI in the US, it is intentionally vague in regards to not just what measures each healthcare facility or business associate must take to protect PHI, but also how it is defined. The law defines PHI as all data that relates to:

● A patient's past, present, or future health

● The provision of healthcare to patients

● A patient's payment for the healthcare that he or she receives

According to HIPAA, any data that falls into these three categories must be protected both while it is in transit via services like cloud fax for healthcare and while it's at rest. It's also worth noting that HIPAA covers not just healthcare facilities like hospitals and clinics but also any other organization that handles PHI. Whether you work for a long-term care facility or a payment processor that provides patient billing services, it's worth taking the time to familiarize yourself with how PHI is defined and what steps your organization must take to protect it.

HIPAA's Information Identifiers

In an effort to further clarify what should be considered PHI, HIPAA lists 18 information identifiers that indicate data that should be given a protected status when it is paired with health information. Some of the identifiers can be considered PHI on their own, while others must be combined with additional identifying information. The official list of information identifiers includes:

  1. Patients' names
  2. Home addresses
  3. Dates related to individual patients
  4. Phone numbers
  5. Fax machine numbers
  6. Email addresses
  7. Social Security numbers
  8. Patients' medical record numbers
  9. The beneficiary numbers for health plans
  10. Patients' account numbers
  11. Providers' certificate or license numbers
  12. Identifying information about vehicles
  13. Identifying information about devices
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers
  17. Photographs that contain identifying characteristics
  18. Other unique characteristics

Some of these forms of data, such as Social Security numbers or biometric identifiers, can be used to identify patients by themselves. Others must be combined with additional items to allow unauthorized persons to identify a patient. However, all of this data should be protected to ensure patients' privacy and data security.

Entities That Must Protect PHI

Covered entities are individuals or organizations that must follow HIPAA regulations, including the protection of PHI. Any person, business, or other organization that handles PHI is generally categorized as a covered entity and must follow both the security and privacy rules laid out in HIPAA.

Anyone could guess that both healthcare providers and insurers are covered entities. However, HIPAA's privacy and security rules also apply to all of these covered entities' business associates that handle PHI on their behalf. Examples of covered business associates can include health information exchanges, claims processing companies, hospital consultants, and even independent medical transcriptionists.

Any partner of a healthcare provider or insurer must sign a HIPAA business associate agreement. This agreement legally binds the partner to follow HIPAA's Privacy and Security Rules and makes them subject to HIPAA audits, which are usually conducted by the US Department of Health and Human Services. Any covered entity or business associate that is determined to have violated HIPAA regulations can face steep fines, so it's always best to err on the side of caution.

Allowable Disclosure of PHI

Allowable disclosures of PHI are defined in HIPAA's Privacy Rule. The Privacy Rule stipulates that PHI may be disclosed only to ensure a patient's health and safety or after a patient has given consent to share the information.

Patients are also free to release their PHI for research purposes or when changing to a different doctor or healthcare network. Patients can also informally agree or object to the disclosure of PHI to facility directories and members of the clergy, and for the notification of relatives and friends.

HIPAA also allows PHI to be disclosed without an individual's permission for 12 different reasons associated with the public good. A patient's PHI may be partially disclosed when:

  1. It's required by law.
  2. Authorized public health authorities need the information to prevent or control disease, injury, or disability.
  3. Government authorities need information about victims of domestic violence, abuse, or neglect.
  4. Health oversight agencies request the information for authorized purposes such as audits or investigations.
  5. It's in response to a court or administrative tribunal order, a subpoena, or another lawful process.
  6. It's required to enforce the law under certain circumstances.
  7. The patient dies and a funeral director, coroner, or medical examiner needs to identify the deceased.
  8. It's needed to facilitate cadaveric organ, eye, or tissue donation.
  9. Certain researchers request the information for authorized purposes.
  10. A serious threat to the health or safety of the patient or the public requires the disclosure of PHI.
  11. PHI must be released to facilitate essential government functions.
  12. Workers' compensation laws or other programs require the release of PHI.

In most cases, only limited forms of PHI can be disclosed without a patient's consent, even when one of the situations above applies. The Privacy Rule limits the use of PHI and its disclosure to the minimum necessary to meet any of the requirements listed above. It's rare for a patient's entire medical record to be disclosed for a specific purpose.

Incidental Disclosure of PHI

HIPAA acknowledges that it's not always possible to prevent incidental disclosure of PHI. If PHI is disclosed accidentally as a result of another permitted disclosure, it isn't considered non-compliant behavior on the part of a covered entity. For example, if a business associate attends a meeting in a doctor's office for an allowable disclosure of PHI and sees a person he or she recognizes waiting for care, that's considered an incidental disclosure, and neither the physician nor the business associate will face negative consequences.

It's still important for all of the employees working for covered entities to take care not to accidentally disclose PHI. The Security Rule requires the defense of PHI against reasonably anticipated threats. Information security officers need to implement not just technical safeguards for digitally transmitted or stored data, but also physical and administrative safeguards, which must include people-based approaches to security such as ongoing PHI awareness training.

Common Misconceptions About PHI

HIPAA was initially drafted in 1996 when most PHI was still stored and transmitted using paper documents. However, it still applies equally to digital data, which has created some misconceptions. It's common for business partners of healthcare providers to be confused about how they are supposed to handle PHI, for example. Even if a business partner handles only limited PHI, it's still responsible for following HIPAA's Privacy and Security Rules.

There are also some misconceptions regarding the Privacy and Security Rules. Many people assume that they always work together, so following one will automatically mean that the company is compliant with both. In fact, it's often the case that companies put security restrictions in place that fail to fully protect patient privacy. Failing to have all partners that handle PHI sign business associate agreements is the most common example.

Frequently Asked Questions About PHI and HIPAA Compliance

HIPAA's rules and regulations can be a bit complex, and its definition of PHI isn't exact. The lack of exact definitions and specific steps to take shouldn't be interpreted as an excuse for exercising leniency in the protection of PHI, though.

It's up to the security officers working for covered entities to get a good grasp on what PHI is, how it can be used appropriately, and how it should be protected to ensure HIPAA compliance, but all employees should receive training about how to handle PHI. Before starting employee training sessions, read on to find answers to some frequently asked questions that you'll almost certainly need to answer during the Q&A.

What's the Difference Between PHI and PII?

The difference between PHI and PII is that PHI (Protected Health Information) is used in a healthcare context, while PII (Personally Identifiable Information) is used outside of that context. The term Individually Identifiable Health Information (IIHI) is sometimes used to replace PHI, as well, since they mean the same thing.

Does PHI Have to Definitively Identify a Patient to Be Protected?

PHI does not have to definitively identify a patient to be protected. Any combination of identifiers is considered an example of PHI under HIPAA, even if that combination could apply to dozens of people.

Why Are Email Addresses Considered PHI Identifiers?

Email addresses are considered PHI identifiers even when they don't contain the patient's name because it's easy to look people up using their email addresses. Even if a reverse lookup tool doesn't provide an individual's name, chances are, an unauthorized party could still find out enough about the patient to determine who he or she is.

Protect Data in Transit and at Rest

Protecting data at rest is a task that can usually be handled in-house by your company's information security officer. However, HIPAA also requires all covered entities to take reasonable steps to prevent PHI losses and unauthorized access while data is in transit. The best way for you to protect PHI while it's in transit is to partner with a specialized company like mFax that already has advanced safeguards in place to ensure HIPAA compliance.

What Personal Information is Protected Under HIPAA?

12
June 29, 2022