Physician Learns A Hard PHI Lesson

Wednesday, April 20, 2011

Rebecca Herold


News broke this week about a physician in Rhode Island, at Westerly Hospital, who was sanctioned for posting protected health information (PHI) on her Facebook page:

The board found Alexandra Thran, of Westerly Hospital, guilty of unprofessional conduct after she recounted some of her emergency-room experiences on Facebook, according to a news release by the state Department of Health.

The board said she did not use the names of patients, and did not intend to disclose confidential information, but the nature of the injuries of one patient allowed an unauthorized third party to figure out who it was, the board ruled.

The panel said that Thran deleted her account as soon as she learned what had happened. The board issued a reprimand and told Thran to pay a $500 administrative fee.

What is important to point out about this case is that the doctor described the patient’s injuries in enough detail, and the injuries were so unusual, that an unauthorized third party (e.g., a member of the public) was able to identify the person Dr. Thran was describing, even though she did not include any of the 18 specifically-named PHI items. 

When considering PHI, most healthcare providers, healthcare insurers, and healthcare clearinghouses (collectively referred to as covered entities, or “CEs”), and now their business associates (“BAs”) as well, rightly focus on the following 19 information items listed within the HIPAA Privacy Rule (“genetic information” was added to the original list of 18 in 2009 as a result of actions related to the Genetic Information Nondiscrimination Act, or GINA). They are treated as PHI because they are the elements that must be removed from a health record for it to be considered “de-identified.” 

They include:

  1. Name
  2. Geographic subdivisions smaller than a state
  3. Dates (excluding year) directly related to the individual, including dates of:
    1. Birth
    2. Admission
    3. Discharge
    4. Death
    5. Ages over 89 (and any date elements indicating such an age)
  4. Telephone number
  5. Fax number
  6. E-mail address
  7. Social Security number
  8. Medical records numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. License and certificate numbers
  12. Vehicle identifiers (such as license plate number)
  13. Device identifiers (such as serial numbers)
  14. URLs (Uniform Resource Locators)
  15. Internet Protocol (IP) addresses
  16. Biometric identifiers (such as finger and voice prints)
  17. Full face photographic images (and any comparable images)
  18. Genetic information
  19. Other unique identifiers that can be attributed to a specific individual

Note #19!

Something to keep in mind is that PHI, in general terms, is “individually identifiable health information” that a CE or BA holds or transmits, and that term is defined within HIPAA as follows:

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

(i) That identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Taking the 18 specifically-named items, the catch-all #19 item, and the definition of “individually identifiable health information” together, deciding whether a given piece of information is PHI comes down to knowing:

1) the type of entity that created the information; and

2) if the information can be reasonably linked to a specific individual.

This second test is something few CEs and BAs consider.  Dr. Thran apparently did not stop to ask whether the details she posted to her Facebook page could be linked to a specific individual.  She has now learned the hard way that she needed to.

Many, and possibly most, CEs and BAs worry only about the 18 specific PHI items, but they also need to ensure their personnel understand that ANY health-related detail that can reasonably be linked to an individual should be treated as PHI, whether or not it contains one of the listed identifiers.  This case is a good example. 
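The linkability test above can be checked mechanically, and the check is worth separating from the identifier-stripping step. The script below is an added example, not code from the original post or from any covered entity: it applies the Safe Harbor transformations (drop the direct identifiers, keep only the year of dates, keep only the first three ZIP digits, collapse ages over 89) to a constructed set of emergency-room records, then measures how many records share each combination of the attributes that survive. A record whose combination is unique is still “individually identifiable” in the sense of clause (ii), even though none of the listed items remain. The field names, sample values and choice of quasi-identifiers are assumptions made for illustration and have nothing to do with the Westerly Hospital case.

```python
# Added example (not from the original post): Safe Harbor stripping is necessary
# but not sufficient; the attributes that remain must be checked for uniqueness.
# Field names, sample records and the quasi-identifier set are constructed here.
import re
from collections import Counter

# Constructed sample: emergency-room encounter records as a CE might hold them.
SAMPLE_RECORDS = [
    {"name": "Pat Smith", "dob": "1958-03-14", "zip": "02891", "mrn": "MRN-001",
     "phone": "401-555-0101", "admission": "2011-04-02",
     "age": 53, "sex": "F", "injury": "fractured wrist from fall"},
    {"name": "Lee Jones", "dob": "1960-07-01", "zip": "02891", "mrn": "MRN-002",
     "phone": "401-555-0102", "admission": "2011-04-05",
     "age": 51, "sex": "F", "injury": "fractured wrist from fall"},
    {"name": "Sam Brown", "dob": "1985-11-23", "zip": "02891", "mrn": "MRN-003",
     "phone": "401-555-0103", "admission": "2011-04-09",
     "age": 25, "sex": "F", "injury": "fractured wrist from fall"},
    {"name": "Chris Lee", "dob": "1919-02-02", "zip": "02891", "mrn": "MRN-004",
     "phone": "401-555-0104", "admission": "2011-04-11",
     "age": 92, "sex": "M", "injury": "lawnmower injury to left hand"},
]

# Direct identifiers that Safe Harbor requires to be removed outright
# (constructed field names standing in for the listed items).
DROP_FIELDS = {"name", "mrn", "phone", "email", "ssn", "street"}
DATE_FIELDS = {"dob", "admission", "discharge", "death"}


def safe_harbor_strip(record: dict) -> dict:
    """Apply the mechanical Safe Harbor transformations to one record:
    drop direct identifiers, keep only the year of dates, keep only the
    first three ZIP digits, and collapse ages over 89 into one bucket."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field in DATE_FIELDS:
            m = re.match(r"(\d{4})", str(value))
            out[field + "_year"] = m.group(1) if m else None
        elif field == "zip":
            # Safe Harbor also requires "000" when the 3-digit area holds fewer
            # than 20,000 people; census data is out of scope, so only truncate.
            out["zip3"] = str(value)[:3]
        elif field == "age":
            out["age"] = "90+" if int(value) > 89 else int(value)
        else:
            out[field] = value
    return out


def equivalence_classes(records, quasi_identifiers):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r.get(q) for q in quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers):
    """Smallest class size. k == 1 means at least one record is singled out."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0


def reidentifiable(records, quasi_identifiers, k=2):
    """Return (index, record) for each record whose combination of
    quasi-identifier values is shared by fewer than k records."""
    classes = equivalence_classes(records, quasi_identifiers)
    return [(i, r) for i, r in enumerate(records)
            if classes[tuple(r.get(q) for q in quasi_identifiers)] < k]


# Attributes that survive stripping and that an outsider could plausibly know.
QUASI_IDENTIFIERS = ("sex", "zip3", "injury")


def run_check(raw_records=SAMPLE_RECORDS, quasi_identifiers=QUASI_IDENTIFIERS, k=2):
    """Strip the listed identifiers, then flag what still singles someone out."""
    stripped = [safe_harbor_strip(r) for r in raw_records]
    return stripped, reidentifiable(stripped, quasi_identifiers, k)


if __name__ == "__main__":
    stripped, flagged = run_check()
    print("k-anonymity after Safe Harbor stripping:", k_anonymity(stripped, QUASI_IDENTIFIERS))
    for i, rec in flagged:
        print(f"record {i} passes Safe Harbor but is still unique: {rec}")
```

On the constructed data, the three fractured-wrist records form a class of size 3 and would not be flagged, while the lawnmower injury is unique in the population even with the name, record number, phone number, date of birth and full ZIP code removed; that record is exactly the kind of “other unique identifier” item #19 is about. In practice the quasi-identifier set should include every surviving attribute an outsider might know, and the threshold k should be set by the privacy officer rather than left at 2.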

It also points out the importance of having good policies, backed by training, that cover posting information online in general and on social media sites in particular.

Cross-posted from Privacy Professor

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.