Protected Health Information

All covered entities (which include medical records companies as well as physicians) need to understand exactly what Protected Health Information (PHI) is.

PHI is considered:

Individually identifiable health information held or transmitted by a covered entity or its business associate

This includes any health information (which extends to demographic data) that is related to:

Past, present or future physical or mental health condition

The provision of health care

Past, present or future payments for health care by the person

The Privacy Rule

The Privacy Rule contains national standards for the protection of individually identifiable health information. The rule, established in 2000, tries to make sure that individuals' information is appropriately protected. At the same time, it has to allow the proper flow of health information necessary to ensure high-quality health care and protect the well-being and health of the general public.

The rule requires privacy protection safeguards, sets limits on the uses of the information (if done without patient authorization) and implements patient rights concerning their health information.

The Privacy Rule and How it Affects PHI

There are three main situations in which PHI can be disclosed according to the Privacy Rule:

As the Privacy Rule allows

If it is authorized in writing by the individual

As part of an HHS compliance investigation, review or enforcement action

Permitted Use and Disclosure

The following are some ways PHI can be used without an individual’s authorization:

For treatment, payment and health care operations

Incident to an otherwise permitted use. This could happen if a hospital visitor overhears two doctors discussing an individual’s healthcare while they are deciding on treatment.

In the public interest, as required by court order, FDA, law enforcement or because of a legal issue

A limited data set is allowed for the purpose of research with a data use agreement

Covered Entities' Notice of Privacy Practice

Covered entities must provide notice of their privacy practices, to include: the permitted uses and disclosures of PHI; duties to protect privacy; a privacy practice notice; individuals' rights and a grievance process if those rights have been violated; and a point of contact for more information and to receive complaints.

The Notice of Privacy Practice must be distributed to each individual no later than the first service encounter. It needs to be finished a prompt subscriber and posted on the website of the covered entity.