What is Protected Health Information (PHI)?
Personally identifiable information (PII) is frequently confused with individually identifiable health information. Some PII elements, such as personal names and Social Security numbers, appear in medical records, but on their own they are not health information. Protected health information (PHI) is the combination of the two: individually identifiable health information that a covered entity or its business associate creates, receives, maintains or transmits, and that relates to the patient's past, present or future physical or mental health condition; the provision of health care to the patient; or past, present or future payment for that care. Stripping the identifying elements from a record (see the de-identification standard below) is what takes it out of the PHI category.
HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards to protect patient medical records and other personal health information. The standards apply to health plans, health care clearinghouses, and health care providers who conduct certain transactions electronically. There are also required safeguards around the protection of personal health information as well as limits on the use of such information and disclosures. Patients are provided rights over their health information, including rights to examine and obtain a copy of their health records. The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.
PHI Use and Redistribution
PHI can be used by the provider for the individual patient's treatment, disclosed to other providers for the same purpose, or disclosed to health plans for payment. PHI may also be disclosed without the patient's authorization for a limited set of non-treatment purposes where the law requires or permits it, such as reporting to a public health or government authority, workers' compensation programs, or organ and tissue transplantation. These secondary disclosures are "as necessary"/"as needed" and must be limited to the minimum necessary PHI for the stated purpose.
The Rule prohibits selling PHI or using it for marketing unless the individual patient has given written authorization for that specific purpose, and the restriction follows the data: each party in the data chain needs an authorization that covers its own use.
De-Identified Health Information
The Privacy Rule places no restrictions on the use or disclosure of de-identified health information, because once it is de-identified it is no longer PHI. De-identified data neither identifies a patient nor provides a reasonable basis to identify one. The Rule recognises two ways to de-identify information: 1) expert determination, a formal review by a qualified statistician who documents that the re-identification risk is very small; or 2) safe harbor, the complete removal of the enumerated identifiers (of the patient and of relatives, employers and household members), including names, geographic subdivisions smaller than a state (with limited use of three-digit ZIP codes), all date elements other than the year, ages over 89, and contact, account, device and biometric identifiers, combined with no actual knowledge that the remaining data could identify the individual.
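The safe harbor method is mechanical enough to implement and test. The following is an added example, not code from the original page or from any HIPAA guidance: it applies the safe harbor transformations to a constructed claims record (direct identifier removal, date generalisation to year, three-digit ZIP truncation with the sparsely populated prefixes zeroed, ages over 89 aggregated) and then scans the surviving free text for identifier-shaped strings, which is the practical side of the "no actual knowledge" condition. The field names, the sample record and the choice of leak patterns are assumptions for the example; the restricted ZIP prefix set is the 2000-census list from HHS guidance and should be checked against current guidance before use.

```python
"""Safe-harbor de-identification of a healthcare claims record (added example)."""
import re

# Fields treated as direct identifiers. These names are assumptions for the
# example; map them onto whatever the real source schema uses.
DIRECT_IDENTIFIER_FIELDS = {
    "patient_name", "ssn", "mrn", "phone", "fax", "email", "street_address",
    "member_id", "account_number", "beneficiary_number", "certificate_number",
    "license_plate", "device_serial", "ip_address", "url", "biometric", "photo",
}

# Three-digit ZIP prefixes with 20,000 or fewer people in the 2000 census;
# HHS guidance requires these to be replaced with 000. Verify against the
# current HHS list before relying on this set.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Date-bearing fields in the assumed schema; safe harbor keeps only the year.
DATE_FIELDS = {"dob", "service_date", "admit_date", "discharge_date"}
ISO_DATE_RE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")

# Identifier-shaped strings that commonly leak through free-text fields.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def generalize_zip(zip_code):
    """Keep the first three digits of a 5- or 9-digit ZIP; zero restricted prefixes."""
    digits = re.sub(r"\D", "", str(zip_code))
    if len(digits) < 5:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_date(value):
    """Reduce an ISO date to its year; anything unparseable is dropped."""
    m = ISO_DATE_RE.match(str(value))
    return int(m.group(1)) if m else None


def generalize_age(age):
    """Ages 90 and above collapse into a single '90+' category."""
    return "90+" if int(age) >= 90 else int(age)


def deidentify(record):
    """Return a new dict with safe-harbor transformations applied."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                       # direct identifiers are dropped outright
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "age":
            out["age"] = generalize_age(value)
        elif key in DATE_FIELDS:
            out[key + "_year"] = generalize_date(value)
        else:
            out[key] = value               # clinical and billing codes pass through
    return out


def residual_identifiers(record):
    """List (field, pattern) pairs where a string value still looks identifying."""
    hits = []
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        for name, pat in LEAK_PATTERNS.items():
            if pat.search(value):
                hits.append((key, name))
    return hits


# Constructed sample claim; not real patient data.
SAMPLE_CLAIM = {
    "patient_name": "Jane Q. Example",
    "ssn": "123-45-6789",
    "mrn": "MRN-0098123",
    "dob": "1931-04-12",
    "age": 93,
    "zip": "03601",
    "service_date": "2024-02-17",
    "icd10": "E11.9",
    "cpt": "99213",
    "billed_amount": 185.00,
    "note": "Pt called back at 603-555-0142 re: refill",
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE_CLAIM)
    print(clean)
    # The note field still carries a phone number, so this record is NOT
    # de-identified until that text is removed or scrubbed.
    print("residual identifiers:", residual_identifiers(clean))
```

The residual scan is the part vendors most often skip: structured columns are easy to drop, but free-text notes, file names and comment fields carry phone numbers, dates and names that the safe harbor list equally forbids, and a record with any such hit must be held back or scrubbed before release.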
PHI and Healthcare Claims Datasets
Healthcare claims data is high on the alternative dataset list for investment funds. Third-party data vendors offer data on procedure, diagnosis and prescription volumes; payor claims data on millions of patients; CPT/HCPCS codes; average charges per claim for specific ICD-10 codes; and general landscape of facilities in need of equipment or supplies.
The process by which healthcare data is cleansed is a sophisticated one, outlined in the Privacy Rule's de-identification standard (45 CFR 164.514). Before redistributing healthcare data of any kind, a vendor must confirm that one of the two de-identification standards has been met, and document how, before sharing the data with third parties. On the investor side, even when data is confirmed to be de-identified, an additional cleansing pass is still needed before investment teams analyse it: checking for residual identifiers in free-text fields and ensuring the data is not linked with other datasets in a way that could re-identify individuals.