FAQ: HIPAA, PHI, and PII
What Type of Information is Considered PHI?
Protected health information (PHI) is individually identifiable health information that a covered entity or its business associates create, receive, store, or transmit in any form: paper, electronic, or spoken. Health information is identifiable when it is linked to any of the following identifiers:
Names
Dates directly related to an individual (birth, admission, discharge, death), except year; ages over 89
Telephone numbers
Geographic data smaller than a state, such as a street address, city, county, or ZIP code
Fax numbers
Social Security numbers
Email addresses
Medical record numbers
Account numbers
Health plan beneficiary numbers
Certificate/license numbers
Vehicle identifiers and serial numbers, including license plates
Web URLs
Device identifiers and serial numbers
Internet protocol (IP) addresses
Full-face photos and comparable images
Biometric identifiers (e.g. retinal scan, fingerprints, voiceprints)
Any other unique identifying number, characteristic, or code
Documents such as medical bills and billing statements that combine any of these identifiers with health or payment information are PHI as well.
What is Considered a Misuse of PHI?
Storing records containing PHI on unsecured systems or data platforms
Data breaches caused by telehealth or EHR vendors
Stolen or lost devices containing PHI, including USB drives, hard drives, laptops, or phones
Data breaches involving malware, phishing, or ransomware
Disposing of documents and files containing PHI in a way that allows for unauthorized future retrievals or misuse, such as leaving a document containing PHI in a trash can or improper disposal of a hard drive containing PHI
Lack of HIPAA training for employees who come into contact with PHI
Sending PHI to the wrong patient or address
Misusing social media
Is Some PHI More Protected Than Others?
Yes. Psychotherapy notes receive extra protection under HIPAA itself, and records of mental health treatment, substance use disorder treatment, and certain conditions such as HIV/AIDS are often covered by additional federal or state rules. Releasing these records generally requires a specific written authorization beyond what ordinary PHI needs.
What is a HIPAA Violation?
Any use or disclosure of PHI that HIPAA does not permit, and any failure to safeguard PHI as HIPAA requires, is a HIPAA violation. Violations can result in fines and other penalties against the business or provider where the violation took place.
Why are HIPAA Violations a Big Deal?
HIPAA breaches and violations create mistrust and can ruin a business's reputation. Government fines for violations can be substantial, and the amounts scale with the severity and duration of the violation.
What if I Just Didn’t Know?
HIPAA is a federal law enforced by the U.S. Department of Health and Human Services Office for Civil Rights, which can levy fines for HIPAA violations. "I didn't know" will not protect anyone against this consequence. If you are ever even slightly unsure whether a piece of information or a document is PHI, or whether an action or process is permissible under HIPAA regulations, ask before you do anything.
How Could I be Violating HIPAA Regulations?
Emailing any patient data outside of company email
Talking about patients using identifiable information outside of the work environment
Using social media to discuss any patient interactions
Storing patient names and phone numbers in your phone
Posting pictures of patients without written permission
Leaving a patient's record open on your computer while treating another patient
Allowing vendors access to PHI without a signed Business Associate Agreement
Not protecting your electronic devices such as your phone with passwords
Not securing a USB drive with patient data on it
Emailing spreadsheets with patient identifiable information
Leaving patient data accessible on your computer or laptop
Sharing or not protecting your login and password
Leaving PHI unattended at a public health screening
Falling for phishing emails (clicking links, opening attachments, or entering your credentials) and causing a security breach
Throwing away paper with patient PHI on it (instead of shredding it)
Can I Talk About Patients With My Friends or Family?
No, you cannot discuss any information about a patient with anyone except another caregiver or co-worker who needs information to support patient care or billing.
Can I take a Selfie With a Patient?
No. It is unprofessional, and sharing or posting the image would reveal that the person is a patient, which is a HIPAA violation.
What if the Patient is a Friend?
If a patient is your friend and you have their consent, it is permissible to take a picture with them, as long as you do not share the picture publicly or otherwise reveal that your friend is a patient.
Have Additional Questions?
Contact Zeel via in-app chat with any questions about HIPAA compliance, patient privacy, or information handling, and we will be glad to help you.