


As a healthcare marketer, you understand the challenge of balancing marketing strategies with the sensitivity of Protected Health Information (PHI). With digital tools on the rise, the risk of exposing and mishandling PHI has grown significantly, putting you at a much greater risk of hefty fines, reputation damage, and losing patients’ trust. Less than ideal!
Violations like these usually happen by mistake rather than on purpose. It’s easy to mishandle a patient’s sensitive data if you’re not clear on what is and isn’t considered PHI under HIPAA. Plus, the line between PHI and non-PHI data can be pretty subtle. The better you understand it, the better you’ll be at avoiding HIPAA violations.
To avoid being fined for reasons like this, keep reading to remove any confusion about what counts as PHI.
To know what is not considered PHI under HIPAA, you must first know what PHI is.
Simply put, PHI is any personal health information that can be used to identify someone. It includes data like names, addresses, phone numbers, dates, or Social Security numbers.
But it’s not just about medical record data. PHI covers a wide range of identifiable details, including conversations about your symptoms and even digital pieces like IP addresses that can be linked back to you.
Under HIPAA, it’s important to keep PHI protected and secure to ensure your patients’ privacy and stay compliant.
Another critical step in understanding what’s not considered PHI under HIPAA is getting to know HIPAA identifiers. These are specific parts of information that can identify an individual and fall under HIPAA protection.
HIPAA identifiers include:
Now that you know what PHI is, let’s see what it isn’t.
There’s a lot of information that can be tied back to patients. However, not all health-related information counts as PHI. Here’s what’s typically not considered PHI under HIPAA:
Health information an employer holds in its role as an employer isn’t considered PHI.
This covers employment records, sick leave details, health insurance enrollment forms, and fitness-for-duty reports.
Records protected by the Family Educational Rights and Privacy Act (FERPA) aren’t considered PHI.
This includes health data in student education records, like immunization records or details about a student’s disabilities.
Data that has no identifiers linking it to a person is also not considered PHI under HIPAA.
For example, a dataset with names, addresses, and other identifying information removed can be used for research or analysis without breaking HIPAA rules. This is also one of the principles of a privacy-centric approach in healthcare marketing.
Information collected by consumer health apps that isn’t connected to a healthcare provider or health plan usually isn’t covered by HIPAA regulations.
For instance, a fitness tracking app that logs your steps but is not connected to your healthcare provider is typically not PHI.
Health information publicly available through sources such as news reports or public health disclosures isn’t PHI.
So, if a public health agency releases data on a disease outbreak without personal identifiers, it doesn’t count as PHI.
Health records that people keep themselves, without involving a covered entity like a healthcare provider or health plan, don’t fall under HIPAA.
A good example is a personal health record kept by a patient on their computer or in a notebook.
If you’re collecting and using health information exclusively for research purposes, especially when de-identified, it’s generally not considered PHI.
However, if research data can be linked back to a person, it might fall under HIPAA regulations.
If you discuss a patient’s cardiac issues by name with your coworkers at a local café, that is definitely a HIPAA violation. And even if you remove the name from medical records before sharing them, you could still face HIPAA fines, since those records contain other information that qualifies as PHI.
Misunderstanding what counts as PHI can lead to serious issues. Beyond risking patient privacy, misidentifying PHI can also expose you to hefty fines and damage your reputation. These fines can be significant and tough to deal with, sometimes reaching a few million dollars.
Knowing what is and isn’t considered PHI under HIPAA is especially important in digital analytics.
Google Analytics 4 (GA4) and Google Tag Manager (GTM) are irreplaceable digital tools for analyzing your patients’ behavior for marketing purposes, and they can capture PHI. Why is that a concern? Because it leads to a HIPAA violation. These tools aren’t HIPAA compliant by default, and Google isn’t eager to sign the Business Associate Agreement (BAA) to make it happen.
Misunderstanding what counts as PHI can lead to PHI being sent to these tools by accident. To stay compliant, it’s important to really grasp HIPAA regulations and set up these digital tools so they never capture or send PHI. But how?
To take the guesswork out of what is and isn’t PHI under HIPAA, try HIPALYTICS.
We ensure your GA4 and GTM can’t capture any PHI by anonymizing that data before it hits these tools and keeping it secure on private servers in the US. This way, GA4 and GTM become HIPAA-compliant tools, so you can enjoy valuable analytics without worrying about HIPAA violations.
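As an added example (this is not HIPALYTICS code, nor a GA4 or GTM feature), here is a small JavaScript filter of the kind that would sit between a web page and an analytics tag, or between a raw dataset and an analysis pipeline. It demonstrates the two points made on this page: a record with its identifiers removed, like the de-identified dataset described under "data that has no identifiers", and an analytics event scrubbed before it reaches GA4/GTM. The field names, regular expressions and sample values are constructed for illustration; they are not a complete list of HIPAA identifiers, and the patterns are heuristics, not a guarantee.

```javascript
// Added illustration: strip direct identifiers from data before it is stored
// for analysis or forwarded to an analytics tool such as GA4/GTM.
// Field names, patterns and sample values are constructed for this example;
// this is not a complete implementation of HIPAA de-identification.

// Keys that hold direct identifiers and are dropped entirely.
// (Constructed list; real field names vary from system to system.)
const IDENTIFIER_KEYS = new Set([
  'name', 'first_name', 'last_name', 'email', 'phone', 'ssn',
  'address', 'street', 'dob', 'date_of_birth', 'mrn', 'patient_id',
  'ip', 'client_ip', 'user_ip',
]);

// Identifier shapes that leak inside free text or URLs. Heuristic patterns:
// they catch common formats, not every variant.
const PATTERNS = [
  { label: 'EMAIL', re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { label: 'SSN',   re: /(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)/g },
  { label: 'PHONE', re: /(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)/g },
  { label: 'IPV4',  re: /(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)/g },
];

// Replace identifier-shaped substrings in free text with a labelled placeholder.
function redactText(text) {
  let out = text;
  for (const { label, re } of PATTERNS) {
    out = out.replace(re, `[${label}]`);
  }
  return out;
}

// Drop the query string and fragment from a URL: that is where forms and
// portals most often leak names, emails and record numbers into page_location.
// The path is kept but still passes through redactText.
function scrubUrl(urlString) {
  const u = new URL(urlString);
  u.search = '';
  u.hash = '';
  u.pathname = redactText(u.pathname);
  return u.toString();
}

// Recursively de-identify a value: remove identifier keys, scrub URL strings,
// redact identifier patterns inside other strings, pass everything else through.
function deidentify(value) {
  if (Array.isArray(value)) return value.map(deidentify);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (IDENTIFIER_KEYS.has(k.toLowerCase())) continue; // drop direct identifiers
      out[k] = deidentify(v);
    }
    return out;
  }
  if (typeof value === 'string') {
    if (/^https?:\/\//i.test(value)) return scrubUrl(value);
    return redactText(value);
  }
  return value; // numbers, booleans, null are unchanged
}

// Constructed sample: an analytics event as a tag might capture it from a
// patient-portal page before any filtering is applied.
const SAMPLE_EVENT = {
  event: 'form_submit',
  page_location: 'https://clinic.example/appointments?email=jane.doe@example.com&mrn=00123#confirm',
  client_ip: '203.0.113.42',
  params: {
    form_name: 'cardiology_intake',
    message: 'Call me at (555) 123-4567 about my results',
    patient_id: 'P-00123',
  },
};

// Constructed sample: one record from a dataset being prepared for analysis.
const SAMPLE_RECORD = {
  name: 'Jane Doe',
  dob: '1980-04-12',
  diagnosis_code: 'I25.10',
  visit_count: 3,
  notes: 'Follow-up email sent to jane.doe@example.com',
};

// What a GTM custom tag or a server-side pipeline would run on each item.
console.log(JSON.stringify(deidentify(SAMPLE_EVENT), null, 2));
console.log(JSON.stringify(deidentify(SAMPLE_RECORD), null, 2));
```

Two design choices are worth noting. The query string is dropped wholesale rather than allow-listing parameters, because the safe default for analytics is to lose a UTM tag rather than forward an email address. Pattern redaction is only a backstop for identifiers that appear in free text; the primary control is still to keep identifiers out of the fields the analytics tag can see in the first place, which is why the filter runs before the data reaches the tool rather than after.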
To keep our service liability-free for you, we sign the BAA and stay updated on the latest HIPAA and analytics news.
Don’t let the complexity of PHI hold you back from getting the most out of your marketing. We’re here to help with that.