What is Protected Health Information (PHI)? A Look at HIPAA and Beyond
In our interconnected world, personal data like names, addresses, and phone numbers are constantly collected, making privacy and data protection essential for our autonomy. This extensive data collection is governed by privacy laws worldwide. However, few people realize that health information, including medical records, is part of the data being collected and processed.
Our health-related information, which tracks physical and mental health, underlying conditions, and genetic diseases, contains some of the most intimate details about a person's life.
In this article we discuss what health information is, how it should be protected, and which laws set out requirements for its handling.
Which Laws Protect Health-Related Information?
Under the General Data Protection Regulation (GDPR) and the laws modelled on it, health data is a "special category" of personal data (commonly called sensitive data). Such laws require a specific legal basis, usually explicit consent, and stronger security measures before the information can be collected or processed.
In the United States, the Health Insurance Portability and Accountability Act (HIPAA) is the best-known law protecting patients' health information, but it is far from the only one. Others include the Health Information Technology for Economic and Clinical Health Act (HITECH), the Genetic Information Nondiscrimination Act of 2008 (GINA), and state laws such as the Washington My Health My Data Act and Illinois' Biometric Information Privacy Act (BIPA), along with a number of rules and regulations limiting how health-related personal information can be collected, stored, processed and disposed of.
What is Health-Related Information?
The exact definition differs from one law to another. In general, however, 'health-related information' means any personal information about an individual's health or disability, and any information from which assumptions about health or disability can be drawn, even when the individual is not directly identified.
What is HIPAA?
HIPAA, the Health Insurance Portability and Accountability Act, is a landmark US law enacted in 1996. Its original focus was insurance portability and the standardisation of electronic health transactions; the rules issued under it, above all the Privacy Rule (compliance required from 2003) and the Security Rule (2005), established national standards for safeguarding patient data. Over the years it has evolved into a law that protects the health information of individuals, making it more than just a law about medical records going digital.
HIPAA applies to "covered entities": health care providers that transmit health information electronically (clinics, doctors, hospitals, pharmacies), health plans and insurers, and health care clearinghouses. It also binds their "business associates", the vendors that handle health information on their behalf. Together these rules require that your medical information be handled with defined privacy and security safeguards.
What Protections Does HIPAA Offer?
The core of HIPAA's protections is the Privacy Rule, which defines protected health information (PHI) and limits how covered entities may use or disclose it without your written authorization. The Security Rule complements it by requiring administrative, physical and technical safeguards for PHI held or transmitted electronically, and the Breach Notification Rule requires notice to affected individuals (and regulators) when unsecured PHI is compromised.
HIPAA also empowers you with control over your PHI. You have the right to:
- Access and obtain a copy of your medical records;
- Request a covered entity to electronically transmit your PHI to a third party;
- Dispute and request corrections to your PHI.
When Can PHI Be Shared?
Generally, health care providers and other institutions covered by HIPAA need your authorization to share your PHI. The main exceptions are uses and disclosures for treatment, payment and health care operations, and disclosures required by law.
This is just a brief overview. For a deeper dive into HIPAA and its comprehensive regulations, refer to our in-depth guide.
What Data is Protected Under HIPAA?
Protected Health Information (PHI) under HIPAA is "information that can identify an individual that is in possession of or transmitted by a 'covered entity' or its business associates that relates to a patient's past, present, or future health."
Examples of PHI include name, address, dates, phone number, email, Social Security number, medical records and references, and even an IP address, when stored along with information that can reveal a patient's health condition or information about prescribed treatment or medications.
For example, IP addresses and any other information about visitors collected by a covered entity's website advertising post-cancer treatments or rehabilitation programs would be considered Protected Health Information, because the visit itself reveals something about the visitor's health.
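What turns an IP address into PHI in the example above is its pairing with a health-related request. As an added example (not code from the original article or from Clym), the Python script below processes web-server access-log lines and, for requests to health-related paths, replaces the client IP with "-" and strips the query string, so the stored log never holds that combination. The path prefixes, the token for dropped lines and the sample log lines are constructed for illustration. Lines the parser cannot read are dropped rather than kept, because an unparsed line cannot be shown to be free of identifiers.

```python
"""Redact client IP addresses from web-server access logs for health-related
requests. Added example; the path prefixes and log lines are constructed."""
import re
from typing import Iterable

# Hypothetical path prefixes under which a site serves health-related content.
HEALTH_PATH_PREFIXES = ("/treatments/", "/rehab/", "/appointments/")

# Token written in place of a line that could not be parsed. Rather than keep
# an unknown line (which may contain an IP next to a health-related URL), we
# fail closed and drop its content.
REDACTED_UNPARSEABLE = "[unparsed line dropped]"

# Common Log Format: ip ident user [timestamp] "method target protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def is_health_request(target: str) -> bool:
    """True when the request path (query string ignored) is under a health prefix."""
    path = target.split("?", 1)[0]
    return path.startswith(HEALTH_PATH_PREFIXES)


def redact_line(line: str) -> str:
    """Return the log line with identifiers removed if it is a health-related request.

    For health-related requests the client IP is replaced by '-' and the query
    string (which may carry search terms or treatment details) is stripped.
    Other well-formed lines are returned unchanged; unparseable lines are dropped.
    """
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return REDACTED_UNPARSEABLE
    f = m.groupdict()
    if not is_health_request(f["target"]):
        return line.rstrip("\n")
    f["ip"] = "-"
    f["target"] = f["target"].split("?", 1)[0]
    return (f'{f["ip"]} {f["ident"]} {f["user"]} [{f["ts"]}] '
            f'"{f["method"]} {f["target"]} {f["proto"]}" {f["status"]} {f["size"]}')


def redact_log(lines: Iterable[str]) -> list[str]:
    """Apply redact_line to every line of a log."""
    return [redact_line(line) for line in lines]


# Constructed sample log (documentation IP ranges, fictional paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /treatments/post-cancer-rehab?plan=chemo HTTP/1.1" 200 5120',
    '198.51.100.23 - - [10/Mar/2024:12:00:02 +0000] "GET /about HTTP/1.1" 200 1024',
    'not a log line',
]

if __name__ == "__main__":
    for out in redact_log(SAMPLE_LOG):
        print(out)
```

This only keeps the IP-plus-health-page combination out of the server's own logs. It does nothing about what a third-party analytics or advertising script loaded on those pages receives directly from the visitor's browser; that has to be handled by not loading such trackers on health-related pages, or by putting the vendor under a business associate agreement.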
What is Not Protected?
Information that does not identify an individual, such as statistics and properly de-identified data, is not PHI. Also, HIPAA covers only health data held by covered entities and their business associates; health data collected by non-covered entities, including many applications and websites, is not afforded the same protection.
What is Valid Authorization Under HIPAA?
HIPAA uses two different terms for an individual's permission: "authorization", your documented permission for specific uses or disclosures of your health information, and "consent", which the Privacy Rule treats as optional for routine health care activities. It is important to understand the distinction.
Authorization vs. Consent under HIPAA
- Authorization: your written permission for a covered entity (such as your doctor) or its business associate to use or disclose your protected health information (PHI) for a specific purpose not otherwise permitted by the Privacy Rule, for example marketing or most disclosures to a third party. You are not obliged to sign an authorization and, as a rule, treatment cannot be denied for refusing to do so.
- Consent: HIPAA uses "consent" for the routine activities of treatment, payment and health care operations (billing, quality improvement). The Privacy Rule permits these uses without any signed permission; a provider may choose to obtain your consent for them, but is not required to, so you typically do not sign a separate consent form.
What Should a Valid HIPAA Authorization Include?
A valid HIPAA authorization must clearly state:
- The types of information being shared: which parts of your medical record are being disclosed;
- Who may disclose and who will receive your information: the specific person or organization your PHI is being shared with;
- The purpose of the use or disclosure;
- When the authorization expires: a specific date or a defined event (e.g., completion of treatment);
- Your right to revoke the authorization: you may withdraw your permission at any time, and the form must explain how to do so and note that disclosures already made cannot be undone;
- Your signature and the date.
It must also be written in plain language, and it should carry the individual's name or a unique ID so that the information can be linked to the authorization form.
Beyond HIPAA: The Washington My Health My Data Act
As noted above, HIPAA covers only health data held by covered entities and their business associates. Health information collected by fitness trackers, applications, websites and surveys run by any other organization is therefore not protected by HIPAA.
The Washington My Health My Data Act (MHMDA), which came into effect on March 31, 2024, is an example of a state law that covers health information falling outside HIPAA.
The MHMDA casts a wide net when it comes to protecting your health information. Here's what it considers "consumer health data":
- Health conditions, treatment, diseases, or diagnosis;
- Social, psychological, behavioral, and medical interventions;
- Health-related surgeries and procedures;
- Use or purchase of prescribed medications;
- Bodily functions and symptoms;
- Diagnosis or testing and treatment;
- Gender-affirming care information;
- Reproductive or sexual health information;
- Biometric and genetic data;
- Precise location and any other information identifying a consumer seeking health care services.
The Washington My Health My Data Act applies to every entity that conducts business in Washington or produces or provides products or services targeted to Washington consumers, including "small businesses".
According to the text of the law, a small business is one that either
- collects, processes, sells or shares the consumer health data of fewer than 100,000 consumers in a calendar year; or
- collects the consumer health data of fewer than 25,000 consumers and derives less than 50% of its gross revenue from that data.
If you are a business operating in Washington and you deal with consumer health data, keep these rules in mind:
- Regulated entities had to comply from March 31, 2024. Small businesses (fewer than 100,000 consumers' data in a year, or fewer than 25,000 consumers' data and less than 50% of revenue from that data) had until June 30, 2024.
- To meet the MHMDA requirements, you need to:
- Publish a consumer health data privacy policy that meets the MHMDA's content requirements;
- Obtain the consumer's explicit consent before collecting their consumer health data;
- Obtain a separate consent before sharing that data with third parties, and a signed valid authorization (see below) before selling it;
- Not use geofencing around facilities that provide in-person health care services to identify or track consumers, collect their health data, or send them health-related notifications or advertising;
- Set up a process to handle consumer requests to access or delete their data or to withdraw consent;
- Bind any processors you work with by contract, limiting how they may use and share the data.
PHI protected by HIPAA, as well as medical records governed by the Washington health care laws, are exempt from MHMDA, along with
- publicly available information,
- anonymized information,
- information covered by
- the Gramm-Leach-Bliley Act (GLBA),
- the Family Educational Rights and Privacy Act (FERPA),
- the Fair Credit Reporting Act (FCRA),
- the Social Security Act, and
- Washington state insurance rules.
What is Valid Authorization Under the My Health My Data Act?
Under the Washington My Health My Data Act, a regulated entity must obtain a valid authorization from the consumer before selling their consumer health data (sharing without sale requires consent, as described above). The authorization must be written in plain language and include the following details:
- Specific consumer health data being sold;
- Name and contact information of the entity selling the information;
- Name and contact information of entity(ies) purchasing the information;
- Description of the purpose of the sale;
- A statement that the provision of goods or services may not be conditioned on the consumer signing the valid authorization;
- A statement that the consumer has the right to revoke the valid authorization at any time, along with a description of how to submit a revocation of the valid authorization;
- A statement that the consumer health data sold under the valid authorization may be subject to redisclosure by the purchaser and may no longer be protected;
- An expiration date for the valid authorization, which is one year from when the consumer signs it;
- The consumer's signature and the date.
An authorization is not valid if it has any of the following defects:
- The expiration date has passed;
- The authorization does not contain all the required information;
- The consumer has revoked the authorization;
- The authorization has been combined with other documents to create a compound authorization;
- The provision of goods or services is conditioned on the consumer signing the authorization.
Lastly, a copy of the signed, valid authorization must be provided to the consumer.
The seller and purchaser of consumer health data must retain a copy of all valid authorizations for the sale of consumer health data for six years from the date of their signature or the date when they were last in effect, whichever is later.
The My Health My Data Act also gives individuals the right to take legal action against a company they believe has violated it. The Washington Attorney General enforces the Act, and a violation is treated as an "unfair or deceptive act in trade or commerce and an unfair method of competition" under the Washington Consumer Protection Act. Private individuals can bring a claim for such a violation in the same way as for other alleged violations of the Consumer Protection Act.
Key Takeaway
Protecting health-related information is crucial for maintaining individuals' privacy and autonomy. Laws such as HIPAA and the state laws that go beyond it set out how sensitive medical data must be handled. Covered entities, business associates and the newer category of regulated entities must understand and comply with these laws to safeguard the health information entrusted to them.
How can Clym help?
Clym offers covered entities a solution for managing HIPAA compliance on their websites, with features that help you manage your patients' privacy and offer accessibility in accordance with applicable regulations, including HIPAA. Because your website collects patients' protected health information, you are required to have security measures in place. Here is how Clym can assist with that:
- Cookie Consent Banner: inform your website visitors about the use of cookies and other online tracking technologies and obtain their informed consent for this. Our tool automatically identifies and categorizes cookies, allowing your website visitors to adjust their preferences at any time, providing a clear and compliant way to manage consent.
- Consumer Requests: give patients and visitors a simple way to request access, amendment, or deletion of PHI. Our compliance tool provides an automated workflow that ensures that these requests are managed promptly and effectively, maintaining compliance with HIPAA’s timelines and procedural requirements.
- Privacy Policy Management: Clym offers you a way to add, update, and manage your organization’s privacy policies that align with HIPAA’s standards, so you can clearly communicate all necessary information to patients, including how their PHI is used, disclosed, and protected. This way you show transparency and your compliance with HIPAA’s extensive documentation requirements is facilitated.
Asya is a data protection enthusiast with over 6 years of experience navigating the ever-evolving world of privacy regulations. Certified in CIPP/E and CIPT, she bridges the gap between legal requirements and technical implementation. At Clym, she aims to translate data privacy complexities into clear, actionable insights to empower individuals and organizations alike.
FAQs on Protecting Health-Related Information
What is HIPAA?
HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a federal law in the U.S. designed to protect health insurance coverage for workers changing or losing jobs and to safeguard the privacy and security of health information. It includes the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, which establish national standards for handling Protected Health Information (PHI).
What is the Washington My Health My Data Act (MHMDA)?
The MHMDA is a state law effective March 31, 2024, covering health information not protected by HIPAA. It includes a broad definition of "consumer health data" and applies to entities operating in Washington that produce or provide services to Washington consumers.
What is health-related information?
Health-related information refers to any personal information about an individual’s health or disability and any data leading to assumptions about health or disability, even if not directly identified.
Which laws protect health-related information?
Several laws protect health-related information:
- General Data Protection Regulation (GDPR): Treats health data as a special category of personal data and requires a specific legal basis (usually explicit consent) and stronger security before collection or processing.
- Health Insurance Portability and Accountability Act (HIPAA): A US law protecting patient health information.
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- Genetic Information Nondiscrimination Act of 2008 (GINA)
- State Laws: Including the Washington My Health My Data Act and the Biometric Information Privacy Act of Illinois (BIPA).
What data is protected under HIPAA?
Protected Health Information (PHI) includes information that can identify an individual and relates to a patient's past, present, or future health. Examples include names, addresses, dates, phone numbers, email addresses, social security numbers, medical records, and IP addresses linked to health information.
What is not protected under HIPAA?
Information that does not identify an individual, such as de-identified data and statistics, is not considered PHI. Also, health data collected by non-covered entities, such as many apps and websites, is not protected by HIPAA.
When can PHI be shared under HIPAA?
PHI can generally only be shared with your permission. Exceptions include situations necessary for treatment, billing, or when required by law.
What is valid authorization under the MHMDA?
Authorization under MHMDA must include details about the data being sold, the entities involved, the purpose of the sale, an expiration date, and the consumer’s right to revoke the authorization. It must be written in plain language and a copy must be provided to the consumer.
What are the compliance requirements for businesses under Washington's MHMDA?
Under the Washington My Health My Data Act, businesses must publish a consumer health data privacy policy, obtain explicit consent before collecting or sharing consumer health data and a valid authorization before selling it, refrain from geofencing health care facilities for tracking or advertising, and handle consumer requests to access or delete their data or withdraw consent.