Mentor Research Institute

Healthy Contracts Legislation; Measurement & Value-Based Payment Contracting: Online Screening & Outcome Measurement Software

503 227-2027

What is Protected Health Information in Psychotherapy Practice?

The Brief defines protected health information (PHI) under federal law. 

"The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information" (PHI).

“Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,

  • the provision of health care to the individual, or

  • the past, present, or future payment for the provision of health care to the individual,

and identifies the individual or there is a reasonable basis to believe it can be used to identify the individual.

Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number, etc...).

The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.

http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

Dis-Identified Health Information

Data are "individually identifiable" if they include any of the 18 types of identifiers for an individual or for the individual's employer or family member, or if the provider or researcher is aware that the information could be used, either alone or in combination with other information, to identify an individual. There are 18 identifiers.

  1. Name

  2. Address (all geographic subdivisions smaller than state, including street address, city, county, or ZIP code)

  3. All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)

  4. Telephone numbers

  5. FAX number

  6. Email address

  7. Social Security number

  8. Medical record number

  9. Health plan beneficiary number

  10. Account number

  11. Certificate/license number

  12. Any vehicle or other device serial number

  13. Device identifiers or serial numbers

  14. Web URL

  15. IP address

  16. Finger or voice prints

  17. Photographic images

  18. Any other unique identifying number, characteristic, or code

A critical point of the Privacy Rule is that it applies only to individually identifiable health information held or maintained by a covered entity or a business associate acting for the covered entity.

Individually identifiable health information held by anyone other than a covered entity, including an independent researcher who is not a covered entity, is not protected by the Privacy Rule and may be used or disclosed without regard to the Privacy Rule.  This is why psychotherapists need to implement Business Associate Agreements (BAA).  There may, however, be other Federal and State protections covering the information held by these entities that limit its use or disclosure.

References

Key words: Supervisor education, Ethics, COVID Office Air Treatment, Mental Health, Psychotherapy, Counseling, Patient Reported Outcome Measures,