The 1996 Health Insurance Portability and Accountability Act (HIPAA) is complicated. Its consolidated text is over one hundred pages long and covers many topics. Of course, privacy is one of them, but not the only one: there are rules on technical standards for health records, rights to data portability, and so on.
Because the text is so complicated, it can be hard to understand some of the basic rules laid out in the HIPAA. This includes the very definition of protected health information (PHI). We are here to help.
What is PHI?
Protected health information, typically called PHI, is exactly what it says on the tin: health information protected under HIPAA.
This might seem trivial, but it isn't. The HIPAA is a sector-focused law that regulates healthcare providers and intermediaries such as payment providers. It tells these entities what they can and cannot do with medical information but does not provide general protection for medical data, which means that other entities can process such information without being bound to the HIPAA.
In other words, HIPAA only applies to certain data and companies. This is reflected in the very complicated way PHI is legally defined.
How is PHI defined?
The definition of PHI combines three distinct and cumulative requirements:
- it relates to the health conditions of an individual or the provision of health care (= it is health information)
- it relates to an identifiable individual (= it is personally identifiable information, or PII for short)
- it is created by a healthcare provider or another entity covered by the HIPAA
The first requirement: health information
HIPAA only covers information related to an individual's health conditions or the provision of healthcare. For instance, this could be a diagnosis of a disease, a medical treatment that has been provided, or the fact that an appointment with a medical professional has been booked.
The second requirement: relating to an identified individual
All PHI is identifiable information. That is to say: it directly identifies an individual or can be reasonably used to identify them. This means it includes identifiers such as name, address, email, or unique identifiers (such as those often found in tracking cookies).
The third requirement: collected by a HIPAA-covered entity
Data only fall under HIPAA when collected by an entity that is itself covered by the law. As counterintuitive as it is, the exact same information can be PHI or not, depending on where it comes from.
So who is covered by HIPAA?
- healthcare providers such as hospitals, individual practitioners, and pharmacies
- health insurance plans
- health data clearinghouses, that is, intermediaries for health data. This can sometimes include payment providers as well
Why does it matter?
The HIPAA contains a set of rules collectively called the Privacy Rule. These rules provide privacy and security standards regarding PHI, including strict disclosure limitations.
The rules on disclosure limitation are quite complex, but to grossly simplify:
- HIPAA-covered entities can always disclose PHI when this is needed to provide care, for the functioning of the healthcare system, or in other specific scenarios (for instance, because a law requires them to do so)
- all other disclosures require written authorization from the subject.
For instance, a hospital can forward treatment information to your insurance plan for billing purposes or send it to your new hospital so that medical professionals can better evaluate further treatment. On the other hand, they cannot sell your data to data brokers or disclose it to a third party for marketing purposes unless you authorize them to do so.
Understanding what data are and are not PHI is crucial. If you are covered by HIPAA, this does not mean that all the data you control is PHI! So the first step to complying with HIPAA is understanding exactly which data the definition of PHI does and does not apply to.
For instance, hospitals need to process personally identifiable information about their employees to pay wages, but the HIPAA does not cover these data because they are not related to health care.
Not all cases are clear-cut, but the same rules apply all the time: information is only PHI if it is personally identifiable, relates to health or health care, and was collected by an entity covered by the HIPAA.
Does the HIPAA matter for web analytics?
Yes, it does. Web analytics services that rely on cookies and other tracking mechanisms can result in the unintended disclosure of PHI, for which a HIPAA-covered entity can be held liable. The HHS also clearly states that cookie banners do not count as a valid authorization under HIPAA.
This does not mean that you cannot implement tracking-based analytics tools in a HIPAA-compliant way. You can still do it if you carefully evaluate the content of your web pages and turn off any form of tracking wherever it could result in an unauthorized disclosure of PHI.
But this is burdensome, requires some degree of legal expertise, and may result in numerous pages of your website being excluded from your analytics entirely.
Final Thoughts
It’s important to understand whether or not you are covered by HIPAA and dealing with PHI. If you are, you must take the right steps to comply, which also affects business practices like website tracking.
Why do we care? We built Simple Analytics just for this reason. It's a privacy-friendly Google Analytics alternative that exclusively relies on non-personal data to provide you with all the insights you need about the performance of your websites and marketing campaigns.
We believe in a privacy-friendly Internet and do not use cookies, fingerprinting, or other tracking technology to spy on your visitors.
If you also believe in a privacy-friendly Internet, or if you are simply tired of dealing with the HIPAA and its compliance headaches, then feel free to give us a try!