top of page

The following data has been collected from publications on the web and
is credited by URL and available by a link in their entirety below each bold heading.

What is PHI?

https://www.hipaajournal.com/what-is-considered-protected-health-information-under-hipaa/amp/

PHI is any health information that can be tied to an individual, which under HIPAA means protected health information includes one or more of the following 18 identifiers. If these identifiers are removed the information is considered de-identified protected health information, which is not subject to the restrictions of the HIPAA Privacy Rule.

  1. Names (Full or last name and initial)

  2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000

  3. Dates (other than year) directly related to an individual

  4. Phone Numbers

  5. Fax numbers

  6. Email addresses

  7. Social Security numbers

  8. Medical record numbers

  9. Health insurance beneficiary numbers

  10. Account numbers

  11. Certificate/license numbers

  12. Vehicle identifiers (including serial numbers and license plate numbers)

  13. Device identifiers and serial numbers;

  14. Web Uniform Resource Locators (URLs)

  15. Internet Protocol (IP) address numbers

  16. Biometric identifiers, including finger, retinal and voice prints

  17. Full face photographic images and any comparable images

  18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

​

Covered Entities

https://privacyruleandresearch.nih.gov/pr_06.asp

Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. Covered entities can be institutions, organizations, or persons.

Researchers are covered entities if they are also health care providers who electronically transmit health information in connection with any transaction for which HHS has adopted a standard. For example, physicians who conduct clinical studies or administer experimental therapeutics to participants during the course of a study must comply with the Privacy Rule if they meet the HIPAA definition of a covered entity.

 

Health Plan – With certain exceptions, an individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). The law specifically includes many types of organizations and government programs as health plans.
 

Health Care Clearinghouse – A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “valueadded” networks and switches that either process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receive a standard transaction from another entity and process or facilitate the processing of health information into a nonstandard format or nonstandard data content for the receiving entity.
 

Health Care Provider – A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
 

Health Care – Care, services, or supplies related to the health of an individual, including (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

 

 

​

Penalties for HIPAA violations

https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/

​

  • ​Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules. Minimum fine of $100 per violation up to $50,000

​

  • Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care. (but falling short of willful neglect of HIPAA Rules) Minimum fine of $1,000 per violation up to $50,000

​

  • Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation. Minimum fine of $10,000 per violation up to $50,000

​

  • Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation. Minimum fine of $50,000 per violation

bottom of page