Transcript

[Transcript] Episode 419: What You Must Know About Protected Health Information

 

Evan Dumas

You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co host Evan Dumas.

 

Liath Dalton 

And I’m Liath Dalton and we are Person Centered Tech.

 

Liath Dalton 

This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records. Meet with clients remotely, create rich documentation, schedule appointments, and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to therapynotes.com and use promo code PCT.

 

Evan Dumas 

Hello, and welcome to Episode 419: What You Must Know About Protected Health Information.

 

Liath Dalton 

Another exciting topic that everyone is just dying to dive into no doubt. Actually, this is one of the most important topics and considerations to have in terms of being able to really fulfill the mandate, both the ethics mandate and the HIPAA mandate, of safeguarding client information. So it’s important to have a precise understanding of what actually constitutes Protected Health Information or PHI, and what the difference is between less identifiable and deidentified, in terms of what constitutes PHI.

 

Liath Dalton 

And so that ends up then really providing the basis for being able to make correct decisions about safeguarding client info. Basically, the reason why what is PHI and what is not PHI matters so much is that whatever is PHI is within HIPAA’s scope. That means HIPAA applies: all the standards apply to that information and how that information is handled. If something is not Protected Health Information, it is outside HIPAA’s scope, and HIPAA does not apply.

 

Liath Dalton 

That means that the HIPAA standards don’t have to be implemented for how that information is handled. So that’s why it matters so much. But it can really set up a practice for significant mistakes in terms of how they’re safeguarding client info, if they’re not correctly identifying what is PHI, and what is not PHI.

 

Liath Dalton 

And what’s a good example, Evan, that you would give of a common misconception, a miscategorization of something that’s not PHI, that then leads to standards not being applied?

 

Evan Dumas 

Oh, man, there’s so many of these. Some top hits that come to mind are people saying, oh, initials are just fine. It’s not PHI because you couldn’t identify someone from it, or you just see it cursorily. Some people also say, you know, I’m emailing my clients about scheduling, but we don’t include health information. So that’s not really PHI, because it’s just like, hey, you’re running five minutes late, things like that.

 

Evan Dumas 

Another real popular one is, oh, I’ve got a code system where every client has a number associated with them. And we just use those numbers to like to identify people, and that’s not PHI because that’s, you know, not health, not names.

 

Liath Dalton 

Mhm.

 

Evan Dumas 

Those things so those are like the big three, but I’ve seen it in a lot of different ways. People just misunderstanding what’s you know, obfuscating or hiding ish, and what’s totally deidentifying.

 

Liath Dalton 

Exactly, and I’ll tack on one more there, which is that initial contact, so,

 

Evan Dumas 

Oh yeah.

 

Liath Dalton 

before a clinician client relationship or provider patient relationship has been established, thinking that those initial contact communications, when someone’s inquiring about establishing services are not PHI and therefore, that it’s outside of HIPAA’s scope, and then you know, that the systems you’re using for handling those communications and that information don’t have to be HIPAA compatible.

 

Liath Dalton 

That’s another main one that we see come up, that can be pretty consequential in terms of HIPAA compliance. I appreciate, Evan, that you’re talking about the difference between deidentification and less identifiable. And there is an experience that you have had that just about everyone else that we work with has had too, so what would you share about that?

 

Evan Dumas 

Yeah, it’s that I feel I was taught wrong in grad school, or more accurately, grad school told me that having, you know, initials on things is fine. It is, you know, they didn’t use the word deidentifying, they just used the word of like, oh, yeah, it’s maintaining their confidentiality or whatnot.

 

Liath Dalton 

Mhm.

 

Evan Dumas 

So in my mind, I took it: Oh, initials are fine, initials aren’t client information. And that sort of blurred its way into: Oh, HIPAA must be fine with initials, because that’s deidentifying. But grad school didn’t really teach anything about HIPAA. That was, that they – we didn’t have time for it, there was so much other stuff to cover.

 

Evan Dumas 

So a lot of folks I’ve found that I’ve talked to in risk analyses have just been taught wrong, either by the community mental health agencies they worked at or their grad programs, about what is and what isn’t PHI. And it seems like no one did it from the HIPAA lens. Everyone did it from the ohh, yeah, protect client safety in general, but not through like, oh, wow, 18 identifiers, well, we never covered that. So that’s a gap.

 

Liath Dalton 

Right. And I think where that comes from is because the primary framework or orientation is around ethical standards and principles being applied and followed. And that’s where the confidentiality piece comes in. But it’s confidentiality in one sense, but not in the HIPAA sense of things. And so we do need to have clarity that they are not interchangeable. That something being less identifiable can still have a huge amount of utility for protecting client info. But it does not mean that it is deidentified and therefore outside of HIPAA’s scope.

 

Liath Dalton 

And so that just then informs that, yes, your calendar with client appointments, if it is an electronic calendar, you need to have a HIPAA Business Associate Agreement with the service provider for your calendar service and functionality.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

If you’re syncing your EHR’s scheduling calendar with another calendar service, like a Gmail calendar, then it needs to be with a calendar that is tied to a Google Workspace account with the BAA in place, for example.

 

Liath Dalton 

So that’s sort of how the dominoes fall: once we correctly identify something, then we know what the implications are. So I actually think this is one of the most useful conceptual pieces to have in place, because it really becomes a North Star for making decisions and takes a lot of the guesswork, and therefore anxiety around risk exposure, out of things.

 

Liath Dalton 

So, Evan, you’ve referred to the 18 identifiers.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

And we will be including in the show notes a link to a list of all those 18 identifiers. And basically the recipe for what constitutes Protected Health Information is personally identifying information, which is what those 18 identifiers are referring to, plus health information, where health information is about any healthcare services, or payment for healthcare services, past, present, or future. Future, I am intentionally emphasizing that piece. And that is held by a HIPAA covered entity or a Business Associate of a HIPAA covered entity in the course of the covered entity’s healthcare operations. Right?

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So what does that actually mean? Essentially, the easiest way to distill that down is that if you are holding identifiable information about a prospective client, or a current client, or a past client. So that’s where we got the past, present, or future component, that it is health information by virtue of your holding it, as a HIPAA covered entity.

 

Liath Dalton 

So even if it’s something that is just related to scheduling, so not something that contains diagnosis, information, or even specific treatment information, because it is related to obtaining health care services, from you, or your practice, as a health care provider, and HIPAA covered entity, that in and of itself renders that information, Protected Health Information.

 

Evan Dumas 

Yep.

 

Liath Dalton 

Which then the consequences of that just mean, it’s in HIPAA’s scope and HIPAA standards need to be applied.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

I think one thing that we see end up causing issues is the ways in which, understandably, you know, wanting to reduce risk, oftentimes wanting to reduce expense as well, that folks will work hard to make something less identifiable, to their understanding of what makes it not PHI.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

So that it’s outside of HIPAA scope, and then they can be handling it in different systems.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Right, where they don’t have a HIPAA Business Associate Agreement. But it’s an area that can also lead to reduced efficiencies and effectiveness and errors as well. And we’ve seen that, for example, come up with folks using team communication platforms, for example, that won’t do HIPAA Business Associate Agreements. So I’m actually referring to Slack at the moment because that’s the most ubiquitous one, but saying, Okay, we know we can’t get a HIPAA BAA. So, team when you’re communicating about, you know, client needs or whatever, just use initials and don’t use full client names. And then the clients get misidentified.

 

Liath Dalton 

And that’s easy to happen, particularly in a group practice context, right, the likelihood of having clients with the same initials. It goes up significantly when you have more than one clinician in a practice. So then sometimes, like Evan said, people will have other systems of creating their own codes, rather than like a medical record number specifically, and having, I’ve actually seen this firsthand before, having a whole spreadsheet system that’s the master key for all those identifier codes. Um, a huge thing to try and administer, and it also doesn’t take it out of HIPAA’s scope or make it not PHI. Evan, can you share a little bit about the codes specifically, as well?

 

Evan Dumas 

Oh, yeah, it’s that these codes are used to identify people. And I get a lot of pushback when saying, hey, but wouldn’t that mean, they’d also have to get access to the code list or whatnot? And you’re like, yes, but let’s assume that they did. And are you using it to identify them? Like, yes, well, then, boom, you just said it’s an identifier. You know, if you just say I’m seeing a client, you haven’t named the client, you haven’t given any information. That’s not identifying. So I, you know, advise that when you say, Hey, I’d like to consult about a client and you don’t give any more info you, do it when it’s a safe system. But if you say I’d like to consult about client XYZ, and the other person knows who XYZ is, boom, you identified them. Even if someone who interprets and translates gets the message, they’d need that list, it’s still, an identifier. Still counts.

 

Liath Dalton 

Right.

 

Liath Dalton 

Basically, if it’s something that you can use to identify a client, which is what makes the information useful in your practice operations for you and your team, if you’re able to identify the individual who this is in relation to, that means it’s PHI. It is not deidentified under HIPAA standards.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Does it still make sense to use the least amount of identifiable information to perform a particular function related to the provision of health care services? Yes, that’s why HIPAA itself has the minimum necessary standard, including within the TPO, or Treatment Payment Operations exceptions related to what constitutes authorized disclosures, but it still is within HIPAA’s scope.

 

Liath Dalton 

And I think it provides a lot of peace of mind to just be kind of applying that lens of, if it’s something that I am able to identify who it is referring to or belongs to, then it is PHI, and it is within HIPAA’s scope.

 

Evan Dumas 

Mhm, yep.

 

Liath Dalton 

And make sure that the team has, when we’re in a group practice context, I think this is one of the most essential pieces of information to impart to your team, and ensure that folks really do have an accurate and thorough understanding of it and how to apply it. Because it also then is going to inform the decisions that they make in day to day operations. And we have seen therapy practices where a clinician may not have this correct understanding, and therefore think it’s okay to be forwarding client emails to their personal email account, for example, because they’re purely about scheduling, and not about actual diagnoses and treatments specifically.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

Or, this is another one that’s come up in group practice Office Hours recently, actually, was clinicians taking notes in their own little notepad app, that were then auto forwarded to their personal email.

 

Evan Dumas 

Oh, yeah, yeah.

 

Liath Dalton 

And they weren’t using the client names in them, aware that there was some exposure here, but even included the entire session note.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Right. So they were saying it does have specific identifiers pulled from the list of 18 identifiers, however, the context of the information in the note is clearly still Protected Health Information for that clinician because they are able to identify exactly who that session note is for.

 

Evan Dumas 

And it might actually be one of the identifiers because towards the end, there’s that one that says any unique identifying number or characteristic, and so characteristics of clients count as PHI, which is the one mind-blowing one.

 

Liath Dalton 

Right, and that is a really important point to highlight, Evan, and ties into something that has come up a lot in our conversations with Eric Strom, the HIPAA and teletherapy attorney and clinician, and with Maelisa McCaffrey, as well, who’s a documentation expert, which is, as we are seeing the really rapid adoption and proliferation of AI programs and their use in a health care setting, that kind of two important points from that.

 

Liath Dalton 

One, that in the current information age, it is much more readily possible for information to be reidentified, for connections between seemingly disparate data to easily be made, including by the neural networks and the AI programs. And so that is something that health information system security experts and HIPAA attorneys in particular have had concerns about in the era of AI.

 

Liath Dalton 

And that’s that even if you are very consciously keeping the lips, each of those items from the 18 identifiers, out. If there is any information related to the client, and like Evan said, any characteristics. Which, how do you write a session note,

 

Evan Dumas 

Yep.

 

Liath Dalton 

without there being a reflection of session characteristics, that then is going to have to inform the decisions we make about what systems are deemed appropriate to utilize in connection with any client info.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

So that’s something that I think is particularly important to have clarity around, as you very well may be getting more and more questions from your team members about using AI and what is and isn’t permissible in terms of how they do that when it comes into contact with client info in any way.

 

Liath Dalton 

And the second part of the what constitutes PHI piece from all of this is very much just emphasizing the context of any conversation being something that technically really does fit under the 18 identifiers.

 

Liath Dalton 

And so we don’t want to just gloss over what each of those is actually comprised of. And one of the other most important pieces to know about the 18 identifiers is that any part or derivative of one of the 18 identifiers is not deidentified, not considered deidentified.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Which I’ll say this is something that you want to be mindful of when you’re evaluating HIPAA Business Associates, too, because it is something that we have actually seen come up in a couple different instances, both in terms of Business Associate Agreements that come up with their own definition of what is and isn’t PHI in there for what is and isn’t going to be protected by the business associate that is not actually accurate, or more concerningly, in this age of terms and conditions being updated, and the, you know, very valuable commodification of health data in particular, that companies are saying we have this treasure trove of information, of healthcare information, that’s so valuable that we’re handling. We know it’s subject to HIPAA, but if we deidentify it, then it’s not in HIPAA’s scope, and then we can, you know, utilize that commodity to profit off of it or to improve our services in some sort of obtuse way that they can never really describe.

 

Liath Dalton 

To date that we’ve seen how they would do that. But then the issue that has come up is saying that they apply the Safe Harbor method of deidentification, which if true, if actually followed properly, that means that information is totally okay to be utilized in whatever way, that it’s not subject to HIPAA. And the issue though, is that there have been some service providers that have said, but initials are okay, we use the Safe Harbor method, but initials are okay.

 

Evan Dumas 

No.

 

Evan Dumas 

[Laughing]

 

Liath Dalton 

Evan, what’s one of our favorite facts from HHS?

 

Evan Dumas 

Uh, initials are not okay. Initials are identifying.

 

Liath Dalton 

Basically, it’s just a question of: are initials okay? And the answer: no. Any part or derivative is not deidentified. So that’s just an important piece to keep in mind in this whole context.

 

Liath Dalton 

So hopefully this has been helpful in terms of clearing up some of the common misconceptions that have understandably arisen in terms of how we think about this, and then connecting with it in a here’s why it’s so useful to have a correct understanding of this and how it can support your practice in a really beneficial way. So thank you for joining us and check out the resources in the show notes section and we will catch you good folks next time.

 

Evan Dumas 

Yeah, talk to you next time everybody.

 

Liath Dalton 

This has been Group Practice Tech, you can find us at PersonCenteredTech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.


Your Hosts:

PCT’s Director Liath Dalton

Senior Consultant Evan Dumas

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we’re clearing up common misconceptions about Protected Health Information (PHI) in group practice.

We discuss what constitutes PHI and why it matters; why this topic is often confusing; common situations where we see this cause issues in group practice; 18 identifiers of PHI; consequences of misunderstanding what PHI is and is not; identifier codes; and information being reidentified, especially in the age of AI.

Resources are available for all Group Practice Tech listeners below:

Therapy Notes proudly sponsors Group Practice Tech!

TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.

*Please note that this offer only applies to brand-new TherapyNotes customers

Resources for Listeners

PCT Resources:

  • HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.
