HIPAA

PII vs. PHI

  • 1.  PII vs. PHI

    Posted 05-29-2020 02:26 PM
    Need some guidance. We are looking at an information kiosk for our retirement community. The kiosk would give our residents information about our community and events going on. There's also an app that families and employees can access to find out about events. The kiosk and app would also allow users to access our resident directory (residents' names, room numbers and phone numbers). When I questioned the company regarding the HIPAA aspect, their response was that they do not transmit, maintain, store, or create any PHI. All of the data in the resident directory is PII, which does not fall under HIPAA. They said that they built the app under PII guidelines and that nothing in there would fall under PHI.

    Thoughts on this?

    ------------------------------
    Ellen Rooney
    Compliance Director
    BR
    ------------------------------
    19th Annual CEI Virtual Conference


  • 2.  RE: PII vs. PHI

    Posted 05-29-2020 02:53 PM
    Ellen,
    If your facility is a Covered Entity under HIPAA, then I would think this PII may well be PHI. If you are not a Covered Entity or a Business Associate of a Covered Entity, then it would not be PHI. However, you may have State regulations and statutes, or licensure/contracts that may affect the classification of the data, that you may have to consider here too.

    ------------------------------
    David Rothery, CHC, AWI-CH
    Compliance & Privacy Officer
    Health & Human Services
    Marin County, CA


    These are my personal opinions and not those of the County of Marin
    ------------------------------



  • 3.  RE: PII vs. PHI

    Posted 05-29-2020 06:05 PM
    I would agree with David R. that if you're a covered entity then that information is PHI.

    ------------------------------
    David Garrison
    Compliance/Privacy Officer
    SEARHC
    Juneau, AK
    ------------------------------



  • 4.  RE: PII vs. PHI

    Posted 05-29-2020 06:21 PM
    If you are a covered entity, it is PHI and covered as such under HIPAA. Your saving throw might be the directory exception, depending on your policies and procedures and your Notice of Privacy Practices.








  • 5.  RE: PII vs. PHI

    Posted 05-29-2020 06:48 PM
    Something else I just thought to be important:

    If you are a covered entity and the resident directory data is stored on the vendor's server, the vendor is a business associate. A BAA would be required; without one, providing the vendor with the data would be a breach.








  • 6.  RE: PII vs. PHI

    Posted 06-01-2020 07:55 AM
    I don't have enough information about your organization and am not disagreeing with the other people responding. It may depend upon how your residential community and any other functions are organized; with this being a residential facility, and if the information being shared is not health care related for a standard transaction, perhaps you have some options. I'd suggest you consult your organization's attorney. Here are a couple of snippets from HIPAA.

    Hybrid Entity. The Privacy Rule permits a covered entity that is a single legal entity and that conducts both covered and non-covered functions to elect to be a "hybrid entity." (The activities that make a person or organization a covered entity are its "covered functions.") To be a hybrid entity, the covered entity must designate in writing its operations that perform covered functions as one or more "health care components." After making this designation, most of the requirements of the Privacy Rule will apply only to the health care components. A covered entity that does not make this designation is subject in its entirety to the Privacy Rule.

    Who is Covered by the Privacy Rule

    The Privacy Rule, as well as all the Administrative Simplification rules, apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the "covered entities").



    ------------------------------
    Camille Cohen
    Compliance Manager
    Marietta, GA
    ------------------------------



  • 7.  RE: PII vs. PHI

    Posted 06-03-2020 11:18 AM
    Thank you to everyone for your help with this! As always, I appreciate your expertise, and it helped confirm what I had already believed.

    ------------------------------
    Ellen Rooney
    Compliance Director
    BR
    ------------------------------
