Hello all - so I have another conversation area that I hope will get a lot of you thinking. We are a large Department that encompasses only a few actual healthcare facilities and some health plan work, but mostly non-healthcare-related services. So now let's say we have some documents stolen from the car of a case worker with tons of personally identifiable information (address, names, car insurance, etc.), but it is from Children and Family Services with no healthcare-related information. Not PHI, then, right? But what if those documents did contain a list of current medications for a child? Then it would be PHI because it relates to a health condition, even if it's not from the medical provider itself, since we are a blanket CE? Thanks!
Generally, the PII would not be "HIPAA covered". That doesn't mean there is no breach notification responsibility. All states have breach notification laws on the books. As far as the list of medications, it still may not be PHI. If Children & Families did not perform any healthcare activities and was not designated a covered entity, the health information would be PII and not PHI. It's only PHI if it was associated with a covered entity or a healthcare component of an organization that performs healthcare and non-healthcare activities.
This is similar to if an employee's HR folder was lost or stolen. If the HR folder contained information, say, about a medical condition or about medical leave, it would not be PHI. I was asked by a client whether, if a city's parks and recs department collected medical information from parents, it was PHI. The city had multiple departments, including covered entity components. I told the city that it was not PHI and not covered by HIPAA. The parks and recs department did not conduct any covered entity functions and it was not designated a covered component. The best way to look at it is that it's only PHI if it's associated with a covered entity or covered component.
Chris Apgar, CISSP
CEO & President