Privacy Officer's Roundtable

PHI or not in CE with non-healthcare divisions

  • 1.  PHI or not in CE with non-healthcare divisions

    Posted 02-20-2020 12:59 PM

    Hello all - so I have another conversation area that I hope will get a lot of you thinking. So we are a large Department that encompasses only a few actual healthcare facilities, health plan work, but mostly non-healthcare related services. So now let's say we have some documents stolen from the car of a case worker with tons of personally identifiable information (address, names, car insurance, etc.) but it is from Children and Family Services with no health care related information. Not PHI, then, right? But what if those documents did contain a list of current medications for a child, then it would be PHI because it relates to a health condition, even if it's not from the medical provider itself, since we are a blanket CE?


    Alexis Trout
    Compliance, Ethics and Privacy Officer
    Nebraska Department of Health and Human Services
    SCCE Membership

  • 2.  RE: PHI or not in CE with non-healthcare divisions

    Posted 02-21-2020 05:38 AM
    I work for an academic medical center and we have several entities that are not HIPAA covered entities. For example we have health clubs and a financing arm that helps patients finance their bills. We also obviously operate as an employer. My team handles privacy with respect to all of our corporate entities - just not patient privacy matters, so what I would encourage you to do is think outside of HIPAA - i.e. do you have obligations per contract with respect to that information and/or state law that may require/trigger any reporting obligations?

    Brenda Manning J.D., C.H.C., C.H.P.C.
    Compliance Director, Privacy
    Carilion Clinic

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.

    SCCE Membership

  • 3.  RE: PHI or not in CE with non-healthcare divisions

    Posted 02-21-2020 11:47 AM

    Generally, the PII would not be "HIPAA covered".  That doesn't mean there is no breach notification responsibility.  All states have breach notification laws on the books.  As far as the list of medications, it still may not be PHI.  If Children & Families did not perform any healthcare activities and was not designated a covered entity, the health information would be PII and not PHI.  It's only PHI if it was associated with a covered entity or a healthcare component of an organization that performs healthcare and non-healthcare activities.


    This is similar to if an employee's HR folder was lost or stolen.  If the HR folder contained information, say, about a medical condition or information about medical leave, it would not be PHI.  I was asked by a client: if a city's parks and recs department collected medical information from parents, was it PHI?  The city had multiple departments including covered entity components.  I told the city that it was not PHI and not covered by HIPAA.  The parks and recs department did not conduct any covered entity functions and it was not designated a covered component.  The best way to look at it is it's only PHI if it's associated with a covered entity or covered component.


    Chris Apgar, CISSP


    CEO & President

    (503) 384-2538 (o)

    (503) 816-8555 (c)

    (503) 384-2539 (f)


    Privacy | Information Security | Compliance | Certification Readiness | Security Incident Response



