There continues to be a fair amount of confusion about when health information is PHI and when it is merely PII. This is true for a number of business associates as well as for hybrid covered entities. If the health information is generated by a covered entity performing a covered function, it is likely PHI all the way down the line, including as it is used and disclosed by business associates.

Here's an example: an entity provides a health plan for its low-income customers. The same entity also provides employment support, housing support and so forth. The covered component in this case is the health plan. Other health-related information, such as accessibility requirements, case management tied to employment support and other non-covered functions, does not fall under the PHI umbrella. It may be PII, but it is not necessarily PHI.

The first step is to determine what the covered component is and what health information is associated with it. Then it becomes a matter of structuring policies, procedures and so on so that PHI management complies with HIPAA. That means addressing all of the HIPAA privacy requirements for the covered component, but not necessarily for the rest of the entity. While security needs to be solid across the board, HIPAA or no HIPAA, requiring the implementation of HIPAA privacy standards across the whole entity is often unrealistic and unnecessary.

In the end, it can be very confusing. It is important to clearly identify the covered component in a hybrid covered entity, and business associates need to do the same for the data they handle. The HIPAA Privacy Rule can be rather prescriptive, and it doesn't make sense to treat all data the same from a compliance perspective. Whether it is PHI or PII, it needs to be secured, and you need to pay attention to both state and federal law. If it is PHI, you need to comply with HIPAA; if it is not, you don't. Other state privacy laws may govern the use and disclosure of PII, but that doesn't make it all PHI, no matter what the healthcare community thinks, simply because the data is individually identifiable health information.

By Chris Apgar, CISSP