Are you sure that’s PHI? (In-depth PRIMER on what is PHI and what is not)

In my practice of protecting Dental Practices and Dentists, I see a HUGE lack of understanding around the area of PHI (Protected Health Information)! And that is a BIG problem, since that is what HIPAA is really all about. 

In a previous post (Here is the Silver Bullet of HIPAA Compliance) we briefly toured the HIPAA Privacy Rule. This time around we’re exploring wider and deeper. Remember, there are other Rules you have to comply with (and we’ll get to those rules). Lets take it one step at a time!

The Privacy Rule establishes regulations pertaining to the use and disclosure of Protected Health Information, or PHI. To understand what PHI is we need to know another common term, Individually Identifiable Health Information, or IIHI, which:

  • Is created or received by a health care provider, plan, or clearinghouse; or healthcare provider; and
  • Relates to the past, present, or future physical or mental health or condition of an individual (or payment for health care to the individual); and
  • Identifies the individual or reasonable could be used to identify the individual.

Now that we know what IIHI we can better understand what PHI is. Protected Health Information is Individually Identifiable Health Information that is:

  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

Examples of Protected Health Information include:

  • Names
  • Addresses
  • Date and place of birth
  • Race
  • Marital Status
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Dental record numbers
  • Dental insurance beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers*
  • Web URLs
  • IP address numbers
  • Biometric identifiers, including finger, retinal and voice prints
  • Full face photographic images and any comparable images

Let me illustrate!

Patient information (PHI) is protected by HIPAA

Johnny Ray says, “Protect my Health Information!”

Let’s say my name is Johnny Ray. I was born on April 21, 1996. I live at 235 NE Loop 830 #203, Hurst, TX 76053. My phone number is (817) 555-5555. My e-mail is I won’t list my social security number, but I have one. My dental insurance is through Delta Dental of Iowa (group #A6335, account # is TI42367).

When I completed your new patient paperwork my IIHI became PHI, even if you had me complete handwritten paper works. Then, when you input my data into my dental records, whether you have Dentrix, Eaglesoft, Open Dental or some other practice management software my IIHI is also ePHI.

Now, barring some clearly documented exceptions, you need my written authorization before you can disclose my PHI to anyone except to me or the U.S. Health and Human Service – Office for Civil Rights (OCR). OCR is the HIPAA police if you will. These are the only two absolutes.

While you, the dentist, may own my dental record, the information in the record is mine and I always have a right to either see or have a copy of my recordthe whole thing, unless there is something in the record that would cause me harm (your subjective ‘PITA’ comments will cause me harm, but this is not what the exception applies to). I have a right to my x-rays, my treatment plan, financial record/ledger, clinical notes and everything else in my dental record (bet you are glad you did not notate that I am a ‘PITA’).

The law states that I can if my dental record is available in an electronic format I can have it an electronic format. It also says you can charge me a reasonable fee for a copy of my record (media device, time to locate/copy the record) even if I owe you money for services or treatment your office provided to me. The law also says you cannot keep my record from me because I owe you money, except that you can withhold until I pay for the record (if you intend to charge). Perhaps I want a second opinion and want a copy of my x-rays, treatment plan and your clinical notes. I can do that.

I ask you or your office manager for a copy of my entire dental record. Fortunately for me you oblige and I go about my business. However, you would be well within your right to require my request for my record in writing. In that scenario, upon receipt of a written request for my record you have 30 calendar days under federal law to fulfill my request. That’s right – you do not have to provide my record on the spot. Now, it is important to note that some state laws have tighter time frames to provide records, like Texas, which is within 15 BUSINESS days of a receipt of a written request for records. Some states have even tighter timeframes. Know your state requirements and follow the strictest time periods.

Dental Compliance Specialists, LLC is the Premier Dental Health Compliance and Quality Assurance provider in the country. We help Dentists develop and maintain compliance programs with the goal of keeping them out of the regulatory limelight. We have in-office and virtual programs all catered to the Provider’s specific needs. Dental Healthcare Compliance includes: DEA, ICE/Homeland Security, OIG, OSHA, HIPAA, Infection Control, Auditing and Monitoring, Record Auditing, employee training, Radiology Compliance, Medicaid Compliance and more…It’s not just about OSHA anymore!