Confidentiality, Privacy and Security


  • 1.  PHI?

    Posted 07-19-2019 08:57

    If there is a spreadsheet with a patient identifier (not SSN), patient name, date of service, and account balance, would this be considered PHI and would it be considered a breach if it was disclosed inappropriately? If the date of service was NOT on the spreadsheet, would that change things?
    Thanks in advance!


    Kimberly Ohmann
    Associate Director

  • 2.  RE: PHI?

    Posted 07-21-2019 09:39
    I would run it through a risk assessment; it could be low risk. The only way you know for sure is by doing your risk assessment.

    Casey Bastemeyer
    Lead HIPAA & Coding Compliance Partner
    Ensign Group

  • 3.  RE: PHI?

    Posted 07-22-2019 09:15
    I agree a risk assessment is needed. To whom was the information disclosed inappropriately? Can you trust that the information would not be further disclosed by the unintended recipient? Names and DOS are PHI elements, so I would proceed carefully.

    Nancy Davis, MS, RHIA, CHPS
    Director of Compliance & Safety
    Door County Medical Center

  • 4.  RE: PHI?

    Posted 07-22-2019 09:23
    Does the spreadsheet identify the covered entity or business associate? If it does, then it's PHI. If not... well, it might not be. I typically think of PHI as one identifier and whether the CE/BA is identified. But there is such variation among identifiers that some introduce more risk than others.

    But I agree with Casey and Nancy: use an Omnibus 4-factor breach analysis and see exactly where you are in the context of the whole incident. I can share a breach analysis if you need one.

    Kelly McLendon, RHIA, CHPS
    Managing Director
    CompliancePro Solutions