What is PII (covered by HIPAA) and what is not?
One of the most important determining factors in HIPAA compliance is the nature of the information being transmitted: if it is not sensitive PII (personally identifiable information), it may be transmitted electronically without additional protection. What is PII and what is not? What is sensitive PII and what is not?
According to the U.S. Office of Management and Budget, PII – or personally identifiable information – is any information that can be used to uniquely identify, contact or locate an individual, or can be used with other sources to uniquely identify a person.
Sensitive PII is that which, when disclosed, could result in harm to the individual whose name or identity is linked to the information. In determining whether or not PII is sensitive, the context in which the information is used must be taken into consideration. For example, a list of subscribers to a government newsletter is not PII; a list of people receiving treatment for mental health disorders is.
As well as the consideration of context, the association of PII elements can create the need for protection: for example, an individual’s name would be considered sensitive PII when grouped with their mother’s maiden name and date of birth, but these elements wouldn’t be considered sensitive independent of one another. The following types of PII are considered sensitive when they are associated with an individual and must be protected when electronically submitted:
- Place of birth
- Date of birth
- Mother’s maiden name
- Biometric information (identification of humans by their characteristics or traits)
- Medical information
- Personal financial information
- Credit card or purchase card account numbers
- Passport numbers
- Potentially sensitive employment information, such as disciplinary actions or personnel ratings
- Criminal history
- Any information that may stigmatize or adversely affect a person
(This list is not exhaustive, and other data may be sensitive depending on specific circumstances.)
Social Security numbers (SSNs), including abbreviated SSNs that use only the last four digits, are considered sensitive regardless of whether or not they are associated with an individual.
The following types of PII may be transmitted electronically without protection because they are not considered sufficiently sensitive to require protection:
- Work, home, and cell phone numbers
- Work and home addresses
- Work and personal email addresses
- Resumes that don’t contain an SSN or where the SSN is obscured
- General background information about individuals found in resumes and biographies
- Position descriptions and performance plans without ratings
The determination that PII is non-sensitive does not mean that it is publicly releasable. The choice to publicly release any information can only be made by the official authorized to make such decisions. The electronic transmission of non-sensitive PII is equivalent to transmitting the same information via U.S. mail, a private delivery service, courier, fax or voice. Although each of these delivery methods has vulnerabilities, the transmitted information can only be compromised as a result of theft, fraud, or other illegal activity.
PIMSY is mental health EHR and Practice Management Software, integrated into one efficient system. Contact us for a live Web demo; we’re happy to show you how PIMSY saves time, pays for itself, and can make your practice more efficient.