Do Consumers and Would-Be Patients Create PHI?

Modified on Wed, 27 Mar 2024 at 11:56 AM


DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website does not, and is not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.


HIPAA covered entities sometimes ask, "Is it a HIPAA violation when someone who is seeking to become a patient sends us, for the first time, their personal health information?" The answer to this question is pretty much always "no." The reason lies in how HIPAA defines "Individually Identifiable Health Information" (IIHI) and "Protected Health Information" (PHI).


Individually Identifiable Health Information (IIHI):

Individually identifiable health information (IIHI) is information that is a subset of health information, including demographic information collected from an individual, and that:

(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; 
and  

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual;
and  

(i) That identifies the individual; 
or 
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

To qualify as IIHI, information must be health-related. The information must relate to the past, present, or future physical or mental health of a specific person, or to the provision of healthcare to a specific person, or to the past, present, or future payment for the provision of healthcare to a specific person.

That is not all. To meet the definition of IIHI, information must identify someone. Alternatively, there must be a reasonable basis to believe that the information can be used, along with other data, to identify someone.

That is not all either. As noted above, to constitute IIHI, information must be "created or received by a healthcare provider."  PHI is a subset of IIHI. Therefore, for information to qualify as PHI, it must be "created or received by a healthcare provider," among other requirements.

Is a consumer or would-be patient who is looking for a doctor, by sending health information, acting as "a healthcare provider who is creating information"? No. The consumer or would-be patient is acting as a consumer or would-be patient.

Is the consumer or would-be patient a "healthcare provider receiving information"? No - they're an individual sending that information TO a healthcare provider, who then receives it.

So, a consumer looking for a provider, or would-be patient looking for a provider, who transmits health information for the first time to a doctor's office, is not sending IIHI. This means they are not sending PHI. Once a healthcare provider receives the information, the healthcare provider is obligated to protect the information, in accordance with the HIPAA regulations.


