Q&A: Are patient diagnoses alone considered to be PHI?
Q: I work for a pharmaceutical company. I am aware of the more obvious identifiers, but are patient diagnoses or ICD-10 codes (without any other identifiers such as dates of birth or Social Security numbers) considered PHI? I have heard arguments on both sides.
A: No, a diagnosis or diagnosis code without patient identifiers is not considered PHI. Information is protected under HIPAA if it contains any of 18 specific identifiers of individuals and their relatives, employers, or household members, including:
- Account numbers
- All ages over 89, including year
- All elements of dates (except year) for birth, admission, discharge, and death
- Biometric identifiers, including fingerprints and voiceprints
- Device identifiers
- Email addresses
- Fax numbers
- Full-face photographs
- Geographic subdivisions smaller than a state
- Health plan beneficiary numbers
- Medical record numbers
- Names
- Social Security numbers
- Telephone numbers
Editor's note: Mary D. Brandt, MBA, RHIA, CHE, CHPS is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice.