Tweet By Hospital Employee: What information is considered PHI?

Interesting Tweet HIPAA Breach story coming out of Mississippi involving Governor Haley Barbour. The incident involved a response to Governor Barbour’s tweet by a University Medical Center employee.

Ves Dimov, M.D. at Clinical Cases and Images Blog posts about the story – Single tweet by hospital employee to Mississippi Governor allegedly violates HIPAA, forces her to resign.

The incident will provide a good case study for health privacy lawyers who regularly consider the question of what information is and is not protected health information (PHI) under 45 CFR 160.103. PHI is defined under HIPAA as:

The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”

“Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

Thanks for the tip @RLBates and @EdBennett.