How Social Care Networks Must Protect PHI


Proper protection and safeguarding of Protected Health Information (PHI) is not only required when delivering traditional health care services, such as treatment of illnesses and injuries, surgeries, or other services typically provided in a hospital setting. PHI must also be protected when providing social care or Health-Related Social Needs (HRSN) services, such as care management, navigation to stable housing service providers, transportation to appointments, or home delivery of nutritious meals.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-19, mandates the protection of an individual’s identifiable health information. Under HIPAA, social care providers are business associates of a covered entity and must safeguard all PHI they encounter, including information containing sensitive medical and social care records, social care treatment or billing information, and health insurance plan information. Social care providers in Care Compass Collaborative’s Social Care Network (SCN) are required to comply with HIPAA Rules. The protection of an individual’s PHI under HIPAA helps contribute to a safe, ethical, and effective SCN.

 

HIPAA Privacy Rule 

The HIPAA Privacy Rule, as established by the U.S. Department of Health and Human Services, in Title 45 of the Code of Federal Regulations (CFR) Part 160 and Subparts A and E of Part 164, sets the national standards for the privacy, integrity, and availability of PHI. It outlines the safeguards that must be in place to ensure that PHI is kept private and protected from unauthorized access or disclosure. Several crucial HIPAA Privacy safeguards and guidelines are summarized below and must be adhered to by all social care providers in Care Compass Collaborative’s (CCC) SCN.

Social care providers in CCC’s SCN must develop and maintain appropriate safeguards that protect PHI:

  • At workstations or areas where computer monitors may be located. General safeguards include positioning computer monitors away from the direct view of others and locking computers before leaving desks/workstations.
  • From being viewed by unauthorized individuals in e-mails. E-mail safeguards include using approved secure encryption protocols and limiting the PHI contained in an e-mail to the minimum necessary information to accomplish the purpose of the communication.
  • When hosting or attending virtual meetings/webinars where PHI is planned or may inadvertently be discussed. Always use a HIPAA-secure platform and account when hosting virtual meetings with clients/patients or for case conferencing, never record those meetings, and close all applications, e-mails, and documents that you will not need to share in the virtual session.
  • In public areas. Always escort patients/clients, repair and delivery representatives, and any other persons not having a need to view PHI into areas where PHI is maintained, refrain from using whiteboards to display PHI, and lock office doors when unattended.  
  • In paper documents. Store and maintain documents containing PHI in locked cabinets, rooms, or buildings when not in use and after working hours, and shred documents containing PHI; never dispose of them in regular trash cans or recycle bins.
  • When verbally discussing or communicating PHI. Only discuss PHI with other authorized staff who have a legitimate “need to know” or with others as permitted by the HIPAA Privacy Rule, and remain aware of individuals nearby who may hear any discussions concerning PHI.
  • When faxing PHI. Use a HIPAA-compliant fax cover sheet, always verify the fax number is correct before sending, and never leave copies of faxes on the fax machine.

 

PHI in the Social Care Network 

What information is considered PHI in a social care network? Examples of PHI that social care providers in CCC’s SCN may encounter include, but are not limited to, the following:

Personal identifiers: Any of the 18 HIPAA-defined identifiers alongside health or social care information qualifies as PHI. Even partial identifiers, like initials or shortened addresses, can still be considered PHI if they can be traced back to an individual.

  • “Insurance claim #12345 for Mary Smith related to her recent social care screening.”

Health-related information: Any mention of a patient/client’s condition, treatment plan, medication, or health or social care services provided qualifies as health-related information.

  • “Mr. Johnson needs transportation to pick up his prescribed insulin for his type 2 diabetes.”

Financial information related to health or social care: Discussing billing or payment details related to health or social care services, including payment information, insurance claims, or any details about financial transactions tied to health or social care.

  • “A payment of $500 has been received for the asthma remediation services provided to Jane Doe.”

Photographs and images: Patient images, such as X-rays, photographs, or any media showing distinguishing characteristics (like tattoos or facial features), are also considered PHI. These images can reveal sensitive information if they can be linked to an individual.

  • A video of a patient explaining their symptoms or condition.

IP addresses and web activity: Digital information such as IP addresses or web activity tied to health or social care services can also be classified as PHI.

  • “The patient John Smith submitted a social needs screening form from IP address 123.123.0.1.”

Additional information about reasonable HIPAA Privacy safeguards your organization can adopt to further enforce and ensure the privacy of PHI can be found on the U.S. Department of Health and Human Services website, https://www.hhs.gov/hipaa/for-professionals/privacy/, or by searching their FAQ content.
