Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
13 other hand, Metro Transit in Madison, Wisconsin, which maintains that it is not subject to HIPAA, stated that some departments of its municipal government have been designated hybrid entities. VII. HIPAAâS DEFINITION OF PROTECTED HEALTH INFORMATION PHI means individually identifiable health in- formation transmitted by electronic media; main- tained in electronic media; or transmitted or âmaintained in any other form or medium (em- phasis added).â91 PHI does not include individu- ally identifiable health information in employ- ment records held by a covered entity in its role as an employer or in education records covered by the Family Educational Rights and Privacy Act,92 as well as otherwise set forth in the regulations.93 Although transit agencies may receive health in- formation directly from patrons or from covered entities when authorized by the subjects of the health information, transit agencies are not the type of entity that must create health information for it to be subject to HIPAA. However, assuming that transportation services come within HIPAAâs definition of a business associate, an assumption that appears to be doubtful given the specific, lim- iting language in HIPAAâs definition, a transit agency as a business associate could create, re- ceive, maintain, or transmit PHI on behalf of a covered entity.94 The definitions of three terms in the HIPAA regulations give effect to what kind of information is subject to HIPAA: health information, indi- vidually identifiable health information, and PHI. First, the term âhealth informationâ applies to any information regardless of whether it is âoral or recorded in any form or medium;â95 thus, HIPAAâs Privacy Rule is not limited to electronic records.96 transit trips it provides are âactually Medicaid eligible trips.â 91 45 C.F.R. §§ 160.103(1)(i)-(iii) (2013) (subsection (1) of the definition of PHI). 92 Pub. L. No. 93-380 § 513, 88 Stat. 484 (1974), codi- fied at 20 U.S.C. § 1232g (2013). 93 45 C.F.R. § 160.103 (2013) (subsection (2) of the definition of PHI). 94 See Section IX.D of this digest. 95 45 C.F.R. § 160.103 (2013) (defining health infor- mation). 96 South Carolina Medical Assân v. Thompson, 327 F.3d 346 (4th Cir. 2003); Association of American Phy- sicians & Surgeons, Inc. v. U.S. Depât of Health and Human Services, 224 F. Supp. 2d 1115 (S.D. Tex. 2002). Second, health information as defined by HIPAA is not health information that is created or received by just anyone, such as a transit agency. Health information subject to HIPAA in- cludes âinformation, including genetic informa- tion, whether oral or recorded in any form or me- dium, thatâ¦[i]s created or received by a health care provider, health plan, public health author- ity, employer, life insurer, school or university, or health care clearinghouseâ¦(emphasis added).â97 Third, health information is not just any kind of medical information. The health information must come within one of three categories or types of health information: it must relate âto the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or fu- ture payment for the provision of health care to an individual.â98 Even if a transit agency meets one or more of the last three criteria (i.e., the health information ârelates toâ), a transit agency does not come within the HIPAA definition of health information, which must have been âcre- ated or received by a health care provider, health plan, public health authority, employer, life in- surer, school or university, or health care clear- inghouse⦠(emphasis added).â99 A transit agency does not create health information nor is it one of the named entities that must receive the health information for it to become PHI subject to HIPAA. As HHSâs commentary to its 2013 final rule states, there are many businesses and other entities that receive PHI that are not subject to HIPAA.100 A subset of health information under HIPAA is individually identifiable health information (IIHI). IIHI includes information that is âdemo- graphic information collected from an individ- ual.â101 IIHI either must identify an individual or provide a âreasonable basisâ for believing that the information could be used to identify an individ- PHI stored, whether intentionally or not, in photocopi- ers, facsimile, and other devices is subject to the Secu- rity Rule. 78 Fed. Reg. 5576. See discussion in Section VIII.C of this digest. 97 45 C.F.R. § 160.103 (2013) (subsection (1) of the definition of health information). 98 Id. 99 45 C.F.R. § 160.103 (2013). 100 78 Fed. Reg. 5591. 101 45 C.F.R. § 160.103 (2013) (definition of individu- ally identifiable health information).