Is a W-2 Considered PHI Under HIPAA?

Sunday, March 25, 2012

Rebecca Herold


“Is a W-2 form protected health information?” is a simple question with a complex answer that begins (I know, to the nail-biting chagrin of many), “It depends…”

First the full question:

“If a scan of a W-2 is submitted as part of a patient’s financial assistance application is it considered protected health information (PHI)?”

It depends upon considering several factors, including

1) Is the information within a W-2 explicitly excluded from being PHI within HIPAA?

2) Is the information within a W-2 explicitly included as being a type of PHI?

3) Is the information within the W-2 itself used by the covered entity (CE) for treatment, payment, or healthcare operations (TPO) in a way that would put it under the definition of PHI?

The question was framed as meaning the entire W-2 form was being “submitted” for financial assistance to pay for healthcare, so with this in mind, we will consider it as one document containing several information items that are necessarily grouped together.

Let’s first consider background information.

Definitions

Protected Health Information (PHI)

For the purposes of our analysis, “protected health information” (PHI) is the same as “individually identifiable health information” (IIHI) with the following exceptions defined under HIPAA:

(2) Protected health information excludes individually identifiable health information in:

(i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;

(ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and

(iii) Employment records held by a covered entity in its role as employer.

Individually Identifiable Health Information (IIHI)

What is “individually identifiable health information” (IIHI)? Under HIPAA it is defined as:

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

(i) That identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

W-2 Form

What is on a W-2 form?

a. Employee’s social security number (a PHI item)

b. Employer identification number (EIN)

c. Employer’s name, address, and ZIP code

d. Control number

e. Employee’s first name and initial, Last name, Suff. (PHI items)

f. Employee’s address and ZIP code (PHI items)

1. Wages, tips, other compensation

2. Federal income tax withheld

3. Social security wages

4. Social security tax withheld

5. Medicare wages and tips

6. Medicare tax withheld

7. Social security tips

8. Allocated tips

9. {blank}

10. Dependent care benefits

11. Nonqualified plans

12a code, 12b code, 12c code, 12d code

13. Statutory employee, Retirement plan, Third-party sick pay

14. Other

15. State, Employer’s state ID number

16. State wages, tips, etc.

17. State income tax

18. Local wages, tips, etc.

19. Local income tax

20. Locality name


Now let’s consider the factors.

1) Is the information within a W-2 explicitly excluded from being PHI within HIPAA?

According to (2)(i) above, a W-2 is not an education record in the context of the question.

According to (2)(iii) above, the question concerns the use of W-2s for all types of patients, so they are not necessarily employees of the CE, and the employment-records exclusion does not apply.

Which leaves (2)(ii) above; records under 20 U.S.C. 1232g(a)(4)(B)(iv) include:

“(iv) records on a student who is eighteen years of age or older, or is attending an institution of postsecondary education, which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his professional or paraprofessional capacity, or assisting in that capacity, and which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment, except that such records can be personally reviewed by a physician or other appropriate professional of the student’s choice.”

A W-2 form does not fall under this description.

So, W-2 data has not been explicitly excluded.

2) Is the information within a W-2 explicitly included as being a type of PHI?

Under HIPAA these include:

(A) Names;

(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

(D) Telephone numbers;

(E) Fax numbers;

(F) Electronic mail addresses;

(G) Social security numbers;

(H) Medical record numbers;

(I) Health plan beneficiary numbers;

(J) Account numbers;

(K) Certificate/license numbers;

(L) Vehicle identifiers and serial numbers, including license plate numbers;

(M) Device identifiers and serial numbers;

(N) Web Universal Resource Locators (URLs);

(O) Internet Protocol (IP) address numbers;

(P) Biometric identifiers, including finger and voice prints;

(Q) Full face photographic images and any comparable images; and

(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section; and

(S) Genetic Information (In 2010 “genetic information” was added to this list. (See Regulations Under the Genetic Information Nondiscrimination Act of 2008; Final Rule: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/genetic/ginafinalrule.pdf))

So, at least three of the W-2 data items/fields (the employee's name, address, and social security number) are part of this list. However, the "W-2 Form" itself, which contains many more types of data items, is not part of this list. So, subsets of the W-2 form are considered to be PHI, but most of the items are not.

3) Is the information within the W-2 itself used by the covered entity (CE) for treatment, payment, or healthcare operations (TPO) in a way that would put it under the definition of PHI?

Here is where we get to the main crux of the question.

Under the definition of IIHI above, a W-2,

YES (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

POSSIBLY (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

YES (i) That identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

For this question about the W-2, the answer then really depends upon A) whether the W-2 ever reached the CE where the care was provided, or B) whether it never left a third party that may have done the financial aid application processing. Here are three primary possibilities:

1) An outside entity, separate from the covered entity, obtained the W-2, did the financial assistance approval, and passed the approval on to the covered entity, without sending the W-2 along. For example, perhaps a bank or credit union. In this case, since the W-2 never becomes part of the patient file used to approve the financial assistance, it would most likely not be considered PHI by the Department of Health and Human Services (HHS), since it was never received by the CE or otherwise directly used for payment.

2) An outside entity, separate from the covered entity, obtained the W-2, did the financial assistance approval, and passed the approval on to the covered entity, in addition to sending the W-2 along. For example, it is conceivable that this could occur from an accounting firm, or an independent accountant or consultant. In this case, since the W-2 was sent with the financial assistance documentation, it becomes part of the patient file used to process payments, so it would most likely be considered PHI by the Department of Health and Human Services (HHS).

3) A department within the covered entity obtained the W-2, did the financial assistance approval, and processed the financial assistance activities and paperwork. In this case, since the W-2 was used by the covered entity for payment purposes, and if it became part of the patient file, it would most likely be considered PHI by the Department of Health and Human Services (HHS), since it was directly used as part of payment operations.

Why Does This Even Matter!?

Many people to whom this question was posed gave a retort that boiled down to, “It doesn’t matter, W-2 data needs to be protected anyway!”

Well, yes, of course W-2 data needs to be safeguarded appropriately regardless of who possesses it. But it certainly *DOES* matter whether or not it would be considered to be PHI. Why? Because covered entities’ (and now business associates’, under HITECH) obligations for doing specific activities with PHI go far beyond simply safeguarding the PHI. Under the Privacy Rule, additional activities must be performed for PHI, such as:

  • You must track disclosures of PHI. If the W-2 were considered to be PHI, then, depending upon the organization, this could add a substantial amount of logging and tracking to a CE’s procedures, requiring additional resources.
  • Disclosure requirements, and associated required actions, would need to be expanded to apply to W-2 forms. Depending upon the organization, this could also substantially expand the scope of activities necessary, and require additional resources.
  • Business associate contracts would then need to be created for any contracted work that applies strictly to the W-2 forms. Depending upon the organization and its outsourcing activities, this could substantially add to the activities and resources necessary to support those activities.
  • W-2s would then also be subject to the same amendment requirements as other types of PHI, which would also expand the associated procedures and related resources.
  • Consent and authorization requirements would then be expanded to also apply to W-2s, which would also expand the associated procedures and related resources.
  • And likely others.

For a small to medium sized business, adding such additional procedures, along with the associated time and personnel resources, could result in a significant amount of cost to the business.

Simply deciding, “Yeah, let’s call it PHI, it needs to be protected anyway,” is a shortsighted decision that could end up costing a significant amount that midmarket sized businesses really cannot afford.

This is why such questions are important to ponder and do a bit of analysis around.

Cross-posted from Privacy Professor
