CMA: Protected Health Information Inventory

 Disclaimer:  CMA/PrivaPlan PrivaGuide: Protected Health Information Inventory.


The information provided in this document does not constitute, and is no substitute for, legal or other professional advice.  Users should consult their own legal or other professional advisors for individualized guidance regarding the application of the law to their particular situations, and in connection with other compliance-related concerns.


PrivaGuide: Conducting a Protected Health Information Inventory
By Harry E. Smith, CISSP and David Ginsberg




HIPAA does not require that you conduct a PHI use and disclosure inventory.  We strongly recommend that you do not neglect this step, however.  Here are the reasons why we believe that performing such an inventory is essential to any HIPAA compliance effort:


  • If your organization uses or discloses PHI in a manner of which you are not aware, then you cannot possibly know whether or not the organization is in compliance with all privacy and security compliance requirements.
  • You can eliminate a lot of duplication of effort and greatly reduce the overall time needed to get into compliance by doing this preparatory step first.
  • Understanding the purpose of each use or disclosure of PHI that your organization makes is the key to getting HIPAA privacy and security right.


Why am I Doing This?


PrivaPlan suggests that you develop an inventory of your protected health information (PHI), its uses, and its disclosures for a simple reason: it’s easier this way.  The majority of criteria in the HIPAA regulations describe how it is not (or is) permissible to disclose protected health information under certain circumstances.  Rather than ask you to think of all of the uses and disclosures of PHI made in your organization every time you encounter one of these criteria, we will ask you to do this once and refer back to the list you have created when you reach the relevant criteria.



Start With a “Walkaround”?


The easiest way to begin your inventory is to follow the path of PHI through your organization from the time the patient first calls for an appointment until the final claim is paid by the health plan.  During the walk through the organization, you will develop the habit of looking for PHI in places that you ordinarily wouldn’t expect to find it.  Are there conversations that are being overheard?  Does the return address on an envelope reveal something about a patient’s condition?  Are Post-it Notes engaging in their own form of “gossip?”



How to do this:


The following procedure will show you how to produce a comprehensive inventory of uses and disclosures of PHI that are made in your organization.  Follow these steps carefully.  The more attention that you pay to this activity, the easier the rest of your compliance project will be.


Before you start, though, you must be clear in your mind about what is and is not PHI.  First take a look at the definition of “protected health information” that is included in the privacy regulation.


Be Absolutely Clear About What is – And is Not – Protected Health Information (PHI).


To determine whether or not a particular piece of information is PHI, you need to apply several tests:


Is it “health information?” – Health information is information that relates to:


  • the past, present, or future physical or mental health or condition of an individual;
  • the provision of health care to an individual; or
  • the past, present, or future payment for the provision of health care to an individual.

Is it “individually identifiable?” – Health information is individually identifiable if the information:


  • identifies the individual; or
  • if there is a reasonable basis to believe the information can be used to identify the individual.

Is it in one of the “exception” categories? – Individually identifiable health information is not considered PHI if the information is:


  • part of an educational record that is protected by the Family Educational Rights and Privacy Act (FERPA); or
  • maintained by this organization in its role as an employer.

Example:  A nurse who works at a clinic calls in to say she has the flu and will not be coming to work today.  Is this PHI?  No.  This is individually identifiable health information, but it is not protected under HIPAA because the clinic uses this information in the capacity of an employer, not as a health care provider.  (Of course, if this same nurse seeks treatment at the clinic where she works, she becomes a patient as well as an employee, and her information becomes protected.)  However, the California Confidentiality of Medical Information Act does apply to employers, who must be sure they comply with state law.




1.     Do a “walk-around” of your facility. The quickest way to find the items of PHI that are used or disclosed by your organization is to follow the path that a patient takes.  From the time the patient calls for the first appointment; to the waiting room; to the collection of insurance and health history information; to the examining room for weight and blood pressure measurement; through examination, diagnosis and filing the insurance claim; ask yourself which items of information about this patient’s health are collected, recorded, used or disclosed.  As you identify these items, record your findings in the “PHI Type and Location” column of the PHI Use and Disclosure Inventory Form and the ePHI Use and Disclosure Inventory form for all electronic PHI  under Document Templates.  Check the appendix of this PrivaGuide for a list of common items that contain PHI.


2.     Add physical forms of PHI to the list. Identify as many physical forms of PHI as you can that might have been missed in step one.  Physical forms of PHI include such items as:


  • Patient Charts
  • SuperBills
  • Appointment Books
  • Facility Directories
  • Appointment Reminder Notes
  • Insurance Claims Forms
  • Insurance Application Forms
  • Test Results
  • Names on Doorways
  • Whiteboards

At this point, the inventory should look something like this:

3.     Add electronic forms of PHI to the list, tracking them on the ePHI Use and Disclosure Inventory form. Identify as many electronic forms of PHI as you can that might have been missed in step one.  Electronic forms of PHI include such items as:


  • Medical records kept on a computer
  • Records of insurance claims filed electronically
  • Electronic copies of letters about patients
  • Voice Mail regarding a specific patient
  • Dictation tapes and cassettes
  • Digital Pictures
  • Research Data kept on a computer
  • Records of consultations by email
  • Records generated during visits to your organization’s web site
  • Back up discs or tapes made of any data mentioned above

At this point, the inventory should look something like this:

Now, go over the list to see if some PHI items are maintained in more than one location.  Add rows to the table if needed to show where additional copies of each form of PHI are kept.


4.     Fill in PHI uses. Each item in the “PHI Type and Location” column is used for some specific purpose.  (And some items may be used for multiple purposes.)   Record the name (or title, or department) of the user of the information and the purpose for which the information is used.  If the PHI item is used for multiple purposes, add rows to the table and replicate the information in the “PHI Type and Location” column.


The entries in the “purpose” column should be one of the following:


  • Treatment (diagnosis, therapy, prescription, etc.)
  • Payment (filing claims, collecting co-pay amounts, etc.)
  • Health Care Operations (quality control, workforce training, etc.)
  • Participation in Compliance Reviews
  • Access Requests by the Individual (patient or health plan member)
  • Facility Directory Listings (for in-patient facilities only, such as hospitals)
  • Communication with people involved in the subject individual’s care (friends, family, etc.)
  • Disclosures required by Law (reporting gunshot wounds, suspected child abuse, etc.)
  • Cooperation with Public Health Authorities (disease control, etc.)
  • Cooperation with Health Oversight Agencies (FDA, state licensing boards, etc.)
  • Judicial and Administrative Proceedings (court orders, subpoenas, etc.)
  • Cooperation with Law Enforcement (communicating with police, etc.)
  • Cooperation with Medical Examiners and Funeral Directors (autopsies, disease control, etc.)
  • Organ Donation Activities (suitability of blood, organs, etc. for transfusion or transplant)
  • Research (clinical trials, etc.)
  • Public Safety (natural disasters, epidemics, etc.)
  • Specialized Government Functions (national security, protection of the president, etc.)
  • Workman’s Compensation (work-related injuries, etc.)
  • Marketing (promoting a health care product or service, etc.)
  • Fundraising (raising money for research, facilities improvement, etc.)
  • Underwriting (providing health insurance, collecting premiums, eligibility, etc.)
  • Change of Ownership (sale of practice to another provider, etc.)
  • Commercial Sale of Health Information (employee physicals, etc.)

Correctly describing the purpose of a use or disclosure will be useful later in determining which forms of permission (authorization, verbal agreement, etc.) may be needed to allow the use or disclosure.


Specialized Inventories are Optional


You may wish to create a specialized inventory for each type of protected health information, use, or disclosure.   This is an optional system you may or may not want to adopt depending on the size of the organization.  Large organizations with many people working on the HIPAA compliance team may find more efficiency in creating smaller, specialized inventories for things like underwriting purposes, disclosures to family and friends, disclosures for marketing purposes, etc., whereas smaller organizations with just one person on the HIPAA compliance project would probably be better served by only having one PHI use and disclosure inventory.


Make Sure You Know the Difference Between a “Use” and a “Disclosure”


Basically, the difference between a use and a disclosure is determined by whether or not the PHI leaves your organization.  If a member of the staff reads a lab report and makes some notes in a patient’s chart, or discusses a patient’s condition with another staff member, this is a use of PHI.  On the other hand, if the billing department files a claim with a payer, this would be a disclosure.


Uses are internal.
Disclosures are external.

The PHI inventory form should look something like this when you are done:

5.     Fill in PHI disclosures.  In addition to the internal uses of PHI that have been entered in the table, each item may be disclosed for some specific purpose.  (And some items may be disclosed for multiple purposes.)   Record the name (or title, or department) of the person who discloses the information, the name (or title, or department) and the organization to whom the information is disclosed, and the purpose of the disclosure.  If the PHI item is disclosed for multiple purposes, add rows to the table and replicate the information in the “PHI Type and Location” column.  The entries in the “Purpose” column should be one of those listed in the previous step.

After you have finished this step, the PHI inventory form should look something like this:


About the Author:

This PrivaGuide has been greatly improved and customized by the California Medical Association. Specifically, the work of Catherine I. Hanson, Vice President and General Counsel of the CMA and Steven M. Fleisher, Esq. of Fleisher and Associates.


Harry E. Smith, CISSP


Mr. Smith is a founder and principal of Timberline Technologies LLC, a Colorado-based information security consulting company.  He has over 25 years experience in the information security field and has completed consulting engagements with such organizations as IBM, Kaiser Permanente and the U. S. Customs Service.  Mr. Smith is also one of the co-founders of PrivaPlan Associates, Inc.  He is a certified information systems security professional (CISSP) and currently serves as president of the Denver chapter of the Information Systems Security Association (ISSA).



David Ginsberg


Mr. Ginsberg is President of PrivaPlan Associates, Inc. and is one of the founders.


David Ginsberg is a healthcare consultant with over twenty-five years of experience. Most recently he organized and is Executive Director of the Colorado Physician Network, a statewide network of 2500 physicians. Mr. Ginsberg was also Vice President of Intellectron/Medcobill, a large regional physician practice management and billing company providing services to over 1000 physicians in California; during this time he implemented the second Medicare electronic claims transmission program of its kind and pioneered an EDI solution for Medicaid.

Mr. Ginsberg has expertise in managed care operations, IPA development, and physician-hospital strategic planning, practice management consulting, and compliance issues.


Mr. Ginsberg can be contacted at David A. Ginsberg Consulting, 3 Monte Alto Way, Santa Fe, NM 87508.  Telephone:  877-218-7707.  Email:





Summary of Protected Health Information (PHI)


This appendix contains a detailed list of the types of information, documents, etc. that might be found in a physician’s office which would be considered Protected Health Information (PHI) according to the Health Insurance Portability and Accountability Act of 1996.


Advanced Directive/Durable Power of Attorney Forms: A form, signed by the patient or their legal representative relating to health care decisions in the event of being incapacitated and so forth.



Most often paper, but increasingly may be an electronic file carried as part of a personal health record.


Patient Intake Form: Usually contains comprehensive demographic information, billing and third party payer information, and a health history. Sometimes these are separate forms but universally all practices use a patient intake form. Sometimes it contains marketing information such as “who referred you” and sometimes this form contains patient waiver and disclosure consents.



Most often paper, completed either at the time of the first encounter or prior and mailed or brought in. In some cases providers are emailing these forms to patients and asking that they complete and email back (or print and mail back) prior to the first encounter.  This form is generally stored in the patient medical record or chart.


Patient waivers and consents:  In the cases where these are not part of the intake form, they generally represent waivers that allow the provider to collect from the patient in the event their insurance carrier doesn’t pay.  Medicare requires such waivers to allow providers to bill for non-covered services and to act as a disclosure to the patient.  Some consent forms are designed to disclose ownership in laboratories or other ancillary centers where the provider might refer a patient.  Other types of consents include a medical records release allowing the provider to release medical records when appropriate and medical malpractice arbitration releases.



Almost always in paper form; if signed generally stored in the medical record.


Progress Notes: These are the notes the provider records as a result of the physical encounter with the patient, or as a result of an oral encounter via telephone with the patient, their family, another provider, a diagnostic facility or any number of interested parties necessary in the coordination of care (for example the nursing staff at a hospital).



Generally paper as either a single sheet per encounter or a continuous set of sheets within the medical record. For those providers using an Electronic Medical Record (EMR), this will be maintained in a patient database.


Patient Encounter form or “Superbill”: This is also commonly called the “charge ticket” and is the form used to record two significant components for each visit–the services provided commonly annotated as a CPT code, and the diagnosis relevant to that encounter (as well as, if relevant, any ongoing diagnoses) commonly annotated as an ICD 9 code. Additionally, the superbill may include the fee for these services, payments made over the counter by the patient including insurance copayments, adjustments to the fee, and sometimes basic demographic information and insurance billing information.



The superbill is always a paper form since it is designed to be a patient receipt. This form can be a preprinted and hand completed form, or it can be computer generated using data from the practice management and billing system.

The superbill is often a multi-part form. Copies are usually retained by the provider for a number of reasons including as an input document for data entry into the billing system. Superbills usually are not kept as part of the medical record, but filed in a separate filing system.


Payment Receipts: In some cases a provider will issue a receipt to the patient who makes any kind of payment at the time of service.



This receipt is always paper based. It may be as simple as a store bought receipt “book” or a computer generated form created by the practice billing system. Often a copy is maintained in either the receipt book (carbon copy) or in a separate file. If the practice maintains a computerized billing system the receipt and payment data will be maintained as part of the patient “ledger” or accounting record.


Diagnostic Reports: These include results from reference laboratories for blood or tissue pathology, imaging results from radiology or related imaging centers, and other relevant diagnostic reports (for example a written psychological profile from a psychological testing facility). The common denominator is that the provider has requested a diagnostic test or service from a third party and that third party has sent the results to the provider.



Generally, diagnostic reports come in paper format. Sometimes, a provider may integrate prior diagnostic reports into the patient medical record from other providers or earlier encounters not related to the current provider. The formats may include a preprinted form with values (in the case of blood tests), a written report, an X-Ray or other imaging film. Usually paper reports are stored in the medical record, and images are filed separately.  Some providers receive this data digitally and integrate it into their EMR, while others with EMR take paper data and scan it in.


Diagnostic Test Order Form: This is the form used to order a test.



Usually a diagnostic test order is a paper form, often preprinted and supplied by the reference laboratory or imaging facility providing the diagnostic test. In some cases, the form may be completed on line and transmitted to the diagnostic facility. When a provider has an EMR this form may be integrated into the EMR.  For paper-based providers, the order form may or may not actually be retained and integrated into the medical record.


Consultant’s Notes: When a provider refers a patient to another provider for additional consultation, the result is usually a written report that is sent to the originating provider. Sometimes, this may also be a thank you letter from the consultant that includes both appreciation for the referral as well as the result.  Consultant notes may include both providers who “have been referred to” as well as other providers who are concurrently caring for the patient.



Generally, consultant’s notes are paper notes that are filed in the medical record.  In some cases, it may be a copy of the consultant’s own medical record for that referral or an oral record of a telephone or other oral transmission regarding the consultation.


Hospital admission/discharge notes, surgeon’s operative reports and so forth: Depending on the specialty and the case, a provider may maintain copies of hospital admission and discharge notes generated by the provider attending the patient in the facility and produced by the facility and/or surgeon’s operative notes. The latter are a detailed description of the procedure performed by the surgeon or specialist and usually generated by the facility where the procedure was done.



Generally, these notes and reports are paper-based (usually computer generated from a word processing program) and are received by fax or mail. In some cases the note may be emailed as an attached file.  Hospitals are increasingly providing portals to providers for accessing and downloading such information online, in which case it is most often printed and included in the medical record. Providers using an EMR will integrate such notes into the EMR or reference them as attachments.


Referral and authorization forms: These are the documents that a provider either completes when requesting a consultation or referral from another provider, or they are the authorization forms the provider obtains authorizing their services to the patient. Most often these are necessary for managed care health plans. They contain basic demographic information on the patient such as name and identifying number (social security number or other health plan identification number), often the reason for the referral articulated as text and/or an ICD 9 code, the service authorized articulated as text and/or a CPT code, the time limit for the referral, a code or reference number to include on billing forms, and sometimes reference to the authorizing party (name etc). These forms often include treatment plans and related text information about the requested treatment (referral) or authorized treatment (authorization).



Generally, a paper form that is mailed or faxed to the provider. However, in an increasing number of practices the referral and authorization process is automated via the practice management system or via the health plan’s own portals. Data can be transmitted via email as an attachment or in a more “on line” mode where forms are completed via a web server or other on line portal to the insurer. Such data is stored in email attachments or if the practice has an EMR often integrated into the EMR. If no EMR exists, usually a hard copy is printed and integrated into the medical record.


Denials: Most health plans are obliged to generate a written denial form whenever they deny a referral request. These denials are generally sent to the provider and sometimes in an appended format to the patient. In some cases they will be sent to multiple providers (the primary care provider and the specialist requesting the referral).



Denials are almost always on paper, received either by fax or mail. They are usually integrated into the medical record. For EMR enabled providers these may be scanned and integrated into the EMR.


Drug record: This is a journal of the prescription or non-prescription drugs/pharmaceuticals/supplements that the patient is taking. Often it is a dynamic record that allows updates and changes. It may also include annotations that reflect prescriptions written or orally transmitted to a pharmacist, refill requests from the patient or pharmacist and so forth.



Generally, the drug record is a paper form that is in the medical record. In practices with an EMR it will be part of the EMR.


Prescription forms: This is the actual form used to order prescriptions.



Generally, prescription forms are paper forms often preprinted and kept in pads in each exam room or dictation/note kiosk. Some pharmacies or practices have an integrated electronic order system; in these cases, the provider either completes a form and transmits it to the pharmacy or accesses the pharmacy site and completes the form. In the cases of providers with an EMR the prescription forms may be integrated into the medical record; in paper-based systems the provider may or may not keep a copy of the form (most often they do not). However, the issue of patient safety is becoming increasingly important, and one component is drug interactions. This is catalyzing movement away from strictly paper-based systems.


Doctor’s First Report of Injury: In the cases of a patient encounter when the patient has suffered a work related injury, the provider may or may not complete what is known as a “First Report of Injury”. This contains details regarding the injury and resulting prognoses/diagnosis and treatment plan.



Generally, doctor’s reports of injury are paper forms, sometimes preprinted and filled out. They are usually stored in the medical record. They are almost always copied and faxed or mailed to third parties such as the Worker’s Compensation carrier or the employer. Practices that specialize in occupational medicine may or may not utilize an online version of this form where either they complete the form within their system (as a simple word processing document or part of a practice management template) and then transmit it to the appropriate party, or they access the third party’s site and complete the form online.  In practices with an EMR it will be stored as part of the EMR.


Patient Correspondence: This generally includes any written correspondence from or to a patient on any matter related to the provider’s care.



Patient correspondence is paper and stored in the medical record. In recent years this has included email attachments that are received or sent (although if the practice does not have an EMR these usually are printed and stored in the chart).  In practices with an EMR this may be integrated as part of the EMR. Correspondence written using an internal word processor may be attached to the patient EMR, or simply referenced.


Requests for Records: These will come from other providers, health plans, governmental agencies, life insurers, civil or criminal subpoenas and so forth. Generally, the request stipulates what is being requested, by whom and why. Providers are reluctant to release the entire medical record and may also charge a fee for copying records. Requests may include information on the fee being paid.



Almost always requests are in writing on paper since it is important to have a signature on the request from the requesting party. They are stored in the medical record.


Telephone Logs: Your front office and scheduling staff often keep track of telephone calls, or transcribe messages left on voice mail or with the answering service in a “log book”. Typically the log indicates a patient name, phone number and often a reason for calling, such as a health problem.



Paper log books.


Transcribed Notes: When a provider dictates progress notes, consultation reports and related health information, these notes will be transcribed by either an outside transcribing service, or by internal staff (and in certain specialties like radiology, increasingly by a voice recognition system). In either case, the transcribed note will be forwarded to the provider for review and inclusion in the medical record. Some providers are vigilant about careful review of these notes and subsequent modifications as well as signature or initial to indicate review and acceptance. Dictation can also be used for patient or other party communication.



Generally, transcribed notes are produced on paper and forwarded to the physician for review and initialing. Thereafter the note is included in the medical record. In some cases the transcribed note can be emailed or forwarded by intranet to the provider as an electronic file. For those providers using EMR the note will be attached or included in the EMR.


Death Certificates/Autopsy Report: These are official certificates of death and/or autopsy reports. Generally these are standard forms completed by the appropriate governmental party.



Death Certificates and autopsy reports generally come in paper format received by fax or mail and are then included in the medical record. Providers with an EMR may scan such forms and integrate into the EMR.


Medical Malpractice Correspondence: When a provider is named as part of a professional liability action, there will be written correspondence related to the patient and their damages. Correspondence will often be by and between a number of parties such as the provider, his professional liability carrier, plaintiff’s counsel, and other parties.



Generally, medical malpractice correspondences are paper forms received by fax or mail (sometimes email attachments). Usually these are included in the medical record, although sometimes a separate file will be made for such proceedings and matters.


Health Plan Correspondence: Occasionally health plans will correspond with providers regarding claims status or inquiry, or in answer to an appeal to modify a payment or authorization decision. Additionally, health plans may correspond with a provider to discuss diagnosis or treatment of a patient.



Generally this correspondence is paper based and received by fax or mail. Usually it is stored in the medical record. Providers using EMR may scan such correspondence and include in the EMR. Sometimes such correspondence is entirely by email–for example if a provider requests claim status on an individual patient or questions a service payment denial or adjustment, and does so via email, the plan may respond by email as well.


Profiling or Quality Data with Individual Identifications: Increasingly health plans are generating profiling data and sharing this data with providers. Such data often includes aggregate information on utilization, costs and quality indicators.  In some cases, the data is “drilled down” to indicate individual patients or cases. This information is not always blinded and may include identifiers such as names or social security numbers.



Almost always a paper report received by mail or in person. Usually this data is kept in a separate file and not integrated into any one medical record or chart.



Patient Satisfaction Surveys: Some practices employ a patient satisfaction survey on a routine or non-routine basis. Sometimes this survey is supplied by the health plan and sometimes it is self-initiated by the provider.



Generally satisfaction surveys are paper forms that are completed by the patient either prior to or after their encounter at the practice location or off-site. Surveys are then mailed or handed to the provider. Some surveys have individual identification and others do not. Surveys may also be done via email as an attachment or online via the provider, health plan or other intermediary portal. Individual survey forms usually are not included in the medical record but may be filed in the aggregate separately or even leave the provider site for a third party.


Patient Questionnaires and Health Risk Assessments: Increasingly, providers are using questionnaires designed to assess risk for a disease or condition, to assess quality of life or in some cases to map patient preferences. Such questionnaires may or may not have individual identification.



Generally, these surveys are paper forms that are completed by the patient either prior to or after their encounter at the practice location or off-site. Surveys are then mailed or handed to the provider. Some surveys have individual identification and others do not. Surveys may also be done via email as an attachment or online via the provider, health plan or other intermediary portal. Individual survey forms usually are not included in the medical record but may be filed in the aggregate separately or even leave the provider site for a third party.


Clinical Research Data: Providers who engage in clinical research will maintain a variety of data for the patients who are in clinical trials. In most cases the clinical trial protocols are specific about patient identification and maintaining confidentiality and privacy (for example all participants may be numbered and not identified by name); however, since many trials provide payment for patient participation and most number systems generally reference an indexed list of identities, it is reasonable that this information is PHI. Clinical trial data can include initial health histories, progress notes, pharmacy records, patient self-assessment forms, laboratory or other diagnostic tests and so forth.



Generally, clinical research data is kept in both paper and electronic format. The data is usually retained at the practice site participating in the trial and in a separate clinical research file related to the project or study. Data will often be sent or copied either by paper or by electronic means to the research sponsor (this can be a Clinical Research Organization, a pharmaceutical company, an academic institution and so forth).


Claims: Many practices retain copies of the claims generated and submitted to third party payers.



Copies of claims that are retained would always be paper copies. These generally are not part of the patient medical record but are aggregated and kept separately.


Payment remittances/advices/explanation of benefits: Typically a provider will receive the payment from a third party insurer in the form of a check attached to a remittance advice or explanation of benefits. This includes individually identified information regarding the service, date, diagnosis, payment and adjustments to the payment.



This data is generally received in paper format, although for larger insurers with sufficient volume (for example Medicare) the provider may be able to receive the data electronically. The forms are usually filed separately from the medical record.


EDI Reports: When a provider uses electronic claims submission (either via a clearing house or directly to the insurer), they generally create a series of audit reports. These reports may include paper facsimiles of the claim, claim logs, claims error reports and so forth.



These forms may be maintained either in paper format or electronically depending on the preference of the provider as well as the claims submission software. Some of the data is generated by the provider at the time of submission and other data is generated by the clearing house or insurer at time of receipt. Data is usually kept separate from the medical record.


Enrollment and eligibility data: Increasingly, providers are able to obtain enrollment and eligibility data on their patients. Such data typically includes demographics, identification numbers, effective dates, coverage information and so forth.



This data is presented in multiple formats. In some cases it may be an insurer-generated list in either paper or electronic format; in other cases it may be data that is accessed online (and can be printed or reproduced) via an eligibility portal provided by the insurer. In other cases it is accessed via a magnetic swipe card and card reader in the provider location (which can present an LCD display as well as a printed receipt from the card reader).


Remittance Advices: Also known as “Explanation of Benefits,” these contain information related to the claim for service that has been submitted. The information contained is clearly individually identifiable health information and is therefore Protected Health Information. Often remittance advices are handled by billing staff and clerical (filing) staff.



Usually remittance advices come in paper format, often attached to the payment/check. Some remittances are part of an electronic file that is transmitted to the provider when electronic remittance is available (generally Medicare is the most common carrier to offer electronic remittance).


Electronic medical records: Increasingly, providers are keeping all medical records, even notations, in electronic format on a computer or handheld device.



These records are usually kept as electronic files on the practice computer or system, as well as printed as a paper form and placed in the patient’s file.


Computerized Billing system-patient account ledgers: Most providers use either a computerized billing system, or a patient account ledger to keep track of the billing for each patient. The latter is sometimes referred to as a “pegboard” system. The ledger card contains information on each patient encounter.



If the provider uses a ledger system, then this will appear in paper format; otherwise these files are stored electronically in the computer.


Computerized Billing system patient face sheets: Face sheets are typically a single page with patient demographic information; sometimes they may contain primary diagnosis information. Hospital face sheets also include admission and discharge information.



Stored electronically.


Computerized Billing system patient lists: Providers often keep lists of patients stored on their computer to allow for easy accessing of patient names, numbers, and addresses to allow the office staff to contact each patient with ease when necessary.



These lists are created by the office staff and stored electronically on the computer. However, the office may from time to time print these lists for mailing purposes or for other reference.


Collection agency forms that contain patient information: When providers “send an account to collection” they usually provide the outside collection agency with a patient ledger or other record of services and payments. The collection agency in turn creates an electronic record of the collection activity performed on each account. This information is routinely shared with the practice.



This is generally a paper list or other form that is created by the collection agency and sent to the provider.


Patient billing statements: This is the statement that is generated by most billing systems and mailed to patients. The statement usually is handled internally prior to mailing (it may be reviewed, or simply folded and placed into an envelope). Some practices retain copies of the mailing statement.



This is always a paper form. However, some billing systems maintain a “virtual” electronic copy of the statement.


Personal Digital Assistants: An increasing number of physicians and providers are using a PDA device to store information on patients (some hospitals even provide wireless access to medical records using a PDA). The information stored on PDAs often includes PHI!




Electronically stored information.
