What counts as PHI?

This is a follow-up question to the answer you provided about faxing and HIPAA. I work in a medical setting that is covered by two different federal statutes (HIPAA, and 42CFR Part 2, the Confidentiality of Drug Treatment Records). I am being told we cannot use any part of the patient’s name or date of birth on our fax covers. This is something new and seems counter-intuitive, especially when communicating with other medical/specialist offices where patients have been or are being referred for services. Is there any way to determine if this is an appropriate privacy practice or just an overreaction due to a lack of understanding of how these two statutes regulate PHI? I realize this may be a matter in need of a legal opinion, but I thought I’d throw it out there. Thanks.


While that response to HIPAA does seem a little extreme, the truth is that it probably isn’t an overreaction. I’ve previously covered the fact that — on their own, anyway — a patient’s name and date of birth don’t count as Protected Health Information (PHI). That should mean that you’re okay to include that information on a fax cover sheet. However, if your fax cover sheet identifies you or your organization in any way, you have linked your patient to you. That does violate HIPAA and 42CFR.

It is possible to include a patient’s name and date of birth on a fax cover sheet, but you would need to have the patient release their records to you in writing first, and that might be an additional step your organization would like to avoid. It’s not ideal, but the Stanford Office of Audit, Compliance, and Privacy recommends that faxes containing sensitive information only include the following on their cover letters:

1) The sender’s name, organization, phone and fax number
2) Date/time the fax was sent
3) Number of faxed pages (including the cover sheet)
4) The recipient’s name, organization, fax and phone number
5) Instructions for if the fax is received by the wrong person
6) Contact information if something goes wrong
7) A confidentiality notice

I’m in favor of this model, as it errs on the side of caution. It has extensive information about you and whatever organization you’re faxing. It covers your bases if the fax is received by an unintended third party. And it’s clear about the need for confidentiality. Leaving the patient’s name off the cover sheet might create some short-term confusion, but it’s better than the alternative.
