I see a great deal of variation from organization to organization on what constitutes PHI in the digital realm. I have several scenarios that I'd like your thought on:
- Is public website browsing behavior considered PHI as is suggested in the current Winston Smith V. Facebook case (http://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=2175&context=historical)? This could impact a number of common services used by covered entities - for example, if the answer is yes then this suggests that healthcare organizations should have BAAs in place when using Google Analytics? Is this answer different if the individually identifiable component is an IP address rather than a confirmed individual identity?
- When a consumer signs up for a class, information session, support group, etc. held by the covered entity, is that information PHI? I've heard CEs argue that any such signup is PHI while others argue that signing up for a "Living with Cancer" support group would not constitute PHI.
- When one individual submits information online that suggests the health status of another individual, is that considered PHI? For example, an online "get well soon" card.