Are Problem Lists Protected by HIPAA? What Patients and Providers Need to Know
Problem Lists as Protected Health Information
A problem list is the running summary of a patient’s current and historical diagnoses, symptoms, and clinical issues in the medical record. Because it links health conditions to a specific individual, a problem list is typically considered Protected Health Information (PHI) when created, received, maintained, or transmitted by a covered entity or its business associate.
Under the HIPAA Privacy Rule, PHI includes Individually Identifiable Health Information that relates to a person’s past, present, or future physical or mental health, healthcare received, or payment for care. A problem list fits this definition because it directly reflects a person’s health status and is tied to identifiers such as name, medical record number, or contact details.
- When a problem list is held by a covered entity (for example, a provider, health plan, or healthcare clearinghouse) or its business associate, it is PHI and subject to HIPAA’s disclosure restrictions.
- If the same information is de-identified according to HIPAA standards, it is no longer PHI. Details appear below under De-identified Information and HIPAA.
- Uses and disclosures for treatment, payment, and healthcare operations are permitted; other disclosures generally require patient authorization and must follow the minimum necessary standard where applicable.
Definition of Protected Health Information
Protected Health Information is Individually Identifiable Health Information that a covered entity or business associate creates, receives, maintains, or transmits in any form or medium. It must identify the individual (or reasonably allow identification) and relate to health status, care provided, or payment for care. Electronic PHI (ePHI) is PHI in digital form and is subject to the HIPAA Security Rule.
Covered entities and business associates
- Covered entities: healthcare providers who conduct standard transactions electronically, health plans, and healthcare clearinghouses.
- Business associates: vendors or subcontractors that create, receive, maintain, or transmit PHI on behalf of a covered entity (for example, EHR vendors, billing services, cloud service providers).
A problem list meets the PHI definition because it captures diagnoses and clinical concerns about a particular person and is maintained by a covered entity or its business associate. When stored or transmitted electronically, it becomes ePHI and triggers the Safeguards for Electronic Protected Health Information required by the HIPAA Security Rule.
Patient Rights Under HIPAA
Patients have clear, enforceable rights over problem lists that form part of their designated record set. These rights center on Access to Protected Health Information, accuracy, and control over certain disclosures.
Right of access and copies
- Inspect and obtain a copy: You can access your problem list and receive a copy in the format requested if readily producible (for example, through a patient portal or as a readable electronic file).
- Timeliness: Providers must respond to access requests within 30 days, with one allowable 30-day extension if necessary and documented.
- Fees: Any fee must be reasonable and cost-based (for example, labor for copying and supplies), not a deterrent to access.
Right to request amendment
If you believe your problem list is inaccurate or incomplete, you can request an amendment. Covered entities must act on the request, explain approvals or denials in writing, and link any statements of disagreement to the record so future users see them.
Right to request restrictions and confidential communications
- Restrictions: You may ask a provider or plan to restrict certain uses or disclosures. While most requests can be declined, a provider must agree to restrict disclosure to a health plan for a specific service if you paid in full out-of-pocket.
- Confidential communications: You can request alternative means or locations for communications (for example, sending notices to a different address or email).
Accounting of disclosures
You may request an accounting of certain disclosures of your PHI made in the past six years, excluding most disclosures for treatment, payment, and healthcare operations or those made to you directly.
Security Measures for Protected Health Information
When a problem list is stored or transmitted electronically, the HIPAA Security Rule requires administrative, physical, and technical safeguards to protect its confidentiality, integrity, and availability. These are the core Safeguards for Electronic Protected Health Information.
Administrative safeguards
- Risk analysis and risk management: Identify risks to problem lists across systems and workflows, and implement measures to reduce them to reasonable and appropriate levels.
- Policies, procedures, and training: Establish clear rules for who can create, view, update, or share problem lists, and train the workforce accordingly.
- Contingency planning: Back up systems and test disaster recovery to ensure problem lists remain available during outages.
- Business associate oversight: Execute business associate agreements that require vendors to safeguard problem lists and report incidents.
Physical safeguards
- Facility and device controls: Secure areas with servers or workstations; manage device and media disposal to prevent data leakage from hard drives and portable media.
- Workstation security: Position screens to reduce shoulder-surfing and use automatic screen locks.
Technical safeguards
- Access control: Role-based access, unique user IDs, and automatic logoff to limit who sees or edits problem lists.
- Audit controls: System logs that record who accessed or changed a problem list and when.
- Integrity and authentication: Mechanisms that detect unauthorized alteration and verify user identity (for example, multi-factor authentication).
- Transmission security and encryption: Encrypt ePHI in transit and, where reasonable and appropriate, at rest to reduce breach risk.
Operational practices
- Minimum necessary: For most non-treatment purposes, disclose only the specific elements of the problem list required to accomplish the task.
- Incident response: Investigate potential impermissible uses or disclosures, mitigate harm, and notify affected individuals without unreasonable delay and no later than 60 days if a breach of unsecured PHI occurred.
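The technical-safeguard bullets above (role-based access, minimum necessary, audit controls) and the operational practices can be made concrete in a few dozen lines. The following is an added Python illustration, not code from the page or from any EHR product: it serves a role-specific, minimum-necessary view of a problem list, writes an audit entry for every access attempt (allowed or denied), and runs a simple review pass over the audit trail. The role-to-field matrix, the review rules and the sample problem list are all assumptions constructed for the example.

```python
"""Minimum-necessary problem-list views with an audit trail and a review pass.
Added illustration; roles, field names and sample data are assumed/constructed."""
from datetime import datetime, timezone

PROBLEM_FIELDS = ("code", "description", "onset", "status", "clinician_note")

# Assumed role-to-field matrix: treatment gets the full entry, other roles get
# only the elements they need (HIPAA "minimum necessary" for non-treatment use).
ROLE_VIEW = {
    "treating_clinician": set(PROBLEM_FIELDS),
    "billing": {"code", "status"},
    "quality_analyst": {"code", "onset", "status"},
}

# Constructed sample problem list for one patient (not real data).
SAMPLE_PROBLEMS = [
    {"code": "E11.9", "description": "Type 2 diabetes mellitus", "onset": "2015-06-01",
     "status": "active", "clinician_note": "Discussed diet; hesitant about insulin."},
    {"code": "F32.9", "description": "Major depressive disorder", "onset": "2021-11-03",
     "status": "active", "clinician_note": "Referred to behavioral health."},
]


def view_problem_list(user_id, role, patient_id, problems, audit, when=None):
    """Return the minimum-necessary view for `role` and append an audit entry.

    Every attempt is logged, including denied ones, so reviewers can see who
    touched which patient's problem list, when, and which fields were served."""
    allowed = ROLE_VIEW.get(role)
    audit.append({
        "ts": (when or datetime.now(timezone.utc)).isoformat(),
        "user": user_id, "role": role, "patient": patient_id,
        "fields": sorted(allowed) if allowed else [],
        "outcome": "ok" if allowed else "denied",
    })
    if allowed is None:
        raise PermissionError(f"role {role!r} has no defined problem-list view")
    return [{k: v for k, v in p.items() if k in allowed} for p in problems]


def review_audit(audit, care_relationships):
    """Flag audit entries a privacy officer should look at (assumed review rules):
    a treating clinician reading a patient outside their care relationships, and
    any denied access attempt. Returns (finding_type, user, patient) tuples."""
    findings = []
    for e in audit:
        if e["outcome"] == "denied":
            findings.append(("denied_access", e["user"], e["patient"]))
        elif e["role"] == "treating_clinician" and \
                e["patient"] not in care_relationships.get(e["user"], set()):
            findings.append(("no_care_relationship", e["user"], e["patient"]))
    return findings


def demo():
    """Three constructed accesses: a billing read, a clinician read of a patient
    they do not treat, and an attempt from an undefined role."""
    audit = []
    billing_view = view_problem_list("u-billing", "billing", "pt-42", SAMPLE_PROBLEMS, audit)
    view_problem_list("dr-a", "treating_clinician", "pt-99", SAMPLE_PROBLEMS, audit)
    try:
        view_problem_list("u-mkt", "marketing", "pt-42", SAMPLE_PROBLEMS, audit)
    except PermissionError:
        pass
    findings = review_audit(audit, {"dr-a": {"pt-42"}})
    return billing_view, audit, findings


if __name__ == "__main__":
    view, trail, flagged = demo()
    print("billing view:", view)
    print("audit entries:", len(trail))
    print("findings:", flagged)
```

The point of logging the denied attempt as well as the successful reads is that the audit trail, not the access decision alone, is what an incident investigation later depends on; the review rule for care relationships is the kind of check that turns raw audit logs into something an incident-response process can act on.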
De-identified Information and HIPAA
Information that has been properly de-identified is not PHI and falls outside HIPAA’s scope. De-identification allows problem list data to be used for analytics, quality improvement, or research with significantly reduced privacy risk.
Two pathways to de-identification
- Safe Harbor: Remove specified direct identifiers (such as name, full-face photos, detailed contact information, and many others) and have no actual knowledge that the remaining data can identify the individual.
- Expert Determination: A qualified expert applies statistical or scientific principles and documents that the risk of re-identification is very small.
Limited data sets
A limited data set is still PHI but excludes direct identifiers; it may include certain dates and some geographic details (for example, city, state, ZIP code). Limited data sets can be disclosed for research, public health, or health care operations under a data use agreement that restricts re-identification and further disclosure.
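To show the difference between the Safe Harbor method and a limited data set on an actual problem-list record, here is an added Python example (it is not code from the page). It applies the Safe Harbor rules that are fixed by the regulation: drop direct identifiers and geography below state level, keep at most a three-digit ZIP prefix (replaced by 000 when the prefix's combined population is 20,000 or less), reduce dates to the year, and collapse ages over 89 together with any birth year that would reveal such an age. The limited-data-set transform removes the same direct identifiers but keeps dates and city/state/ZIP. The sample record and the low-population ZIP prefix set are constructed placeholders, not authoritative data; a real implementation takes the prefix list from Census figures.

```python
"""Safe Harbor de-identification versus a limited data set for a problem-list
record. Added illustration; the sample record and ZIP prefix set are constructed."""
from copy import deepcopy

# Constructed sample problem-list export for one patient (not real data).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "mrn": "MRN-0001234", "ssn": "123-45-6789",
    "phone": "555-0100", "email": "jane@example.invalid", "street": "12 Example Lane",
    "city": "Springfield", "state": "IL", "zip": "62704",
    "birth_date": "1931-04-17", "age": 93, "admission_date": "2024-03-09",
    "problem_list": [
        {"code": "E11.9", "description": "Type 2 diabetes mellitus", "onset": "2015-06-01"},
        {"code": "I10", "description": "Essential hypertension", "onset": "2010-01-15"},
    ],
}

# Direct identifiers removed by both transforms (subset of the regulatory list).
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "email", "street"}

# Placeholder: three-digit ZIP prefixes whose combined population is 20,000 or
# less must become "000" under Safe Harbor. A real list comes from Census data.
LOW_POPULATION_ZIP3 = {"036", "059", "102"}


def _year_only(date_str):
    """Safe Harbor keeps only the year element of a date (ISO yyyy-mm-dd input)."""
    return date_str[:4] if date_str else None


def _zip3(zip_code):
    """Keep the three-digit prefix unless it identifies a small population."""
    prefix = zip_code[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix


def safe_harbor(record):
    """Return a Safe Harbor de-identified copy of a problem-list record."""
    out = deepcopy(record)
    for key in DIRECT_IDENTIFIERS | {"city"}:   # geography below state level goes too
        out.pop(key, None)
    out["zip"] = _zip3(out["zip"])
    out["admission_date"] = _year_only(out["admission_date"])
    for problem in out["problem_list"]:
        problem["onset"] = _year_only(problem["onset"])
    if out["age"] > 89:
        # Ages over 89 are aggregated, and a birth year that would reveal such
        # an age must be removed as well, not just truncated.
        out["age"] = "90+"
        out["birth_date"] = None
    else:
        out["birth_date"] = _year_only(out["birth_date"])
    return out


def limited_data_set(record):
    """Return a limited-data-set copy: direct identifiers removed, dates and
    city/state/ZIP retained. This is still PHI and needs a data use agreement."""
    out = deepcopy(record)
    for key in DIRECT_IDENTIFIERS:
        out.pop(key, None)
    return out


def has_direct_identifier(record):
    """Check used by both transforms' callers: any direct identifier left behind?"""
    return any(key in record for key in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    print("Safe Harbor:", safe_harbor(SAMPLE_RECORD))
    print("Limited data set:", limited_data_set(SAMPLE_RECORD))
```

The diagnoses themselves survive both transforms; what changes is the surrounding context that could tie them back to a person. Note that Safe Harbor also requires that the entity has no actual knowledge the remaining data could identify the individual, which no transform can check mechanically, and that a rare diagnosis combined with a coarse ZIP prefix is exactly the situation where the Expert Determination pathway is the safer choice.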
Exclusions from Protected Health Information
Some information that involves health or appears in a record is not PHI under HIPAA and therefore is not regulated by the HIPAA Privacy Rule.
- Education records: Student health information maintained by a school subject to FERPA is not PHI.
- Employment records: Health information a covered entity holds in its role as an employer (for example, work-related injury files kept by HR) is not PHI.
- De-identified information: Data stripped of identifiers under HIPAA’s de-identification standards is not PHI.
- Consumer-held data outside HIPAA: Health information stored in apps or devices operated by entities that are neither covered entities nor business associates is not PHI under HIPAA (though other federal or state laws may apply).
- Records of decedents beyond 50 years: HIPAA protections end 50 years after an individual’s death.
Compliance Obligations for Covered Entities
To manage problem lists lawfully and securely, covered entities must operationalize both the HIPAA Privacy Rule and the HIPAA Security Rule. The goal is to enable appropriate clinical use while honoring disclosure restrictions and patient rights.
Core program requirements
- Governance: Designate privacy and security officials; approve and maintain written policies and procedures covering problem list lifecycle management.
- Risk analysis and safeguards: Perform an enterprise-wide risk analysis and implement administrative, physical, and technical safeguards proportional to identified risks.
- Workforce management: Train staff on minimum necessary, role-based access, appropriate documentation practices, and breach reporting.
- Business associate management: Execute business associate agreements; assess vendor security; monitor for incident reporting and subcontractor compliance.
- Patient rights operations: Maintain workflows to fulfill Access to Protected Health Information within 30 days, process amendments, log certain disclosures, and honor reasonable requests for confidential communications.
- Authorizations and disclosures: Obtain valid authorizations where required, apply the minimum necessary standard to most non-treatment disclosures, and document decisions consistently.
- Incident response and breach notification: Investigate suspected incidents, perform risk assessments, mitigate harm, notify affected individuals and regulators as required, and retain documentation.
- Documentation and retention: Retain HIPAA-related policies, procedures, and required documentation for at least six years from the date of creation or last effective date.
Key takeaways
- Problem lists are PHI when held by covered entities or their business associates because they contain Individually Identifiable Health Information about diagnoses and clinical issues.
- Patients have robust rights to access and request amendments to their problem lists, and most non-treatment disclosures are subject to minimum necessary limits.
- For ePHI, the HIPAA Security Rule requires layered safeguards—administrative, physical, and technical—to reduce risk.
- Properly de-identified data falls outside HIPAA; a limited data set can support important activities under a data use agreement.
- Strong compliance programs unite privacy and security practices to keep problem lists accurate, accessible, and protected.
FAQs
Are problem lists always considered protected health information?
Yes, when a problem list can identify a specific person and is created, received, maintained, or transmitted by a covered entity or its business associate, it is PHI. If it is de-identified under HIPAA standards, or if the information is held solely by an entity that is neither a covered entity nor a business associate, it is not PHI under HIPAA.
What rights do patients have regarding their problem lists under HIPAA?
You may inspect and obtain a copy of your problem list, usually within 30 days of a request, request an amendment to correct or clarify entries, ask for certain restrictions on disclosures, request confidential communications, and obtain an accounting of certain disclosures.
How must providers secure problem lists under HIPAA?
Providers must apply administrative, physical, and technical safeguards appropriate to their risks. Practical measures include role-based access controls, unique user IDs, multi-factor authentication, automatic logoff, encryption in transit and, where reasonable and appropriate, at rest, ongoing workforce training, vendor oversight, and active audit logging with incident response procedures.
When is health information considered de-identified and not protected by HIPAA?
Information is de-identified when either (1) the specified identifiers are removed under the Safe Harbor method and the entity has no actual knowledge that the remaining information could identify the individual, or (2) a qualified expert, applying statistical or scientific principles, documents that the risk of re-identification is very small. De-identified data is not PHI and is not subject to HIPAA.