HIPAA Compliance for Functional Assessments: What Counts as PHI and How to Share It Safely
Definition of Protected Health Information
Protected Health Information (PHI) is Individually Identifiable Health Information that is created or received by a covered entity or its business associate and relates to an individual’s past, present, or future physical or mental health, the provision of care, or payment for care. PHI can exist in any format—paper, verbal, or electronic (ePHI).
Information becomes “individually identifiable” when it either directly identifies a person or there is a reasonable basis to believe the person could be identified from it. Common identifiers include names, detailed geography, contact details, dates tied to an event, medical record numbers, account numbers, device IDs, full-face photos, and biometric identifiers.
Not all health-related information is PHI. De-identified data is not PHI if identifiers are removed to the HIPAA Safe Harbor standard or an expert has determined the risk of re-identification to be very small. A limited data set excludes most direct identifiers but remains PHI and requires a data use agreement. Employment records held by an employer and student records covered by FERPA are outside HIPAA.
Identifying PHI in Functional Assessments
Functional assessments—such as occupational therapy evaluations, physical therapy measures, behavioral functional assessments, and activities of daily living (ADL) scoring—often combine clinical findings with demographics and narrative notes. When any identifier links those findings to a specific person, the assessment contains PHI.
Common data elements considered PHI in assessments
- Names, dates of birth, addresses below the state level, phone numbers, and emails listed on assessment forms.
- Medical record numbers, payer IDs, claim numbers, and referral or authorization numbers embedded in templates.
- Narrative notes that mention unique life details (e.g., rare job role, small town, distinctive injury timing) that could identify an individual.
- Photos or videos of mobility, gait, handwriting, or speech, especially when the face, voice, tattoos, or surroundings reveal identity.
- Sensor outputs, app screenshots, and device serial numbers gathered during remote or instrumented assessments.
Items that are typically not PHI (use caution)
- Aggregated, de-identified outcome statistics where individuals cannot be singled out.
- Blank test instruments, general scoring rubrics, or training materials without real patient data.
- Case examples with all identifiers removed and small-cell risks addressed; confirm that “any other unique code” is not traceable back to a person.
When in doubt, treat borderline elements as PHI. Small populations, unusual conditions, or rare job settings can turn seemingly anonymous details into Individually Identifiable Health Information.
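Free-text notes are where identifiers most often slip through. The scanner below is an added example (not code from the original article) that flags structured identifiers such as dates, phone numbers, e-mail addresses and record or claim numbers in a constructed note and shows what redaction leaves behind. The regular expressions are assumptions about common formats, not an exhaustive Safe Harbor check; note that the patient's name and the contextual detail survive, which is exactly the "borderline element" the text warns about.

```python
"""Flag likely direct identifiers in free-text assessment notes.

Added example, not from the original article. The patterns are assumptions
about common formats. A scan like this is a screening aid for reviewers, not
a de-identification method: it cannot catch names it has no list for, nor
narrative context ("only lighthouse keeper in the county") that identifies a
person without any formal identifier.
"""
import re

# Constructed sample note; no real patient data.
SAMPLE_NOTE = (
    "Pt Jane Sample (MRN-000123, DOB 04/12/1970) seen 03/05/2024 for OT FCE. "
    "Call 555-010-0100 or jane@example.com with results. Claim CLM-9876. "
    "ADL total 42; gait speed 0.8 m/s. Only lighthouse keeper in the county."
)

# Identifier classes drawn from the HIPAA identifier list; formats are assumed.
PATTERNS = {
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # Record, claim, authorization and referral numbers as they appear in templates.
    "record_number": re.compile(r"\b(?:MRN|CLM|AUTH|REF)-?\d+\b"),
}


def find_identifiers(text):
    """Return (kind, offset, matched_text) for each likely identifier, by position."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((kind, match.start(), match.group(0)))
    return sorted(hits, key=lambda hit: hit[1])


def redact(text, hits):
    """Replace each matched identifier with a bracketed type label."""
    redacted = text
    for kind, _, found in hits:
        redacted = redacted.replace(found, f"[{kind.upper()}]")
    return redacted


if __name__ == "__main__":
    found = find_identifiers(SAMPLE_NOTE)
    for kind, offset, value in found:
        print(f"{offset:4d} {kind:14s} {value}")
    print(redact(SAMPLE_NOTE, found))
```

Run against a batch of exported notes, the hit list tells a reviewer which notes need a human pass; the redacted output is a starting point for a training or QA sample, not a finished de-identified record.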
Permitted Uses and Disclosures of PHI
HIPAA permits certain uses and disclosures of PHI without Written Patient Authorization. The most common are for Treatment, Payment, and Healthcare Operations (often shortened to TPO).
Disclosures allowed without authorization
- Treatment: Sharing relevant assessment findings with other providers to coordinate care or referrals.
- Payment: Providing necessary portions of assessments to health plans for eligibility, prior authorization, medical necessity, and billing.
- Healthcare operations: Quality improvement, peer review, internal training, auditing, or compliance activities aligned with operations.
- Required by law or for specific public interest purposes: For example, public health reporting, health oversight, certain judicial or administrative proceedings, and workers’ compensation where applicable.
- To the individual (or personal representative): You may provide access to the patient’s own PHI upon request.
- Research under a waiver or as a limited data set with a data use agreement, when applicable.
Psychotherapy notes receive heightened protection and usually require separate authorization, and marketing and the sale of PHI are subject to additional restrictions. Always confirm state-specific rules that may be more protective than HIPAA.
Applying the Minimum Necessary Standard
The Minimum Necessary Standard requires you to limit PHI uses, disclosures, and requests to the least amount needed to accomplish the purpose. This standard applies broadly but not to every situation. It does not apply to disclosures to or requests by a provider for treatment, disclosures to the individual, uses or disclosures made pursuant to an authorization, or disclosures required by law.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Putting minimum necessary into practice
- Role-based access: Define who in your team needs which parts of an assessment (e.g., therapists vs. billing staff) and configure systems accordingly.
- Standardized templates: Create versions for clinical coordination, payer submissions, and internal QA so each contains only what that audience needs.
- Targeted redaction: Remove extraneous narrative details, exact addresses, or images when they are not needed for the purpose.
- Data segmentation: Separate identifiers from clinical findings where feasible and use coded references instead of names in internal analyses.
- Verification before disclosure: Confirm the recipient’s identity and right to receive the information and disclose only the requested scope.
Examples
- Payment review: Send functional scores, relevant dates, and therapy frequency, but omit unrelated history or full video files.
- Operations audit: Provide samples with identifiers masked unless a specific identifier is needed to resolve a compliance question.
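The practice list and examples above describe one procedure: decide per audience which fields of an assessment are needed, replace identifiers with coded references for internal analyses, and record what was disclosed. The following is an added example (not code from the original article or any product) that implements that procedure over a constructed assessment record. The field names, the three audiences and their allow-lists are assumptions standing in for your own templates; treatment is passed through whole because the standard does not apply to treatment disclosures.

```python
"""Minimum-necessary views of a functional-assessment record, per audience.

Added example, not from the original article. Field names, audiences and the
allow-lists are assumptions; map them onto your own assessment templates.
"""
import secrets
from copy import deepcopy
from datetime import datetime, timezone

# Constructed sample record; no real patient data.
SAMPLE_ASSESSMENT = {
    "name": "Jane Q. Sample",
    "dob": "1970-04-12",
    "address": "12 Elm St, Smalltown, ST 00000",
    "phone": "555-0100",
    "mrn": "MRN-000123",
    "claim_number": "CLM-9876",
    "eval_date": "2024-03-05",
    "therapy_frequency": "2x/week",
    "scores": {"ADL_total": 42, "gait_speed_mps": 0.8},
    "narrative": "Only lighthouse keeper in the county; fell on 2024-02-29.",
    "video_files": ["gait_front.mp4"],
}

DIRECT_IDENTIFIERS = {"name", "dob", "address", "phone", "mrn", "claim_number"}

# Allow-list per audience (assumed). None means "whole record": treatment
# disclosures are exempt from the minimum necessary standard.
VIEWS = {
    "treatment": None,
    "payment": {"mrn", "claim_number", "eval_date", "therapy_frequency", "scores"},
    "operations_qa": {"eval_date", "therapy_frequency", "scores"},
}


class CodeBook:
    """Maps a medical record number to a random subject code.

    This is the data-segmentation step: the book stays with the clinical team,
    not with the coded analysis data. Coded records are still PHI, because the
    book can link them back; they are simply less exposed in internal analyses.
    """

    def __init__(self):
        self._codes = {}

    def code_for(self, mrn):
        if mrn not in self._codes:
            self._codes[mrn] = "SUBJ-" + secrets.token_hex(4)
        return self._codes[mrn]


def minimum_necessary_view(record, audience, codebook=None):
    """Return a copy of the record holding only what the audience needs."""
    if audience not in VIEWS:
        raise ValueError(f"no approved view for audience: {audience}")
    allowed = VIEWS[audience]
    if allowed is None:
        return deepcopy(record)
    view = {key: deepcopy(value) for key, value in record.items() if key in allowed}
    if audience == "operations_qa":
        if codebook is None:
            raise ValueError("operations views need a codebook to mask identity")
        view["subject_code"] = codebook.code_for(record["mrn"])
    return view


def has_no_direct_identifiers(view):
    """True when none of the direct identifier fields remain in the view."""
    return not (DIRECT_IDENTIFIERS & set(view))


def log_disclosure(log, audience, recipient, view):
    """Append an accounting entry recording which fields went where (not their values)."""
    entry = {
        "at": datetime.now(timezone.utc).isoformat(),
        "audience": audience,
        "recipient": recipient,
        "fields": sorted(view),
    }
    log.append(entry)
    return entry


if __name__ == "__main__":
    book, log = CodeBook(), []
    payer_view = minimum_necessary_view(SAMPLE_ASSESSMENT, "payment")
    qa_view = minimum_necessary_view(SAMPLE_ASSESSMENT, "operations_qa", book)
    log_disclosure(log, "payment", "Example Health Plan", payer_view)
    log_disclosure(log, "operations_qa", "Internal QA", qa_view)
    print(payer_view)
    print(qa_view)
    print(log)
```

The allow-lists are the part to review with the people who actually use each view: a payer reviewer who routinely asks for the narrative is a signal that the template, not the reviewer, needs changing. The disclosure log records field names only, so the log itself does not become a second copy of the PHI it accounts for.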
Safeguarding PHI in Assessments
Effective Security Measures for PHI combine administrative, technical, and physical safeguards. Conducting a Risk Analysis in HIPAA Compliance—and acting on its findings—is central to reducing the likelihood and impact of ePHI breaches.
Administrative safeguards
- Risk analysis and risk management: Identify where PHI lives in your assessment workflow (forms, images, portals, email) and mitigate prioritized risks.
- Policies and procedures: Define how assessments are documented, transmitted, stored, retained, and disposed of, including bring-your-own-device rules.
- Training and sanctions: Teach staff how to recognize PHI in free-text notes, photos, and videos, and enforce consequences for violations.
- Contingency planning: Back up ePHI, test recovery, and document how you will continue assessments during outages.
Technical safeguards
- Access controls and MFA: Issue unique user IDs, enforce strong authentication, and disable dormant accounts.
- Encryption in transit and at rest: Protect files, videos, and sensor data during upload, storage, and sharing.
- Audit controls: Log who accessed assessment records, what was viewed or exported, and when.
- Integrity and transmission protection: Use secure messaging or portals instead of email; if email is used, apply safeguards and avoid identifiers in subject lines.
Physical safeguards
- Secure locations: Lock paper files, recording devices, and removable media; restrict areas where assessments are conducted and stored.
- Device protections: Enable automatic logoff, full-disk encryption, and remote wipe on laptops, tablets, and phones used for assessments.
- Media disposal: Shred paper and securely wipe or destroy media when no longer needed per retention policies.
For telehealth or remote assessments, disable default recordings unless clinically necessary, use unique meeting links, and ensure your vendor offers a Business Associate Agreement before enabling PHI features.
Sharing PHI with Business Associates
A business associate is a vendor or subcontractor that creates, receives, maintains, or transmits PHI on your behalf. Examples include EHR platforms, billing services, cloud storage, dictation or transcription services, telehealth systems, analytics firms, and secure messaging providers.
Business Associate Agreement essentials
- Permitted uses and disclosures: Specify exactly how the vendor may handle PHI and for what purposes.
- Safeguards and compliance: Require administrative, technical, and physical protections aligned with HIPAA.
- Breach reporting: Define timelines and content for incident and breach notifications.
- Subcontractor flow-down: Ensure the vendor binds its subcontractors to the same protections.
- Termination and return/destruction: Clarify how PHI will be returned or destroyed when the relationship ends.
Practical steps when engaging vendors
- Evaluate security posture: Review SOC reports or security summaries and map them to your Risk Analysis in HIPAA Compliance.
- Execute the Business Associate Agreement before sharing PHI; do not upload or transmit assessments until it is signed.
- Apply the Minimum Necessary Standard: Limit data fields, disable unnecessary features, and configure role-based access.
- Monitor and audit: Periodically review access logs, disclosure logs, and vendor performance.
Note: A mere “conduit” that transmits information without persistent storage (e.g., certain carriers) may not be a business associate, but many modern services store data and therefore require a Business Associate Agreement.
Obtaining Patient Authorization for Disclosure
When a use or disclosure is not otherwise permitted by HIPAA, that is, it falls outside TPO and the other specific allowances, you must obtain Written Patient Authorization before sharing PHI. Common scenarios include sending an assessment to an employer, school, attorney, or media outlet; many research uses; marketing communications; and disclosures involving psychotherapy notes or the sale of PHI.
What a valid authorization includes
- Specific description of the information to be disclosed (e.g., “OT functional capacity evaluation dated MM/DD/YYYY, including scores and summary”).
- Who may disclose and who may receive the PHI.
- The purpose of the disclosure or a statement that the individual requests it.
- An expiration date or event.
- Statements about the individual’s right to revoke, the potential for redisclosure by recipients, and any consequences of refusing to sign.
- Signature and date; electronic signatures are acceptable if they reliably identify the signer and meet applicable requirements.
Best practices for authorizations
- Use plain language and separate the authorization from other forms when practical.
- Confirm identity before releasing PHI and verify the recipient’s address or secure channel.
- Honor revocations prospectively and document all disclosures in your tracking process.
- Apply the Minimum Necessary Standard when the authorization’s scope allows discretion.
Key takeaways
- Treat assessment content as PHI whenever it can identify a person or be linked back to them.
- Rely on TPO (treatment, payment, and healthcare operations) and other defined allowances where appropriate, but default to minimum necessary.
- Back safeguards with a current Risk Analysis, strong Security Measures for PHI, and solid Business Associate Agreements.
- When in doubt, obtain Written Patient Authorization and document your process.
FAQs
What information in functional assessments is considered PHI?
Any assessment content that can identify a specific individual—alone or in combination—counts as PHI. This includes names, detailed addresses, dates tied to events, images or videos, medical record or claim numbers, device IDs, and narrative notes that reveal unique facts. Even scores or sensor outputs become PHI when linked to identifiers or reasonably re-identifiable details.
How can PHI be shared without patient authorization?
You may share PHI without authorization for Treatment, Payment, and Healthcare Operations, as well as when required by law or for certain public interest purposes. Apply the Minimum Necessary Standard to payment, operations, and most other disclosures, verify the recipient’s identity and need-to-know, and log what you shared. For vendor sharing, have a signed Business Associate Agreement in place first.
What safeguards are required to protect PHI?
Use a layered approach: administrative safeguards (policies, training, Risk Analysis in HIPAA Compliance, incident response), technical safeguards (access controls, MFA, encryption, audit logs, secure transmission), and physical safeguards (locked storage, device protections, secure disposal). Configure systems and templates so assessment data follows minimum necessary by default.
When is patient authorization required for PHI disclosure?
Authorization is required when a use or disclosure is not otherwise permitted by HIPAA—such as sending an assessment to an employer or school, many research uses without a waiver, most marketing, selling PHI, or disclosing psychotherapy notes. A valid Written Patient Authorization must clearly define the information, parties, purpose, expiration, and revocation rights before you release the PHI.