Is Patient Satisfaction Data HIPAA-Protected? What Counts as PHI and How to Protect It
Patient Satisfaction Data and HIPAA
When patient satisfaction data is HIPAA-protected
Patient satisfaction data is HIPAA-protected when it includes individually identifiable health information created, received, maintained, or transmitted by a covered entity or its business associate. If a survey response can reasonably identify a patient and relates to the individual’s care, condition, or payment, it is protected health information (PHI).
When patient satisfaction data is not HIPAA-protected
Aggregated, anonymized results that cannot identify a person are not PHI. De-identified data—properly stripped of identifiers—can be used for benchmarking or public reporting without triggering HIPAA obligations. However, any link back to a medical encounter or small-cell details that could re-identify individuals brings the dataset back into PHI territory.
Common survey scenarios
- Post-visit email or SMS surveys sent by a vendor under a BAA: PHI is involved; treat as HIPAA data.
- Public star ratings or testimonials that name a patient or reveal treatment context: PHI unless you have written authorization.
- Internal dashboards with unit-level scores and tiny sample sizes: potentially re-identifiable; apply suppression rules.
Definition of PHI
PHI is a subset of individually identifiable health information held by a covered entity or business associate that relates to an individual’s past, present, or future physical or mental health, the provision of care, or payment for care. PHI is protected in any form—oral, paper, or electronic.
Two elements must both be present: the information must identify the individual (or offer a reasonable basis to do so), and it must concern health, care delivery, or payment. Satisfaction responses tied to a visit, provider, or bill typically meet both criteria.
Identifiers Constituting PHI
Under HIPAA’s “Safe Harbor,” the following identifiers make data identifiable if present alongside health-related details:
- Names
- Geographic subdivisions smaller than a state (e.g., street address, city, ZIP code with certain exceptions)
- All elements of dates (except year) directly related to an individual (e.g., birth, admission, discharge, death); ages over 89 must be aggregated
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (e.g., fingerprints, voiceprints)
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
De-Identification of PHI
Safe Harbor method
Remove all 18 identifiers listed above and ensure you have no actual knowledge that remaining information could identify the individual. For satisfaction data, also eliminate free-text comments that might reveal identity, then publish only sufficiently large aggregates.
Expert Determination method
A qualified expert applies statistical and scientific principles to determine that the risk of re-identification is very small. For surveys, this often includes cell suppression, generalization (e.g., broader age bands), and perturbation. Maintain written documentation of the expert’s analysis.
Limited Data Set
A limited data set allows certain fields (e.g., dates, limited geography) for research, public health, or operations under a Data Use Agreement. It remains PHI and is not de-identified data, but it reduces re-identification risk while enabling analysis.
Practical tips for survey de-identification
- Suppress or combine categories with small counts (e.g., fewer than 11 responses).
- Strip or review free-text to remove names, locations, or treatment clues.
- Publish only aggregated unit or service-line results with sufficient sample size.
- Randomly round or bin sensitive metrics to prevent linkage attacks.
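As an added illustration of the Safe Harbor stripping and the small-cell suppression rule described above (example code written for this article, not the article's or any vendor's code; the field names, regexes and sample responses are constructed):

```python
import re
from collections import defaultdict

# Assumed export fields; "name", "email", "mrn" and "phone" are Safe Harbor direct identifiers.
DIRECT_IDENTIFIERS = {"name", "email", "mrn", "phone"}
# Crude patterns for identifiers that leak into free text; names and diagnoses need a human pass.
FREE_TEXT_PATTERNS = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),
    (re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b"), "[PHONE]"),
]

def make_responses():
    """Constructed sample data: 12 Cardiology responses and 2 Oncology responses."""
    rows = []
    for i in range(12):
        rows.append({"name": f"Patient {i}", "email": f"p{i}@example.com",
                     "mrn": f"MRN-{1000 + i}", "unit": "Cardiology",
                     "visit_date": f"2024-03-{10 + i:02d}", "score": 4 + (i % 2),
                     "comment": "Nurse was kind"})
    rows.append({"name": "Ann Lee", "email": "ann@example.com", "mrn": "MRN-2001",
                 "unit": "Oncology", "visit_date": "2024-04-02", "score": 5,
                 "comment": "Dr. Smith helped, reach me at 555-123-4567 or me@example.com"})
    rows.append({"name": "Bo Chan", "email": "bo@example.com", "mrn": "MRN-2002",
                 "unit": "Oncology", "visit_date": "2024-04-03", "score": 2,
                 "comment": "Long wait"})
    return rows

def strip_identifiers(record):
    """Safe Harbor pass: drop direct identifiers, keep only the visit year, redact emails/phones."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["visit_year"] = out.pop("visit_date")[:4]  # dates reduced to year only
    text = out.get("comment", "")
    for pattern, replacement in FREE_TEXT_PATTERNS:
        text = pattern.sub(replacement, text)
    out["comment"] = text
    return out

def aggregate(records, min_cell=11):
    """Per-unit mean score; units with fewer than min_cell responses are suppressed, not reported."""
    groups = defaultdict(list)
    for r in records:
        groups[r["unit"]].append(r["score"])
    report = {}
    for unit, scores in groups.items():
        if len(scores) < min_cell:
            report[unit] = {"n": None, "mean": None, "suppressed": True}
        else:
            report[unit] = {"n": len(scores), "mean": round(sum(scores) / len(scores), 1), "suppressed": False}
    return report
```

Note that "Dr. Smith" survives the regex pass, which is why free text still needs manual review before release.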
Protecting PHI
Administrative safeguards
- Conduct a documented risk analysis specific to satisfaction processes and systems.
- Adopt policies for minimum necessary use, data retention, and disposal.
- Train staff and vendors on privacy, sanctioned uses, and incident reporting.
- Execute Business Associate Agreements (BAAs) with survey vendors and analytics partners.
- Designate privacy and security officers and test your incident response plan.
Physical safeguards
- Secure facilities and workstations; restrict access to areas where PHI is handled.
- Control devices and media that store survey exports; track movement and disposal.
- Lock file storage and use shredding or certified destruction for paper artifacts.
Technical safeguards
- Enforce role-based access, unique user IDs, MFA, and automatic logoff.
- Encrypt PHI in transit and at rest, including backups and exports.
- Enable audit logs, integrity monitoring, and anomaly detection for survey platforms.
- Segment environments; never mix production PHI with unsecured test data.
Operational considerations for surveys
- Use secure data pipelines from EHR/registration systems to survey tools.
- Verify opt-outs and communication preferences before outreach.
- Avoid disclosing PHI in public responses to online reviews; move the conversation offline.
HIPAA Compliance Requirements
Privacy Rule
You may use PHI for health care operations, which includes quality assessment and patient satisfaction, without patient authorization—if you limit access to the minimum necessary and keep it internal or with a business associate under a BAA. Any external marketing or public testimonial that identifies a patient requires written authorization.
Security Rule
Implement administrative, physical, and technical safeguards proportionate to risk. For patient satisfaction systems, that means hardening endpoints, securing integrations, and continuously monitoring access to reduce exposure of survey responses.
Breach Notification Rule
If unsecured PHI is impermissibly accessed, used, or disclosed, assess the probability of compromise. When a breach is confirmed, notify affected individuals without unreasonable delay and no later than 60 days after discovery, and follow required reporting thresholds for regulators and, when applicable, the media.
Documentation and oversight
- Maintain policies, risk analyses, vendor due diligence, and training records.
- Map data flows for satisfaction outreach, reporting, and archival.
- Review BAAs annually and test contingency plans for system outages.
Risks of Unauthorized Disclosure
Common failure points
- Misdirected messages or attachments containing raw survey exports.
- Publishing unit-level dashboards with small cells that re-identify patients.
- Free-text comments revealing names, diagnoses, or locations.
- Responding publicly to reviews with treatment or visit details.
- Unvetted vendors lacking sufficient safeguards or a BAA.
Consequences
- Regulatory enforcement with tiered civil monetary penalties and corrective action plans.
- Criminal charges in cases of intentional misuse, up to imprisonment for egregious offenses.
- Contractual liability for BAA violations and costly incident response.
- Reputational damage, patient distrust, and operational disruption.
FAQs
What constitutes PHI under HIPAA?
PHI is individually identifiable health information held by a covered entity or business associate that relates to health status, care provision, or payment. It includes any data that identifies a person (directly or indirectly) in connection with health-related details, regardless of format.
How is patient satisfaction data classified under HIPAA?
It is PHI when responses can identify a patient and are linked to a health encounter, provider, or billing context. If you properly remove identifiers and prevent re-identification—producing de-identified data—aggregate satisfaction metrics fall outside HIPAA.
What methods are used to de-identify PHI?
Two are recognized: Safe Harbor, which removes 18 identifiers with no residual knowledge of identity, and Expert Determination, in which a qualified expert documents that re-identification risk is very small using statistical techniques such as suppression and generalization.
What penalties exist for unauthorized PHI disclosure?
Penalties range from corrective action plans and tiered civil monetary fines to criminal charges for intentional misuse. Organizations may also face breach notifications, regulatory oversight, contractual damages, and reputational harm that can significantly exceed direct fines.