OPS-SOP-032 — PHI Access Controls & Redaction Protocol
1. Purpose & Scope
This SOP establishes access controls for Protected Health Information (PHI) and the redaction protocol that must be applied before sharing any claims data or health-related reports externally. It implements the HIPAA Minimum Necessary Standard, which requires that PHI be accessed, used, and disclosed only to the extent necessary to accomplish the intended purpose.
This SOP applies to all staff, contractors, and vendors of Unity Care Solutions who access, handle, process, or transmit PHI on behalf of the Unity Care Member Plan Master Trust. Compliance is mandatory. Violations may result in disciplinary action and HIPAA breach notification obligations.
HIPAA Minimum Necessary Standard (45 CFR § 164.502(b)): When using or disclosing PHI or requesting PHI from another covered entity, Unity Care must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose.
2. What Constitutes PHI
PHI is any individually identifiable health information that relates to a person's past, present, or future physical or mental health condition, the provision of health care to that person, or the past, present, or future payment for health care. PHI includes the following identifiers when combined with health information:
- Member names and initials
- Dates of birth, admission, discharge, or death
- Social Security Numbers (SSNs)
- Member IDs and plan enrollment numbers
- Geographic data more specific than state (zip codes, addresses)
- Phone numbers, fax numbers, email addresses
- Diagnosis codes (ICD-10), procedure codes, drug codes when linked to an individual
- Claims data, Explanation of Benefits (EOBs), or any record linking a person to a health service or cost
3. Authorized PHI Access — Roles & Scope
| Role / Party | Authorized Access Scope | BAA Required? | Notes |
| Operations | Full PHI access for claims processing, member eligibility verification, and plan administration | N/A (workforce) | Minimum necessary applies to each specific task |
| Finance | Minimum necessary PHI for billing reconciliation and premium collection. Aggregate claims totals preferred; individual-level PHI only when reconciliation requires it. | N/A (workforce) | Finance staff must not access individual health/diagnosis data unless specifically required |
| Legal Counsel (Dickinson Wright) | PHI relevant to specific legal matters, litigation, compliance review, or regulatory response | Required — confirm BAA on file before sharing | Share only PHI directly relevant to the legal matter at hand |
| Gradient AI | Claims and health data for risk screening purposes only (per BAA scope) | Required — CRITICAL: BAA not yet executed as of this writing | DO NOT share PHI with Gradient AI until BAA is executed (see OPS-SOP-033) |
| Allied Benefit Systems | Full PHI access for TPA functions (claims adjudication, eligibility, enrollment) | Required — BAA on file ✔ | Verify BAA is current annually |
| Davies Actuarial | De-identified or aggregated claims data for actuarial analysis; individual-level data only when required for specific analysis | Required — confirm BAA on file | Request de-identified datasets wherever possible |
| Employer Plan Administrators | Limited to their own employees' plan information; may not access other employers' member PHI | Plan document provisions apply; HIPAA wall between employer HR and health plan data | Do not provide individual-level claims data to employer HR without specific legal basis |
No other party is authorized to access PHI unless specifically added to this table by the Operations Director with Legal Counsel review and a confirmed executed BAA. Any vendor, consultant, or contractor requesting PHI access who is not listed here must first be evaluated under the BAA process (OPS-SOP-033).
4. PHI — Prohibited Actions
The following actions are strictly prohibited for all staff and contractors:
| Prohibited Action | Why Prohibited |
| Emailing PHI in unencrypted form | Unencrypted email is not a secure transmission method under the HIPAA Security Rule. Constitutes a potential breach. |
| Storing PHI on personal cloud drives (personal Google Drive, personal Dropbox, iCloud, etc.) | Personal drives are not covered by Unity Care's security controls and BAAs. Creates uncontrolled PHI disclosure. |
| Sharing PHI with any vendor or third party that does not have an executed BAA | HIPAA violation. May require breach notification. See OPS-SOP-033 for BAA registry. |
| Including unredacted member names, SSNs, DOBs, or member IDs in meeting notes, presentations, or documents distributed externally | External distribution of identifiable PHI without authorization constitutes a disclosure requiring authorization or applicable exception. |
| Printing PHI without a legitimate, documented business need and secure physical handling plan | Physical PHI is subject to the same protections as electronic PHI; unsecured physical copies create breach risk. |
| Discussing individual member health or claims information in non-private settings (open offices, calls where unauthorized parties are present) | Verbal disclosures of PHI are subject to HIPAA. Use private settings for PHI discussions. |
5. Redaction Protocol — Before External Sharing
Before sharing any claims data, utilization reports, or health-related documents with any external party (including employers, brokers, reinsurance carriers, actuaries, or regulators), the following redaction protocol must be applied:
Step 1: Determine Whether Aggregated Data Suffices
Evaluate whether the external party's legitimate purpose can be met with aggregated, de-identified data (e.g., group-level PMPM, claim count by category, total spend by service type). Use aggregated data wherever possible. Individual-level data should only be shared when strictly necessary and within BAA scope.
Step 2: Identify PHI Elements in the Document
Review the document or dataset for all 18 HIPAA identifiers. At minimum, check for: member names, DOBs, SSNs, member IDs, addresses/zip codes, phone numbers, diagnosis codes linked to individuals, and procedure codes linked to individuals.
Step 3: Redact or Replace Identifiers
- Member names → Replace with "Member [#]" or remove entirely
- DOBs → Replace with age band (e.g., "Age 45-54") or remove
- SSNs → Remove entirely (never needed externally)
- Member IDs → Replace with an internal tracking number or remove
- Zip codes (if 5-digit) → Truncate to first 3 digits if population < 20,000; otherwise retain
- Diagnosis/procedure codes linked to individuals → Aggregate to category level or remove
Step 4: Verify Redaction Completeness
A second Operations team member (or the Operations Director for sensitive reports) reviews the redacted document to confirm all identifiers have been removed. The reviewer signs off in the document log before distribution.
Step 5: Transmit via Secure Channel Only
Redacted documents must still be transmitted via secure methods (encrypted email, secure file transfer portal, or platform provided under BAA). Document the date, recipient, transmission method, and document name in the distribution log.
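The Step 3 replacement rules and the Step 4 completeness check, worked through on a constructed claims extract. This is an added illustration, not Unity Care's own tooling: the member rows, the population figures per 3-digit zip prefix, the reporting date, the "TRK-" tracking-number format and the "UC-" member-ID format are all assumptions made for the example.

```python
import re
from datetime import date
# Constructed sample claims rows (fictitious members) used to show the Step 3 rules.
SAMPLE_CLAIMS = [
    {"member_name": "Jane Q. Example", "dob": "1976-03-14", "ssn": "123-45-6789", "member_id": "UC-0001",
     "zip": "49503", "diagnosis_code": "E11.9", "procedure_code": "99213", "paid_amount": 182.50},
    {"member_name": "Jane Q. Example", "dob": "1976-03-14", "ssn": "123-45-6789", "member_id": "UC-0001",
     "zip": "49503", "diagnosis_code": "E11.65", "procedure_code": "80053", "paid_amount": 41.00},
    {"member_name": "John Sample", "dob": "1999-11-02", "ssn": "987-65-4321", "member_id": "UC-0002",
     "zip": "59854", "diagnosis_code": "J06.9", "procedure_code": "99203", "paid_amount": 120.00},
]
# Assumed population per 3-digit zip prefix (constructed, not census data) and reporting date.
POPULATION_BY_ZIP3 = {"495": 250000, "598": 12000}
AS_OF = date(2026, 1, 1)

def age_band(dob_iso, as_of=AS_OF):
    """Step 3: replace a DOB with a 10-year age band such as 'Age 45-54'."""
    dob = date.fromisoformat(dob_iso)
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    lo = (age - 5) // 10 * 10 + 5 if age >= 5 else 0
    return f"Age {lo}-{4 if lo == 0 else lo + 9}"

def redact_zip(zip5, population_by_zip3=POPULATION_BY_ZIP3, threshold=20000):
    """Step 3 zip rule as the SOP states it: first 3 digits if the 3-digit area's population < threshold, else retain."""
    return zip5[:3] if population_by_zip3.get(zip5[:3], 0) < threshold else zip5

def redact_claims(rows):
    """Apply Step 3 to every row; the same member_id always gets the same 'Member [#]' label and tracking number."""
    tracking, out = {}, []
    for row in rows:
        n = tracking.setdefault(row["member_id"], len(tracking) + 1)
        out.append({
            "member": f"Member {n}",                    # name -> Member [#]
            "tracking_no": f"TRK-{n:04d}",               # member ID -> internal tracking number (assumed format)
            "age_band": age_band(row["dob"]),            # DOB -> age band
            "zip": redact_zip(row["zip"]),
            "diagnosis_category": row["diagnosis_code"].split(".")[0],  # ICD-10 3-character category
            "paid_amount": row["paid_amount"],          # SSN and procedure code are dropped entirely
        })
    return out

IDENTIFIER_PATTERNS = [re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),   # SSN
                       re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),   # ISO date (DOB)
                       re.compile(r"\bUC-\d{4}\b")]            # original member ID format (assumed)

def residual_identifiers(rows):
    """Step 4 aid: patterns still matched anywhere in rows; [] means the automated check passed."""
    return [p.pattern for row in rows for v in map(str, row.values())
            for p in IDENTIFIER_PATTERNS if p.search(v)]
```

The pattern scan only supports the human second-reviewer sign-off required by Step 4; it does not replace it, since names and free-text fields carry no fixed pattern.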
6. PHI Storage Location
TBD — Action Required: Operations Director and IT/Legal (Dickinson Wright) to confirm the designated PHI-secure electronic storage system. The system must meet HIPAA Security Rule requirements: access controls with unique user authentication, encryption at rest and in transit, automatic logoff, audit logs of access and modifications, and disaster recovery capability. Until a system is formally confirmed, all PHI must be stored in the most secure system currently available, with access restricted to authorized Operations staff only.
Interim requirements until formal system is confirmed:
- PHI files must be stored in a folder/directory with access restricted to named authorized users only
- No PHI files on shared drives accessible to all staff
- No PHI files on personal devices or personal cloud accounts
- Access log must be manually maintained until automated audit logging is in place
7. Breach Response — Initial Steps
If a potential PHI breach is identified (unauthorized access, disclosure, loss, or theft of PHI), the following immediate steps apply. Full breach response process is governed by OPS-SOP-033 — BAA Registry & Breach Response.
Step 1: Immediate Notification to Operations Director
Any staff member who discovers or suspects a PHI breach must notify the Operations Director immediately — the same business day. Do not wait to investigate before notifying. Early notification is critical to preserve notification deadlines.
Step 2: Notify Legal Counsel Within 24 Hours
Operations Director notifies Legal Counsel (Dickinson Wright PLLC) within 24 hours of discovery. Legal Counsel advises on breach assessment, notification obligations, and regulatory reporting.
Step 3: HHS Notification if 500+ Members Affected
If the breach affects 500 or more members, HHS must be notified within 60 days of discovery of the breach. If 500 or more members in a single state are affected, media notification in that state is also required. See OPS-SOP-033 for the full breach response process.
HIPAA Breach Notification Rule (45 CFR §§ 164.400-414): A breach is presumed to require notification unless Unity Care can demonstrate through a four-factor risk assessment that there is a low probability that PHI was compromised. The burden of proof is on Unity Care. When in doubt — notify.
8. Training & Acknowledgment
All staff and contractors with access to PHI must:
- Complete HIPAA training upon hire and annually thereafter
- Sign a PHI Confidentiality Acknowledgment upon hire and upon any material update to this SOP
- Acknowledge receipt and understanding of this SOP
Operations maintains training completion records. Vendors accessing PHI under BAA are responsible for ensuring their own workforce training compliance.