What is Considered PHI Under HIPAA?
In a healthcare environment, you are likely to hear health information referred to as protected health information or PHI, but what is considered PHI under HIPAA?
What is Considered PHI Under HIPAA Rules?
Under HIPAA PHI is considered to be any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity – a healthcare provider, health plan or health insurer, or a healthcare clearinghouse – or a business associate of a HIPAA-covered entity, in relation to the provision of healthcare or payment for healthcare services.
It is not only past and current health information that is considered PHI under HIPAA Rules, but also future information about medical conditions or physical and mental health related to the provision of care or payment for care. PHI is health information in any form, including physical records, electronic records, or spoken information.
Therefore, PHI includes health records, health histories, lab test results, and medical bills. Essentially, all health information is considered PHI when it includes individual HIPAA identifiers. Demographic information is also considered PHI under HIPAA Rules, as are many common identifiers such as patient names, Social Security numbers, Driver’s license numbers, insurance details, and birth dates, that when they are linked with health information become HIPAA identifiers.
The 18 HIPAA identifiers that make health information PHI are:
- Dates, except year
- Telephone numbers
- Geographic data
- FAX numbers
- Social Security numbers
- Email addresses
- Medical record numbers
- Account numbers
- Health plan beneficiary numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers including license plates
- Web URLs
- Device identifiers and serial numbers
- Internet protocol addresses
- Full face photos and comparable images
- Biometric identifiers (i.e. retinal scan, fingerprints)
- Any unique identifying number or code
One or more of these HIPAA identifiers turns health information into PHI, and PHI HIPAA Privacy Rule restrictions will then apply which limit uses and disclosures of the information. HIPAA covered entities and their business associates will also need to ensure appropriate technical, physical, and administrative safeguards are implemented to ensure the confidentiality, integrity, and availability of PHI as stipulated in the HIPAA Security Rule.
When is PHI not PHI?
There is a common misconception that all health information is considered PHI under HIPAA, but there are some exceptions.
First, it depends who records the information. A good example would be health trackers – either physical devices worn on the body or apps on mobile phones. These devices can record health information such as heart rate or blood pressure, which would be considered PHI under HIPAA Rules if the information was recorded by a healthcare provider or was used by a health plan.
However, HIPAA only applies to HIPAA-covered entities and their business associates, so if the device manufacturer or app developer has not been contracted by a HIPAA -covered entity or a business associate, the information recorded would not be considered PHI under HIPAA.
The same applies to education or employment records. A hospital may hold data on its employees, which can include some health information – allergies or blood type for instance – but HIPAA does not apply to employment records, and neither education records.
Under HIPAA, PHI ceases to be PHI if it is stripped of all identifiers that can tie the information to an individual. If the above identifiers are removed the health information is referred to as de-identified PHI. For de-identified PHI, HIPAA Rules no longer apply.
The complexity of determining if information is considered PHI implies that both medical and non-medical administrative staff also need to receive HIPAA training in the definition of PHI.
What is Considered PHI Under HIPAA FAQs
What is the difference between PHI and ePHI?
The different between PHI and ePHI is that ePHI refers to Protected Health Information that is created, used, shared, or stored electronically – for example on an Electronic Health Record, in the content of an email, or in a cloud database. Both PHI and ePHI are subject to the same protections under the HIPAA Privacy Rule, while the HIPAA Security Rule and the HITECH Act mostly relate to ePHI.
Does the Privacy Rule apply to both paper and electronic health information?
Due to the language used in the original Health Insurance Portability and Accountability Act, there is a misconception that HIPAA only applies to electronic health records. While the protection of electronic health records was addressed in the HIPAA Security Rule, the Privacy Rule applies to all types of health information regardless of whether it is stored on paper or electronically, or communicated orally.
If an individual calls a dental surgery to make an appointment and leaves their name and telephone number, is that PHI?
No, because although names and telephone numbers are individual identifiers, at the time the individual calls the dental surgery there is no health information associated with them. Only once the individual undergoes treatment, and their name and telephone number are added to the treatment record, does that information become Protect Health Information.
How can future health information about medical conditions be considered “protected”?
Future health information can include prognoses, treatment plans, and rehabilitation plans that – if altered, deleted, or accessed without authorization – could have significant implications for a patient. For this reason, future health information must be protected in the same way as past or present health information.
Does the Privacy Rule apply when medical professionals are discussing a patient´s healthcare?
Although PHI can be shared without authorization for the provision of treatment, when medical professionals discuss a patient´s healthcare, it must be done in private (i.e. not within earshot of the general public) and the Minimum Necessary Standard applies – the rule that limits the sharing of PHI to the minimum necessary to accomplish the intended purpose.
If a medical professional discusses a patient´s treatment with the patient´s employer, is that information protected?
That depends on the circumstances. Usually a patient will have to give their consent for a medical professional to discuss their treatment with an employer; and unless the discussion concerns payment for treatment or the employer is acting as an intermediary between the patient and a health plan, it is not a HIPAA-covered transaction. However, while not PHI, the employer may be required to keep the nature of the discussion confidential under other federal or state laws (i.e. ADA, FCRA, etc.).