The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance


What is Considered PHI Under HIPAA?

Under HIPAA, PHI is considered to be an individual's health, treatment, and payment information, together with any further information maintained in the same designated record set that could identify the individual or be used with other information in the record set to identify the individual.

This article aims to provide you with the full and correct definition of PHI. HIPAA rules and regulations are substantially about protecting PHI and we recommend you use our PHI Guide & Checklist to understand what is required for the protection of PHI.

What Is Considered PHI Under HIPAA Rules?

PHI is defined differently by different sources. Some wrongly define PHI as patient health data (it isn't), whereas others believe it is defined by the 18 HIPAA identifiers (it's not those either).

To best explain what is really considered PHI under HIPAA compliance rules, it is necessary to review the definitions section of the Administrative Simplification Regulations (§160.103) starting with health information.


According to this section, health information means any information, including genetic information, whether oral or recorded in any form or medium, that:

“Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.”

From here, we need to progress to the definition of individually identifiable health information which states “individually identifiable health information […] is a subset of health information, including demographic information collected from an individual [that] is created or received by a health care provider, health plan, employer, or health care clearinghouse […] and that identifies the individual or […] can be used to identify the individual.”

Finally, we move onto the definition of protected health information, which states “protected health information means individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium”.

More about what is Considered PHI under HIPAA

To simplify the definition of what is considered PHI under HIPAA: health information is any information relating to a patient's condition, the past, present, or future provision of healthcare, or payment for that healthcare. It becomes individually identifiable health information when identifiers are included in the same designated record set, and it becomes protected when it is transmitted or maintained in any form by a covered entity.


Generally, HIPAA covered entities are limited to health plans, health care clearinghouses, and qualifying healthcare providers that conduct electronic transactions for which the Department of Health and Human Services (HHS) has published standards. The standards can be found in Subparts I to S of the HIPAA Administrative Data Standards. In the context of what is considered PHI under HIPAA for qualifying healthcare providers:

  • “A broken leg” is health information.
  • “Mr. Jones has a broken leg” is individually identifiable health information.
  • If a covered entity records “Mr. Jones has a broken leg”, both the identifier (“Mr. Jones”) and the health information (“broken leg”) are protected.

Where do Business Associates Enter the Equation?

As well as covered entities having to understand what is considered PHI under HIPAA, it is also important that business associates are aware of how PHI is defined. This is because any individually identifiable health information created, received, maintained, or transmitted by a business associate in the provision of a service for or on behalf of a covered entity is also protected.

Business associates are required to comply with the Security and Breach Notification Rules when providing a service to or on behalf of a covered entity. However, depending on the nature of the service being provided and the content of the Business Associate Agreement, business associates may also need to comply with parts of the Administrative Requirements and the Privacy Rule.


What is a Designated Record Set?

A designated record set is defined in 45 CFR §164.501 as “a group of records maintained by or for a covered entity that is the medical records and billing records about individuals […] used, in whole or in part, by or for the covered entity to make decisions about individuals”. The standard goes on – “the term record means any item, collection, or grouping of information that includes Protected Health Information and is maintained, collected, used, or disseminated by or for a covered entity”.

There are two things to take away from this definition. The first is that a single item of PHI can be a designated record set – as can an individual's entire medical history containing multiple items of PHI. This means, for example, that a picture of a newborn baby sent to a pediatrician's office is a designated record set containing a single item of PHI because the image identifies an individual who – by implication – has been the past recipient of medical treatment.

The second takeaway is that, because the privacy of PHI has to be protected from unauthorized access and impermissible disclosures, any identifying information about an individual that is not health or payment information, but that is included in the same designated record set, must also be protected. For example, a thank-you card accompanying the baby picture that includes the name of the baby also has to be protected even though it does not include health or payment information.

Permissible Uses and Disclosures of PHI

One reason it is important to know what is considered PHI under HIPAA is that the HIPAA Privacy Rule stipulates what uses and disclosure of PHI are required, permissible, or need a written authorization from the subject of the PHI. If a covered entity – or a member of a covered entity’s workforce – does not know what is considered PHI under HIPAA, the potential exists for multiple violations of HIPAA and/or breaches of unsecured PHI which result in complaints to – or fines from – HHS’ Office for Civil Rights.

Conversely, if a covered entity chooses to mitigate the risks of a HIPAA violation or breach of unsecured PHI by locking down every item of information, this could disrupt operational workflows. An example of a covered entity locking down too much information is when the information required to make transport arrangements is secured behind access controls that prevent transportation staff from accessing the information they need to do their jobs.

By understanding what is considered PHI under HIPAA and what isn't, covered entities can develop HIPAA-compliant policies and procedures – and train members of the workforce on the policies and procedures – that protect the privacy of PHI and ensure the confidentiality, integrity, and availability of electronic PHI without disrupting operational workflows. Covered entities that fail to understand what is considered PHI under HIPAA should seek professional compliance advice.

PHI and Individuals’ Privacy Rule Rights

A second reason it is important to know what is considered PHI under HIPAA – particularly with regard to designated record sets – is that individuals have the right to request copies of their PHI and the right to request amendments if their PHI is inaccurate or incomplete. To comply with access and correction requests – and requests for an Accounting of Disclosures – covered entities need to know where PHI is maintained and when PHI is duplicated across multiple designated record sets.

The failure to provide a copy of PHI, provide a copy within the stipulated timeframe (currently 30 days – soon to be reduced to 15 days), or produce a complete Accounting of Disclosures could attract the attention of HHS' Office for Civil Rights if a patient or plan member makes a complaint. If the basis of the complaint is that a covered entity does not understand what is considered PHI under HIPAA, this will likely lead to an organization-wide HIPAA compliance inspection – which may not only be disruptive, but potentially expensive if HHS' inspectors uncover multiple HIPAA violations.

When is PHI not PHI?

There is a common misconception that all health information is considered PHI under HIPAA, but this is not the case.

First, it depends on whether an identifier is included in the same designated record set. Under HIPAA, PHI ceases to be PHI if it is stripped of all identifiers that can tie the information to an individual. If identifiers are removed, the health information is referred to as de-identified PHI. HIPAA does not apply to de-identified PHI, and the information can be used or disclosed without violating any HIPAA Rules.

Health information is also not PHI when it is created, received, maintained, or transmitted by an entity not subject to the HIPAA Rules. For example, even though schools and colleges may have medical facilities, health information relating to students at public schools is covered by the Family Educational Rights and Privacy Act (FERPA), which classifies students' health information as part of their educational records.

Health information maintained by employers as part of an employee's employment record is not considered PHI under HIPAA. However, employers that administer a self-funded health plan with more than fifty members do have to meet certain requirements with regards to keeping employment records separate from health plan records in order to avoid impermissible disclosures of PHI.

It is important to be aware that exceptions to these examples exist. One of the most complicated examples relates to developers, vendors, and service providers for personal health devices that create, collect, maintain, or transmit health information. Entities in the personal health device sector are not covered entities or business associates under HIPAA unless they are contracted to provide a service for or on behalf of a covered entity or business associate.

However, entities in the personal health device sector are required to comply with the Breach Notification Rule under Section 5 of the Federal Trade Commission Act if a breach of unsecured PHI occurs. This means that, although entities in the personal health device sector do not have to comply with the Privacy and Security Rules, it is necessary for these entities to know what is considered PHI under HIPAA in order to comply with the Breach Notification Rule.

The complexity of determining if information is considered PHI under HIPAA implies that both medical and non-medical workforce members should receive HIPAA training on the definition of PHI. It is also important for all members of the workforce to know which standards apply when state laws offer greater protections to PHI or have more individual rights than HIPAA, as these laws will preempt HIPAA.


What is Considered PHI Under HIPAA FAQs

What are the 18 HIPAA Identifiers?

The 18 HIPAA identifiers are the identifiers that must be removed from a designated record set before any remaining health information is considered to be de-identified under the “safe harbor” method of de-identification (see §164.514). However, due to the age of the list, it is no longer a reliable guide. Since the list was first published in 1999, many more ways to identify an individual have emerged.

If, for example, a Covered Entity removes all 18 listed HIPAA identifiers from a designated record set, the subject of the health information might still be identifiable through other identifiers not included on the list, such as social media aliases, LGBTQ statuses, details about an emotional support animal, etc. To prevent violations of HIPAA, Covered Entities must ensure no further identifiers remain in a record set before disclosing de-identified health information to a third party (e.g., to researchers).

Also, because the list of 18 HIPAA identifiers is more than two decades out of date, the list should not be used to explain what is considered PHI under HIPAA – notwithstanding that any of these identifiers maintained separately from individually identifiable health information are not PHI in most circumstances and do not receive the Privacy Rule protections.

What is PHI under HIPAA?

PHI under HIPAA is individually identifiable health information that is collected or maintained by an organization that qualifies as a HIPAA Covered Entity or Business Associate. As well as health information, any non-health information maintained in the same designated record set that identifies – or could be used with other information to identify – the subject of the health information is also PHI under HIPAA.

What does PHI include?

PHI includes information about an individual's physical or mental health condition, the treatment of that condition, or the payment for the treatment. PHI also includes any information maintained in the same record set that identifies – or that could be used to identify – the subject of the health, treatment, or payment information.

What are examples of PHI?

Examples of PHI include test results, x-rays, scans, physician’s notes, diagnoses, treatments, eligibility approvals, claims, and remittances. When combined with this information, PHI also includes names, phone numbers, email addresses, Medicare Beneficiary Numbers, biometric identifiers, emotional support animals, and any other identifying information.

Which format of PHI records is covered by HIPAA?

All formats of PHI records are covered by HIPAA. These include (but are not limited to) spoken PHI, PHI written on paper, electronic PHI, and physical or digital images that could identify the subject of health information. It is important to remember that PHI records are only covered by HIPAA when they are in the possession of a covered entity or business associate.

What is the difference between PHI and ePHI?

The difference between PHI and ePHI is that ePHI refers to Protected Health Information that is created, used, shared, or stored electronically – for example in an Electronic Health Record, in the content of an email, or in a cloud database. Both PHI and ePHI are subject to the same protections under the HIPAA Privacy Rule, while the HIPAA Security Rule mostly relates to ePHI.

Does the Privacy Rule apply to both paper and electronic health information?

The Privacy Rule applies to both paper and electronic health information despite the language used in the original Health Insurance Portability and Accountability Act leading to a misconception that HIPAA only applies to electronic health records. While the protection of electronic health records was addressed in the HIPAA Security Rule, the Privacy Rule applies to all types of health information regardless of whether it is stored on paper or electronically, or communicated orally.


If an individual calls a dental surgery to make an appointment and leaves their name and telephone number, is that PHI?

If an individual calls a dental surgery to make an appointment and leaves their name and telephone number, the name and telephone number are not PHI at that time because there is no health information associated with them. Only once the individual undergoes treatment, and their name and telephone number are added to the treatment record, does that information become Protected Health Information.

How can future health information about medical conditions be considered “protected”?

Future health information about medical conditions can be considered protected if it includes prognoses, treatment plans, and rehabilitation plans that – if altered, deleted, or accessed without authorization – could have significant implications for a patient. For this reason, future health information must be protected in the same way as past or present health information.

Does the Privacy Rule apply when medical professionals are discussing a patient's healthcare?

The Privacy Rule does apply when medical professionals are discussing a patient's healthcare because, although PHI can be shared without authorization for the provision of treatment, when medical professionals discuss a patient's healthcare, it must be done in private (i.e. not within earshot of the general public) and the Minimum Necessary Standard applies – the rule that limits the sharing of PHI to the minimum necessary to accomplish the intended purpose.

If a medical professional discusses a patient's treatment with the patient's employer, is that information protected?

If a medical professional discusses a patient's treatment with the patient's employer, whether or not the information is protected depends on the circumstances. Usually, a patient will have to give their consent for a medical professional to discuss their treatment with an employer unless the discussion concerns payment for treatment or the employer is acting as an intermediary between the patient and a health plan.

However, disclosures of PHI to employers are permitted under the Privacy Rule if the information being discussed relates to a workplace injury or illness. In such circumstances, a medical professional is permitted to disclose the information required by the employer to fulfil state or OSHA reporting requirements. In these circumstances, medical professionals can discuss a patient’s treatment with the patient’s employer without an authorization.

Is an email PHI?

Whether or not an email is PHI depends on who the email is sent by, what the email contains, and where it is stored. To be PHI, an email has to be sent by a Covered Entity or Business Associate, contain individually identifiable health information, and be stored by a Covered Entity or Business Associate in a designated record set with an identifier (if the email does not already include one).

What is PHI in healthcare?

PHI in healthcare stands for Protected Health Information – information protected by the HIPAA Privacy Rule to ensure it remains private. PHI in healthcare can only be used or disclosed for permitted purposes without a patient's authorization, and patients have the right to complain to HHS' Office for Civil Rights if they believe a healthcare provider is failing to protect the privacy of their PHI.

What are HIPAA identifiers?

HIPAA identifiers are pieces of information that can be used – either separately or with other pieces of information – to identify an individual whose health information is protected by the HIPAA Privacy Rule. Several sources confuse HIPAA identifiers with PHI, but it is important to be aware that identifiers not maintained with an individual's health information do not have the same protection as PHI.

What qualifies as PHI?

What qualifies as PHI is individually identifiable health information and any identifying non-health information stored in the same designated record set. Please note that a Covered Entity can maintain multiple designated record sets about the same individual and that a designated record set can consist of a single item (i.e., a picture of a baby on a pediatrician’s baby wall qualifies as PHI).

Is a medical record number PHI?

A medical record number is PHI if it can identify the individual in receipt of medical treatment. However, a seemingly random alphanumeric code by itself (which medical record numbers often are) does not necessarily identify an individual if the code is not preceded by “medical record number”, or accompanied by a name or any other information that could be used to identify the individual.

What does PHI include?

PHI includes individually identifiable health information maintained by a Covered Entity or Business Associate that relates to an individual’s past, present, or future physical or mental health condition, treatment for the condition, or payment for the treatment. It can also include any non-health information that could be used to identify the subject of the PHI.

Is a person’s gender PHI?

A person’s gender is PHI if it is maintained in the same designated record set as individually identifiable health information by a HIPAA Covered Entity or Business Associate as it could be used with other information to identify the subject of the individually identifiable health information. However, if a person’s gender is maintained in a data set that does not include individually identifiable health information (i.e., a transportation directory), it is not PHI.

Is a patient’s name alone considered PHI?

A patient’s name alone is not considered PHI. Only when a patient’s name is included in a designated record set with individually identifiable health information by a Covered Entity or Business Associate is it considered PHI under HIPAA.

Under the Privacy Rule which information should be considered PHI?

Under the Privacy Rule, the information that should be considered PHI relates to any identifiers that can be used to identify the subject of individually identifiable health information. However, where several sources mistake what is considered PHI under HIPAA is by ignoring the definitions of PHI in the General Provisions at the start of the Administrative Simplification Regulations (45 CFR Part 160).

Is there a list of PHI identifiers?

There is no list of PHI identifiers in HIPAA – only an out-of-date list of identifiers that have to be removed from a designated record set under the safe harbor method before any PHI remaining in the designated record set is de-identified. Because the list is so out of date and excludes many ways in which individuals can now be identified, Covered Entities and Business Associates are advised to have a full understanding of what is considered PHI under HIPAA before developing staff policies.

Is a phone number PHI?

A phone number is PHI if it is maintained in a designated record set by a HIPAA Covered Entity or Business Associate because it could be used to identify the subject of any individually identifiable health information maintained in the same record set. However, if a phone number is maintained in a database that does not include individually identifiable health information, it is not PHI.

How does HIPAA define PHI?

The text of HIPAA does not define PHI because the term “Protected Health Information” does not appear anywhere in the text of the Act. PHI was not used as an acronym for Protected Health Information until the publication of the proposed Privacy Rule in 1999, when the term was adopted to distinguish between individually identifiable health information maintained or transmitted by covered entities and health information maintained or transmitted by non-covered entities.

How many designated record sets can one individual have?

An individual can have dozens of designated record sets because – for example – the individual could be under the care of multiple health units and the healthcare provider has divided up a single designated record set to better apply access controls. Similarly, a covered entity may share PHI with multiple business associates, sharing only the PHI relevant to the service being provided by each business associate in order to comply with the minimum necessary standard.

Why do some sources wrongly define what is PHI in healthcare?

Some sources wrongly define what is PHI in healthcare because the definitions that can help explain what does PHI mean are divided between the General Provisions of the Administrative Simplification Regulations (45 CFR §160.103) and the introduction to the Privacy Rule (45 CFR §164.501).

While it is relatively easy to individually answer the questions “what are PHI, PII, and IIHI?” and “what are designated record sets?”, it is not as easy to bring all the answers together to determine what information should be protected and what information patients have a right of access to.

What is the difference between patient consent and patient authorization?

The difference between patient consent and patient authorization (in the context of HIPAA) is that the Privacy Rule allows for a limited number of scenarios in which informal consent is permitted – rather than formal authorization. These scenarios include limited disclosures for facility directories and to friends and family when they enquire about the wellbeing of a patient.

Covered entities can include limited patient details in a hospital directory and provide limited information to friends and family with the patient's informal consent – unless the patient is unable to give their consent, in which case professional judgement should be used to determine whether the disclosures are in the patient's best interests.

What information is included in an “accounting of disclosures”?

The information included in an accounting of disclosures is any “disclosure” of PHI in the previous six years except for disclosures to the individual, disclosures for treatment, payment, and healthcare operations, disclosures authorized by the individual, and a handful of other exceptions (see 45 CFR §164.528 for the full list). The “accounting” must include the date of the disclosure, the recipient of the disclosure, the content of the disclosure, and the purpose of the disclosure.

What are PII and PHI?

PII and PHI are not always two different things. PII stands for Personally Identifiable Information, which can be PHI (Protected Health Information) if it is stored in the same designated record set as PHI. This is because, in order to protect the health and payment information that qualifies as PHI, any information that could be used to identify the subject of the health and payment information (for example, PII) also has to be protected while it remains in the same designated record set.

What is HIPAA PII?

HIPAA PII is a term sometimes used to describe individually identifiable non-health information that is maintained in the same record set as individually identifiable health information. In this scenario, PII has the same attributes as Protected Health Information (PHI) inasmuch as it can only be used or disclosed as stipulated by the HIPAA Privacy Rule.

PHI vs PII? Which is protected by the Privacy Rule?

When discussing PHI vs PII and which is protected by the Privacy Rule, PHI is always protected by the Privacy Rule whereas PII can be protected by the Privacy Rule if it is maintained in the same designated record set as PHI. However, there are occasions when PII is not maintained in the same designated record set; and, on these occasions, PII is not protected by the Privacy Rule (although it may be protected by state privacy laws).
