Examples of PHI in Healthcare
Examples of PHI in healthcare include any individually identifiable health information maintained by a covered entity or business associate that relates to an individual’s health condition, treatment for a health condition, or payment for treatment. Non-health information assumes the same protections as PHI only when it is maintained in the same designated record set as PHI.
When the HIPAA Privacy Rule was published in 2000, it contained a list of eighteen identifiers that had to be removed from medical and billing records (“designated record sets”) under the “Safe Harbor” method of de-identification. Thereafter, any health information remaining in a designated record set was no longer considered “individually identifiable” and no longer protected by the HIPAA Privacy Rule.
Some sources interpreted the list of identifiers as a definition of Protected Health Information (PHI). However, the identifiers do not qualify as individually identifiable health information because they do not relate to an individual’s health condition, treatment for a health condition, or payment for treatment. Nonetheless, it is still common to find the identifiers listed as examples of PHI in healthcare.
To clarify, the “HIPAA identifiers” only assume the same protections as individually identifiable health information when they are maintained in the same designated record set as health information. When the identifiers are maintained separately from individually identifiable health information, they are not protected by HIPAA – although they may be protected by state data privacy and security laws.
Real Examples of PHI in Healthcare
Real examples of PHI in healthcare are items of information you might expect to find in a medical or billing record. These include details of allergies or preexisting conditions, notes from consultations, the results of blood tests, MRI scans, and diagnoses. Treatment plans, prescribed medications, and insurance information are also examples of PHI likely to be found in a medical or billing record.
Naturally, these examples of PHI include some identifiers – i.e., name, date of birth, account numbers, etc. Medical records in particular are also likely to include identifiers relating to family members and/or personal representatives. All identifiers assume protected status while they are maintained in a designated record set with individually identifiable health information, whether or not they appear in the 2000 Privacy Rule list.
While on the subject of designated record sets, it is important to be aware that a designated record set can consist of a single item of health information, a group of medical or payment records, or a patient’s complete medical history. In theory, a covered entity can maintain multiple designated record sets for the same individual – all of which require protecting in order to comply with HIPAA.
Why Understanding PHI is Important
Understanding PHI, designated record sets, and identifiers is important because HIPAA requires that covered entities and business associates audit where PHI is created, received, and stored, and appropriately control access to patient information according to workforce members’ roles. For example:
- A doctor should be given access to a patient’s medical information.
- An administrator should be given access to the patient’s appointment and billing information.
- A member of the marketing team should only be given access to non-health information such as the patient’s name and email address. This information, when stored separately from PHI, is an example of information that is not protected by HIPAA.
The failure to appropriately control access to patient information can result in HIPAA violations if members of the workforce are allowed more access to PHI than their roles require, or impact operational efficiency if members of the workforce are denied access to information they need to perform their roles. In the latter case, the failure to appropriately control access can also lead to login credentials being shared impermissibly “to get the job done”.
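The access model above (identifiers are PHI only while held in a record set alongside health or payment information, and each role sees only the field classes its job requires) can be expressed as a small policy check. This is an added illustration, not code from HIPAA Journal or any real system; the field classes, the three-role matrix and the sample record sets are assumptions chosen to mirror the article's examples.

```python
from dataclasses import dataclass

# Field classes (assumed). HEALTH and PAYMENT are individually identifiable
# health information in the article's sense (condition/treatment, or payment
# for treatment); IDENTIFIER covers names, dates of birth, account numbers,
# e-mail addresses and similar.
HEALTH, PAYMENT, IDENTIFIER = "health", "payment", "identifier"


@dataclass
class RecordSet:
    """A designated record set: a named collection of fields, each with a class."""
    name: str
    fields: dict  # field name -> HEALTH | PAYMENT | IDENTIFIER

    def holds_health_info(self) -> bool:
        return any(c in (HEALTH, PAYMENT) for c in self.fields.values())

    def is_protected(self, field_name: str) -> bool:
        """PHI test from the article: health/payment data is always protected;
        an identifier is protected only while held alongside such data."""
        return self.fields[field_name] in (HEALTH, PAYMENT) or self.holds_health_info()

    def phi_fields(self) -> list:
        """Audit helper: every field in this record set that counts as PHI."""
        return sorted(f for f in self.fields if self.is_protected(f))


# Assumed role matrix mirroring the article's three examples: the field classes
# a role may read, and whether it may read them when they are PHI.
ROLE_POLICY = {
    "doctor": ({HEALTH, IDENTIFIER}, True),
    "administrator": ({PAYMENT, IDENTIFIER}, True),
    "marketing": ({IDENTIFIER}, False),  # contact details only, and only outside PHI
}


def can_access(role: str, record_set: RecordSet, field_name: str) -> bool:
    """Least-privilege decision: class must be allowed, and PHI needs a PHI-cleared role."""
    allowed_classes, phi_ok = ROLE_POLICY[role]
    if record_set.fields[field_name] not in allowed_classes:
        return False
    return phi_ok or not record_set.is_protected(field_name)


# Constructed sample record sets (not real data).
MEDICAL = RecordSet("medical", {"name": IDENTIFIER, "dob": IDENTIFIER,
                                "diagnosis": HEALTH, "insurance_id": PAYMENT})
MAILING_LIST = RecordSet("mailing_list", {"name": IDENTIFIER, "email": IDENTIFIER})
```

Running `phi_fields()` over each record set is the audit step the article asks for: the same "name" field is PHI in `MEDICAL` but not in `MAILING_LIST`, which is exactly why the marketing role is granted the second and refused the first.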
Covered entities and business associates with questions about these examples of PHI in healthcare, who require further information about designated record sets, or who need assistance striking the right balance of access controls to support HIPAA compliance and operational efficiency are advised to speak with an independent compliance professional.