HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

What Does PHI Stand For?

In the context of HIPAA, the term PHI is commonly used in connection with health data, but what does PHI stand for, and what information is included in the definition of PHI?

What Does PHI Stand For?

PHI is an acronym of Protected Health Information. The term is commonly referred to in connection with the Health Insurance Portability and Accountability Act (HIPAA) and associated legislation such as the Health Information Technology for Economic and Clinical Health Act (HITECH). Generally, PHI stands for any data relating to a patient, a patient's healthcare, or the payment for that healthcare that is created, received, stored, or transmitted by HIPAA-covered entities and their business associates.

HIPAA-covered entities are mostly healthcare providers, health plans, and healthcare clearinghouses, while their business associates are third-party service providers who have access to Protected Health Information in order to provide a service to or on behalf of the covered entity. These entities must implement measures to protect against the unauthorized disclosure, amendment or destruction of Protected Health Information as stipulated by the HIPAA Privacy Rule.

The Department of Health & Human Services' Office for Civil Rights has defined PHI as any Individually Identifiable Health Information that – individually or combined – could potentially identify a specific individual, their past, present or future healthcare, or the method of payment. However, PHI does not include health information contained in education records nor information maintained by a covered entity in their capacity as an employer.


The inclusion of the word “any” in the definition of PHI has led to some confusion over what information should be protected, occasionally resulting in over-zealous safeguards that obstruct the flow of information – something the Privacy Rule is keen to avoid. Consequently, compliance experts tend to rely on the eighteen unique identifiers that must be removed from a designated data set before the data is no longer considered protected. The eighteen unique identifiers considered to be PHI under this interpretation are:

  • Names
  • Geographic data smaller than a state
  • All elements of dates (except years)
  • Telephone numbers
  • FAX numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers including license plates
  • Device identifiers and serial numbers
  • Web URLs
  • Internet protocol addresses
  • Biometric identifiers (e.g., retinal scans, fingerprints)
  • Full face photos and comparable images
  • Any unique identifying number, characteristic or code

PHI ceases to be PHI when it is stripped of all eighteen unique identifiers for marketing or research purposes. Nonetheless, the data is still considered “protected” under the 1981 Common Rule – an Act of Congress that stipulates the baseline standard of ethics under which any government-funded research in the US is held. Nearly all U.S. academic institutions hold their researchers to this standard of ethics regardless of funding.
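One way to apply the stripping of the eighteen identifiers described above in code, as an added example that is not part of HIPAA Journal's article: direct identifiers are dropped, dates are reduced to the year, and geography finer than a state is removed, with a second function that checks nothing identifying remains. The field names and the sample record are constructed assumptions, not a real EHR schema or real patient data.

```python
import re

# Field categories following the article's eighteen identifiers. Field
# names are assumptions for a constructed flat record, not a real EHR schema.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo", "other_unique_code",
}
DATE_FIELDS = {"dob", "admission_date", "discharge_date"}  # keep year only
GEO_FIELDS = {"street", "city", "zip"}  # finer than a state: removed
ISO_DATE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")


def deidentify(record: dict) -> tuple[dict, list[str]]:
    """Return (de-identified copy, fields removed or generalized)."""
    out, touched = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in GEO_FIELDS:
            touched.append(field)          # dropped outright
        elif field in DATE_FIELDS:
            m = ISO_DATE.match(str(value))
            if m:                          # every date element except the year goes
                out[field + "_year"] = int(m.group(1))
            touched.append(field)          # generalized, or dropped if unparseable
        else:
            out[field] = value             # clinical/billing content is retained
    return out, touched


def residual_identifiers(record: dict) -> list[str]:
    """Fields that still look like identifiers; an empty list means the check passed."""
    leaks = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS | GEO_FIELDS:
            leaks.append(field)
        elif isinstance(value, str) and ISO_DATE.match(value):
            leaks.append(field)
    return leaks


# Constructed sample record; no real patient data.
SAMPLE = {
    "name": "Jane Doe", "dob": "1975-03-14", "ssn": "000-00-0000",
    "email": "jane@example.com", "city": "Springfield", "state": "IL",
    "zip": "00000", "diagnosis": "J45.20", "admission_date": "2023-11-02",
}
```

Removing the listed fields is only the mechanical part; the record set still needs a schema-specific mapping of which fields fall into each category, and free-text fields can carry identifiers this field-level filter never sees.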

The Difference Between PHI and ePHI

ePHI is an acronym of electronic Protected Health Information – a subset of PHI that is created, received, stored, or transmitted electronically by HIPAA-covered entities and business associates. Due to the ease with which electronically-stored data can be accessed and shared, ePHI is subject to the HIPAA Security Rule as well as the HIPAA Privacy Rule. It is also subject to the HITECH Act when a healthcare provider participates in the Promoting Interoperability program.

The Security Rule primarily consists of physical, technical, and administrative safeguards to prevent unauthorized access to and disclosures of ePHI. These safeguards should be carefully studied by HIPAA-covered entities and business associates, as the penalties for violations of the HIPAA Security Rule can be significant – in some cases even when there has been no unauthorized access to, or disclosure of, PHI.

PHI Meaning Compared to PII and IIHI

The distinction between some acronyms used in the healthcare and healthcare insurance industries can be minor but also a cause of confusion. For example, if you compare the PHI meaning with that of PII (Personally Identifiable Information), you might consider them to be the same. However, if PII consists of just a name and telephone number – but no health, healthcare, or billing information – it does not qualify as Protected Health Information.

However, when you compare the PHI meaning to that of IIHI (Individually Identifiable Health Information), the two are virtually the same. The only thing that distinguishes PHI from IIHI is that PHI is information created, received, used, or maintained by a HIPAA-covered entity, whereas IIHI is information created, received, used, or maintained by an entity not covered by HIPAA (e.g., an employer, school, or non-medical college).

What is PHI in Medical Terms?

In HIPAA, PHI stands for protected health information, but the term PHI is also commonly used to refer to patient health information or personal health information – any health information contained in a medical record that relates to an individual and that has been created, received, used, or is maintained by a HIPAA-covered entity for the purposes of providing healthcare services or payment for healthcare services.

PHI may also be used to refer to private health insurance, permanent health insurance, public health informatics, a public health institute, and in medicine, the enzyme phosphohexose isomerase.

What Does PHI Stand For? FAQs

Why does health information contained in educational records not count as PHI?

HIPAA led to the establishment of a federal “floor” of privacy and security standards and pre-empts any existing healthcare-related privacy and security laws unless they have more stringent standards than HIPAA. Health information contained in educational records is protected by the Family Educational Rights and Privacy Act (FERPA), which has more stringent standards than HIPAA.

What other laws pre-empt HIPAA?

Most states have privacy and security regulations in which some standards are more stringent than HIPAA. In these circumstances, HIPAA applies except in the areas where more stringent standards exist. In some cases, covered entities and business associates operating across multiple states may have to comply with HIPAA and a variety of state laws.

Does HIPAA only apply to organizations operating in the U.S.?

Although HIPAA is a federal law that applies to all covered entities operating in the U.S., if a covered entity outsources a service to an overseas business associate, the overseas business associate is required to comply with HIPAA. However, it is the covered entity's responsibility to conduct due diligence on the business associate to ensure they have the appropriate administrative, physical, and technical safeguards in place before disclosing PHI to the business associate.

If a designated record set includes information about other people, does that information also have to be protected?

In some cases, an individual's medical record may include information about family members that could be used to determine the identity of the individual (e.g., “son of Mary and James Smith”). In such circumstances, any information relating to other people also has to be protected from impermissible uses and disclosures.

Why do you need to protect an individual's Internet Protocol address?

Internet protocol (IP) addresses allow devices connected to the Internet to be identified geographically so that the devices can send and receive data. Somebody in possession of an IP address could use a tool known as an IP geolocation lookup to find the location of a device connected to the Internet (down to the ZIP code) which potentially could be used to identify – or confirm the identity of – an individual.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.