The term PHI is commonly used in connection with health data, but what does PHI stand for, and what information is included in the definition of PHI?
What Does PHI Stand For?
PHI is an acronym for Protected Health Information. The term is used throughout the Health Insurance Portability and Accountability Act (HIPAA) and associated legislation such as the Health Information Technology for Economic and Clinical Health Act (HITECH), and refers to individually identifiable information about a patient, the patient's healthcare, or the payment for that healthcare that is created, received, stored, or transmitted by a HIPAA-covered entity or its business associates.
HIPAA-covered entities are healthcare providers, health plans and healthcare clearinghouses; business associates (third-party service providers that create, receive, maintain or transmit PHI on a covered entity's behalf) are bound by the same rules. These organizations must limit the use and disclosure of PHI as stipulated by the HIPAA Privacy Rule, and must protect it against unauthorized access, alteration or destruction.
The Department of Health & Human Services' Office for Civil Rights treats health information as identifiable when it contains data that, individually or in combination, could identify a specific individual, their past, present or future healthcare, or the method of payment for it. The Privacy Rule's Safe Harbor de-identification standard lists eighteen such identifiers:
- Names
- Geographic subdivisions smaller than a state (street address, city, county, ZIP code)
- All elements of dates (except year) directly related to an individual, and all ages over 89
- Geographic data
- All elements of dates
- Telephone numbers
- FAX numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers including license plates
- Device identifiers and serial numbers
- Web URLs
- Internet protocol addresses
- Biometric identifiers (e.g. finger and voice prints)
- Full face photos and comparable images
- Any other unique identifying number, characteristic or code
Health information ceases to be PHI once it has been de-identified. Under the Safe Harbor method this means removing all eighteen identifiers listed above (for the individual and for the individual's relatives, employers and household members) and having no actual knowledge that the remaining data could identify the individual; the alternative Expert Determination method relies on a qualified expert documenting that the risk of re-identification is very small. De-identified data can then be used, for example for marketing or research, without HIPAA authorization. Research on such data may nonetheless remain subject to the Common Rule, the 1991 federal regulation that sets the baseline ethical standard for federally funded human-subjects research in the US; nearly all U.S. academic institutions hold their researchers to this standard regardless of funding source.
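The Safe Harbor de-identification described above, as an added Python example (not code from the original article, from HHS, or from any vendor): it drops the direct identifiers outright, keeps only the year of dates, aggregates ages over 89 into a single "90+" bucket, truncates ZIP codes to three digits, and scrubs identifiers that commonly leak into free-text clinical notes. The record layout, field names and sample values are constructed for this example; the regular expressions are deliberately narrow, the "SN <serial>" device-identifier heuristic is invented here, and the set of low-population ZIP3 prefixes is assumed to be supplied by the caller rather than computed.

```python
"""Safe Harbor style de-identification of a patient record.

Added example, not code from the original article or from HHS. Handles the
identifiers that can be removed or generalized mechanically; names inside
free text, photographs and biometrics need other tooling and are out of scope.
"""
import re
from datetime import date

# Constructed sample record (fictitious values; shape assumed to be a flat EHR export).
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "dob": "1932-04-17",
    "zip": "02139",
    "phone": "(617) 555-0142",
    "email": "jane.example@example.org",
    "ssn": "123-45-6789",
    "mrn": "MRN-00448213",
    "ip": "192.0.2.44",
    "admit_date": "2023-11-03",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": ("Pt called from 617-555-0142; see portal https://portal.example.org/p/7781. "
              "Follow-up 03/15/2024. Device SN 4X9-22107."),
}

# Reference date used when computing ages in this example (assumed, not from the page).
AS_OF = date(2024, 6, 1)

# Fields that hold direct identifiers from the Safe Harbor list: removed outright.
DROP_FIELDS = frozenset({"name", "phone", "email", "ssn", "mrn", "ip"})


def _keep_year(m):
    """Replacement for a date match: Safe Harbor permits the year alone."""
    return m.group("y1") or m.group("y2")


# Deliberately narrow patterns for identifiers that leak into free text; a
# production scrubber needs broader patterns plus named-entity recognition for names.
FREE_TEXT_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    ("PHONE", re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    ("URL", re.compile(r'https?://[^\s<>"]+[^\s<>".,;:)]'), "[URL]"),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    # "SN <serial>": a constructed heuristic for device serial numbers (assumption).
    ("DEVICE_ID", re.compile(r"(?<=\bSN )[A-Z0-9][A-Z0-9-]{4,}\b"), "[DEVICE_ID]"),
    # Dates are generalized to the year rather than removed.
    ("DATE", re.compile(r"\b(?:\d{1,2}/\d{1,2}/(?P<y1>\d{4})|(?P<y2>\d{4})-\d{2}-\d{2})\b"), _keep_year),
]


def scrub_text(text):
    """Replace identifiers in free text; returns (scrubbed text, counts per label)."""
    findings = {}
    for label, pattern, repl in FREE_TEXT_PATTERNS:
        text, n = pattern.subn(repl, text)
        if n:
            findings[label] = n
    return text, findings


def generalize_age(dob_iso, as_of):
    """Age in whole years; anyone over 89 is reported as the aggregate '90+'."""
    born = date.fromisoformat(dob_iso)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    return "90+" if age > 89 else str(age)


def truncate_zip(zip5, small_population_zip3=frozenset()):
    """Keep the first three ZIP digits. Safe Harbor requires '000' instead when
    the 3-digit area has 20,000 or fewer people; the caller supplies that set
    (assumption: derived from census data elsewhere, not checked here)."""
    zip3 = zip5[:3]
    return "000" if zip3 in small_population_zip3 else zip3


def deidentify(record, as_of, small_population_zip3=frozenset()):
    """Return a new dict with Safe Harbor identifiers removed or generalized."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue                      # direct identifier: dropped entirely
        if field == "dob":
            age = generalize_age(value, as_of)
            out["age"] = age
            if age != "90+":              # a birth year would reveal an age over 89
                out["birth_year"] = value[:4]
        elif field == "admit_date":
            out["admit_year"] = value[:4]
        elif field == "zip":
            out["zip3"] = truncate_zip(value, small_population_zip3)
        elif field == "notes":
            out["notes"], _ = scrub_text(value)
        else:
            out[field] = value            # clinical content is retained
    return out


if __name__ == "__main__":
    for key, val in deidentify(SAMPLE_RECORD, AS_OF).items():
        print(f"{key}: {val}")
```

The structured fields are the easy part: each one maps to exactly one Safe Harbor rule, so the decision (drop, keep the year, truncate) is a lookup. The free-text notes are where de-identification usually fails in practice, because identifiers arrive in whatever form a clinician typed them; the pattern list above catches only the obvious shapes, and any real deployment should be validated against a labelled corpus and paired with a name-recognition step before the output is treated as de-identified.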
The Difference between PHI and ePHI
ePHI is an acronym for electronic Protected Health Information and refers to any PHI that is created, received, stored, or transmitted in electronic form by HIPAA-covered entities and their business associates. Because electronically stored data can be accessed, copied and shared so easily, ePHI is subject to the HIPAA Security Rule in addition to the HIPAA Privacy Rule. The HITECH Act added further obligations, notably breach notification, and tied Security Rule compliance to the Meaningful Use incentive program for healthcare providers.
The Security Rule consists of administrative, physical and technical safeguards intended to protect the confidentiality, integrity and availability of ePHI and to prevent unauthorized access to and disclosure of it. HIPAA-covered entities should study these safeguards carefully, since penalties for violating the Security Rule can be significant, and can be imposed even when no unauthorized access to or disclosure of PHI has actually occurred, for example where a required risk analysis was never performed.