What is Considered PHI?

In response to questions sent to HIPAA Journal, we have written a series of posts explaining some of the most basic elements of HIPAA, the latest being: what is considered PHI?

What is PHI, PII, and IIHI?

Terms such as PHI and PII are commonly used in healthcare, but what do they mean and what information do they cover?

PHI is an acronym of Protected Health Information, while PII is an acronym of Personally Identifiable Information. Before explaining these terms, it is useful to first explain what is meant by health information, of which protected health information is a subset.

Health information is information related to the provision of healthcare or payment for healthcare services that is created or received by a healthcare provider, public health authority, healthcare clearinghouse, health plan, business associate of a HIPAA-covered entity, or a school/university or employer.

Health information covers past, present, and future health conditions or physical/mental health, where that information relates to the provision of healthcare services or payment for those services.

Personally identifiable information (PII) or individually identifiable health information (IIHI) is any health information that allows the patient to be identified. For example, a health diagnosis such as asthma becomes PII when it is accompanied by an identifier that links the information to a specific patient, or when there is a reasonable basis to believe the information could be used to identify a patient.

What is Considered PHI?

Protected health information is individually identifiable health information that is stored in electronic form, electronically transmitted by a HIPAA-covered entity or a business associate of a HIPAA-covered entity, or transmitted and maintained in any other form, including films, charts, and other paper records. PHI relates to HIPAA-covered entities, but does not include education records or employment records.

So what is considered PHI by HIPAA? Health records such as EHRs/EMRs, lab test results, health histories, diagnoses, treatment information, insurance information, and lists of allergies are all considered PHI, as are unique identifiers and demographic information. If information is created, used, or disclosed by a HIPAA-covered entity in the course of providing care to an individual, or is used in conjunction with payment for care, it is considered PHI and is subject to strict controls over its allowable uses and disclosures.

Allowable Uses and Disclosures of PHI

The HIPAA Privacy Rule details the allowable uses and disclosures of PHI. Without first obtaining authorization from the patient, HIPAA-covered entities are only permitted to share PHI for the purposes of treatment or for healthcare operations. The definitions of treatment and healthcare operations can be found in 45 CFR 164.501.

Obtaining Copies of PHI

The HIPAA Privacy Rule also permits patients to obtain copies of the PHI held by a covered entity. In such cases, a request must be made to the covered entity to provide copies of the PHI stored in a designated record set. The designated record set contains information used by the covered entity for the provision of treatment or payment for care, information held and used by the covered entity to make decisions about a patient or for enrollment, payment, or claims adjudication, and, in the case of health plans, information in case or medical management record systems.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.