Protected health information – or PHI – is often mentioned in relation to HIPAA and healthcare, but what is considered protected health information under HIPAA?
What is Considered Protected Health Information Under HIPAA Law?
If you work in healthcare or are considering doing business with healthcare clients that requires access to health data, you will need to know what is considered protected health information under HIPAA law. The HIPAA Security Rule demands that safeguards be implemented to ensure the confidentiality, integrity, and availability of PHI, while the HIPAA Privacy Rule places limits the uses and disclosures of PHI.
Violate any of the provisions in the HIPAA Privacy and Security Rules and you could be financially penalized. There are even criminal penalties for HIPAA violations. Claiming ignorance of HIPAA law is not a valid defense.
Protected Health Information Definition
Under HIPAA, protected health information is considered to be individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, or transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations (PHI healthcare business uses).
Health information such as diagnoses, treatment information, medical test results, and prescription information are considered protected health information under HIPAA, as are national identification numbers and demographic information such as birth dates, gender, ethnicity, and contact and emergency contact information. PHI relates to physical records, while ePHI is any PHI that is created, stored, transmitted, or received electronically.
PHI only relates to information on patients or health plan members. It does not include information contained in educational and employment records, that includes health information maintained by a HIPAA covered entity in its capacity as an employer.
PHI is only considered PHI when an individual could be identified from the information. If all identifiers are stripped from health data, it ceases to be protected health information and the HIPAA Privacy Rule’s restrictions on uses and disclosures no longer apply.
What is PHI?
PHI is any health information that can be tied to an individual, which under HIPAA means protected health information includes one or more of the following 18 identifiers. If these identifiers are removed the information is considered de-identified protected health information, which is not subject to the restrictions of the HIPAA Privacy Rule.
- Names (Full or last name and initial)
- All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
- Dates (other than year) directly related to an individual
- Phone Numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers (including serial numbers and license plate numbers)
- Device identifiers and serial numbers;
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger, retinal and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
How Must HIPAA Protected Health Information be Safeguarded?
The HIPAA Security Rule requires covered entities to protect against reasonably anticipated threats to the security of PHI. Covered entities must implement safeguards to ensure the confidentiality, integrity, and availability of PHI, although HIPAA is not technology specific and the exact safeguards that should be implemented are left to the discretion of the covered entity.
HIPAA requires physical, technical, and administrative safeguards to be implemented. Technologies such as encryption software and firewalls are covered under technical safeguards. Physical safeguards for PHI data include keeping physical records and electronic devices containing PHI under lock and key. Administrative safeguards include access controls to limit who can view PHI information. It is a requirement that staff are provided HIPAA security awareness training.
What is the difference between PII, PHI, and IIHA?
PII is Personally Identifiable Information that is used outside a healthcare context, while PHI (Protected Health Information) and IIHA (Individually Identifiable Health Information) is the same information used within a healthcare context. Although PHI is the more commonly used acronym in HIPAA, both PHI and IIHI are protected by the Privacy and Security Rules because they mean exactly the same thing.
Would patient information such as “Mr. Brown from New York” be considered PHI?
Although there could be thousands of Mr. Browns in New York, there is likely no more than a handful of Mr. Kwiatowskis in Crivitz, WI. As it would be impractical for HIPAA to stipulate there has to be fewer than so many Mr. Xs in a population of Y before the two identifiers are considered to be PHI, all combinations of identifiers are consider PHI under HIPAA – even “Mr. Brown from New York”.
Are email addresses that don´t reveal a person´s name considered identifiers for PHI purposes?
It is quite simple to find out who an email address such as “firstname.lastname@example.org“ belongs to by doing a little research on social media or using a reverse email lookup tool on the Internet. Even if social media or a reverse lookup tool does not give you the individual´s name, you will still be able to find enough information about the individual for that information – with the email address – to be considered PHI.
What is the difference between an allowable disclosure of PHI and an incidental disclosure?
Covered entities are allowed to disclose PHI for treatment, payment, and health care operations. An incidental disclosure is a secondary, accidental disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another disclosure permitted by the Privacy Rule – for example, if a physician invites a health plan employee to his office to discuss payments, and the health plan employee passes a patient he or she recognizes in the waiting room.
How do you determine what a reasonably anticipated threat to PHI is?
All covered entities and business associates are required to conduct frequent risk analyses in order to identify threats to the integrity of PHI. If the threats could be reasonably anticipated, covered entities and business associates have to implement measures to protect against the threats, or mitigate the consequences if the threats were to materialize.