The latest article in our HIPAA basics series answers the question: what is protected health information?
The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of protected health information, but what is protected health information?
First, it is worthwhile explaining two other important terms defined in the HIPAA regulations: the covered entity and the business associate. A covered entity is a healthcare provider, health plan, or healthcare clearinghouse that transmits health data electronically for transactions for which the U.S. Department of Health and Human Services has adopted standards. A business associate is an organization or individual that performs services on behalf of a HIPAA-covered entity and that requires access to, or use of, protected health information to perform those services.
What is Protected Health Information?
Protected health information is the term given to health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates in relation to the provision of healthcare, healthcare operations, and payment for healthcare services. Protected health information is often shortened to PHI, or, in the case of electronic protected health information, ePHI.
Protected health information includes all individually identifiable health information, including demographic data, medical histories, test results, insurance information, and other information used to identify a patient or provide healthcare services or healthcare coverage.
The information relates to an individual’s past, present, and future physical and mental health, the provision of healthcare to an individual, or past, present, and future payments for healthcare. ‘Protected’ means the information is protected under the HIPAA Privacy Rule.
Protected health information is defined in the Code of Federal Regulations (45 CFR 160.103) and applies to health records, but not to education records, which are covered by other federal law (FERPA), nor to employment records. In the case of an employee-patient, protected health information does not include information held on the employee by a covered entity in its role as an employer, only information held in its role as a healthcare provider.
What is Individually Identifiable Health Information?
When individually identifiable health information is created, used, or maintained by a HIPAA covered entity or business associate in relation to healthcare services or payment, it is classed as protected health information.
There are 18 identifiers that can be used to identify, contact, or locate a person. If health information is combined with any of these identifiers, it is considered individually identifiable. Under the Safe Harbor de-identification method (45 CFR 164.514(b)(2)), health information from which all 18 identifiers of the individual and of their relatives, employers, and household members have been removed is no longer protected health information, provided the covered entity has no actual knowledge that the remaining information could be used to identify the individual. The alternative is the Expert Determination method, in which a qualified expert documents that the risk of re-identification is very small. (See de-identification of protected health information.) The 18 Safe Harbor identifiers are:
- Names (Full or last name and initial)
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, and ZIP code. The initial three digits of a ZIP code may be retained if, according to the current publicly available data from the U.S. Bureau of the Census, the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; the initial three digits of ZIP codes for all such units containing 20,000 or fewer people must be changed to 000
- All elements of dates (other than year) directly related to an individual, including birth date, admission date, discharge date, and date of death; and all ages over 89 and any date elements (including year) indicative of such an age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Phone Numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers (including serial numbers and license plate numbers)
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger, retinal and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code, except a re-identification code permitted under 45 CFR 164.514(c): such a code must not be derived from or related to information about the individual, must not be otherwise capable of being translated to identify the individual, and the covered entity must not use or disclose the code for any other purpose or disclose the mechanism for re-identification
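The list above reads as policy, but the Safe Harbor method is in practice a data transformation: drop the direct identifiers, reduce ZIP codes to a three-digit prefix (or 000), reduce dates to the year, collapse ages over 89, and scrub identifiers that leak into free-text fields. The following is an added illustration, not code from the original article or from any HHS tool. The field names, the patient record, and the set of restricted three-digit ZIP prefixes are all constructed for the example; a real implementation must derive the restricted prefixes from current Census Bureau data and still needs the "no actual knowledge" check, which no regex can provide.

```python
import re
from datetime import date

# Constructed placeholder for the three-digit ZIP prefixes whose combined
# population is 20,000 or fewer. The real set must come from current
# U.S. Census Bureau data; these values are assumptions for the example.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203"}

# Hypothetical field names for direct identifiers that are dropped outright.
DROP_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account_no", "license_no", "vehicle_id",
    "device_serial", "url", "ip", "biometric", "photo",
}

# Identifiers that commonly leak into free-text notes. Dates are reduced to
# the year (permitted by Safe Harbor); the others are replaced by a label.
FREE_TEXT_RULES = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    (re.compile(r"(?<!\d)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\bhttps?://\S+", re.IGNORECASE), "[URL]"),
    (re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"), lambda m: m.group(1)),
]


def safe_harbor_zip(zip_code: str) -> str:
    """Keep the first three digits of a ZIP code, or 000 for restricted areas."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return "000"  # malformed ZIP: fail closed rather than leak it
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def safe_harbor_year(iso_date: str) -> int:
    """Retain only the year of a date directly related to the individual."""
    return date.fromisoformat(iso_date).year


def safe_harbor_age(birth: str, as_of: str) -> str:
    """Compute age as of a reference date; ages over 89 collapse to '90+'."""
    b, a = date.fromisoformat(birth), date.fromisoformat(as_of)
    age = a.year - b.year - ((a.month, a.day) < (b.month, b.day))
    return "90+" if age >= 90 else str(age)


def scrub_text(text: str) -> str:
    """Apply the free-text rules in order (SSN before phone, so 123-45-6789
    is labelled as an SSN rather than partially matched as a phone number)."""
    for pattern, replacement in FREE_TEXT_RULES:
        text = pattern.sub(replacement, text)
    return text


def deidentify(record: dict, as_of: str) -> dict:
    """Produce a Safe Harbor de-identified copy of a flat patient record."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue  # identifier removed entirely
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key == "dob":
            out["age"] = safe_harbor_age(value, as_of)
            # Birth year is allowed only if it does not reveal an age over 89.
            if out["age"] != "90+":
                out["birth_year"] = safe_harbor_year(value)
        elif key.endswith("_date"):
            out[key[: -len("_date")] + "_year"] = safe_harbor_year(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


# Constructed sample record; every value is made up for the example.
SAMPLE = {
    "name": "Jane Doe",
    "mrn": "MRN-0004412",
    "zip": "03601",
    "dob": "1930-04-10",
    "admit_date": "2023-01-15",
    "diagnosis": "Type 2 diabetes",
    "notes": "Patient called from 555-123-4567; see https://portal.example.com/p/1 on 2023-01-15",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE, as_of="2024-03-01"))
```

The ZIP helper fails closed on malformed input, and the birth year is only emitted when the computed age is below 90, because a 1930 birth year combined with a 2024 reference date would itself indicate an age over 89. Free-text scrubbing by regex is a best-effort control: names, medical record numbers in unusual formats, and facility names will slip through it, which is exactly why Safe Harbor also requires the absence of actual knowledge that the residual data identifies the patient.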