PHI refers to any information in a medical record or designated record set, including demographic information, that can be used to identify an individual and that is created, used, or disclosed in the course of providing a healthcare service, such as diagnosis or treatment, and is protected under HIPAA to ensure privacy and security.
What information constitutes PHI?
While PHI may seem like an abstract concept, it can actually be explained quite simply. PHI is defined by the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) as any personal identifying information that, either individually or in combination with other information – could potentially be used to identify a specific individual, or their their past, current or future health care, or the method of payment for this care.
Some elements which count as identifying information may be obvious, such as names, social security numbers, or addresses, but others may not be as easy to classify. A list of elements that constitute PHI has been made available. PHI includes:
- Geographic data
- Names
- All elements of dates
- Telephone numbers
- FAX numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers including license plates
- Device identifiers and serial numbers
- Web URLs
- Internet protocol addresses
- Biometric identifiers (i.e. retinal scan, fingerprints)
- Full face photos and comparable images
- Any unique identifying number, characteristic or code
Other examples of PHI would include patient history, results from medical tests or laboratory samples, and bills for medical care.
PHI can be made up of physical records, audio recordings, videos, or digital files. It could even be a spoken the content of a spoken. PHI includes a sub-section called electronic protected health information, or ePHI, that is used to refer to PHI that is shared, saved, sent or received electronically by HIPAA-covered entities. The handling of ePHI is governed by the HIPAA Privacy Rule, the HIPAA Security Rule, and the HITECH ACT, among others.
Is PHI always protected under HIPAA?
In some cases, health care information which would normally be considered as PHI is not covered by HIPAA. This may occur when the information is not collected by HIPAA-covered entities, for example if a smart watch or other device was recording heart rate or blood pressure and this was not being done in the context of an official intervention from a health care provider, just by an individual who wanted to track it.
Health care information may also be recorded in relation to employment or education without being subject to HIPAA rules. Even organizations that would normally be subject to HIPAA rules, such as hospitals, may record health information of employees such as allergies without needing to take the same precautions as they would with data that required protection under HIPAA.
Large scale studies of health or other types of research often use vast amounts of health without being required to follow HIPAA rules. This is often because these types of studies use healthcare data that has been anonymized, or stripped of potentially identifying information. When PHI has been anonymized, it is no longer subject to HIPAA rules.