PHI refers to individually identifiable health information, including demographic data, medical histories, test results, treatment plans, and any other information held by covered entities or their business associates that is used, created, received, or maintained in the course of providing healthcare services and is protected under HIPAA to ensure the privacy and security of patients’ sensitive data. When dealing with the HIPAA Rules and discussing the role of HIPAA covered entities in securing data, we often encounter the abbreviation PHI, but what does PHI stand for? What data or elements do we refer to when we talk about PHI?
What Does PHI Stand For?
PHI is the abbreviation we use when we talk about Protected Health Information. As mentioned above, it is most often used in connection with HIPAA, which is the acronym for the Health Insurance Portability and Accountability Act.
PHI refers to quite a broad range of information, both digital and printed. We also sometimes speak about ePHI, which is only in relation to electronic PHI. To understand what is included in PHI, we need to break the term down into its parts, in this case “protected” and “health information”.
When we say “protected”, we are referring to data that falls under the umbrella of the HIPAA Privacy and Security Rules. These Rules govern how certain organizations in the healthcare industry – for example healthcare providers, health insurance plans, and healthcare clearinghouses, as well as their business associates – manage the patient data they work with. The Rules require that these organizations put various administrative, physical, and technical safeguards in place to protect the privacy, integrity, and availability of any identifiable data that they deal with.
Moving to the second part of PHI, “health information”, means we are talking about information that is relevant to a patient’s treatment. Such information includes but is not limited to: medical history, diagnoses, test results, prescribed medications, and demographic grouping. Payment information for medical services is also covered by PHI, as is any information that can be used to identify the patient, for example medical record numbers, insurance identifiers, Social Security numbers, or other unique identifiers.
HIPAA covered entities may come into contact with PHI at different stages in the history of the patient. They may be the ones that create new PHI or add new elements; they may receive existing PHI from another source; they may be involved in data storage where PHI is included in the data; or they may transmit or facilitate the transmission of PHI. We also use the term PHI for health information created in the past, being created currently, or for information that will be added to the file in the future. It covers both physical and mental health information.
It is possible to de-identify or anonymize PHI, in which case it no longer contains the sensitive “protected” information and is therefore no longer considered PHI. In order to do this, certain elements must be removed from the data to make it too difficult to reasonably identify the patient or patients that were originally concerned. There are two primary methods to do this: the Expert Determination method and the Safe Harbor method.
The Expert Determination method is quite self-explanatory: a qualified statistical expert is consulted, and their opinion must be that the risk of re-identifying a patient from the released data is low enough to be acceptable under the HIPAA Privacy Rule. The Safe Harbor method is somewhat different in that it is a more procedural approach: specific identifiers, listed below, must be removed from the data so that any direct references to the patients are redacted. There are 18 such identifiers that must be removed from PHI in order for it to be considered de-identified and no longer protected. These elements are:
- Names
- Geographic data below state level
- All elements of dates except the year, for dates directly related to an individual (including dates of birth, admission and discharge dates, and dates of death); and all ages over 89, together with any elements of dates (including the year) that would indicate such an age
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers including license plates
- Device identifiers and serial numbers
- Web URLs
- Internet protocol (IP) addresses
- Biometric identifiers (e.g. retinal scans, fingerprints, voice prints)
- Full face photos and similar images
- Any unique identifying number, characteristic or code
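As an added illustration of how the Safe Harbor list above maps onto a concrete record (this is example code written for this article, not a HIPAA compliance tool), the function below drops the direct identifiers, reduces sub-state geography to the state, keeps only the year of each date, and collapses ages over 89 into a single “90+” bucket, dropping the birth year when it would reveal such an age. The field names, the record, and the regex patterns for leftover identifiers in free-text notes are all constructed assumptions.

```python
import re
from datetime import date

# Assumed schema: which fields hold Safe Harbor direct identifiers.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_plate", "device_serial",
    "url", "ip_address", "biometric_template", "photo",
}
SUB_STATE_GEOGRAPHY = {"street", "city", "zip"}  # the article keeps only state
AGE_CAP = 89  # ages above this collapse into a single "90+" bucket
TODAY = date(2024, 1, 1)  # fixed reference date so results are reproducible
# Constructed patterns for identifiers that may survive in free-text notes.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}

def age_on(birth: date, today: date) -> int:
    years = today.year - birth.year
    return years - 1 if (today.month, today.day) < (birth.month, birth.day) else years

def deidentify(record: dict, today: date) -> dict:
    """Safe Harbor-style copy of record; date fields are ISO 'YYYY-MM-DD' strings."""
    out = {}
    birth = record.get("birth_date")
    over_cap = birth is not None and age_on(date.fromisoformat(birth), today) > AGE_CAP
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SUB_STATE_GEOGRAPHY:
            continue  # removed outright
        if key.endswith("_date"):
            # Keep only the year; drop even that when it would reveal an age over 89.
            out[key] = None if (key == "birth_date" and over_cap) else value[:4]
        elif key == "age" and value > AGE_CAP:
            out[key] = "90+"
        else:
            out[key] = value
    if over_cap:
        out["age"] = "90+"  # age derived from the birth date is bucketed, not dropped
    return out

def residual_identifiers(text: str) -> list:
    """Pattern names still found in free text after de-identification."""
    return [name for name, pat in RESIDUAL_PATTERNS.items() if pat.search(text)]

SAMPLE = {  # constructed record, not real patient data
    "name": "Jane Q. Sample", "ssn": "123-45-6789", "birth_date": "1931-05-20",
    "admission_date": "2023-11-02", "street": "1 Example Way", "city": "Springfield",
    "state": "IL", "zip": "62701", "diagnosis": "type 2 diabetes",
    "notes": "Call back at 555-123-4567 to schedule.",
}
```

Structured fields are handled by the schema, but free-text notes are where identifiers usually survive, which is why the residual scan is a separate check rather than part of the field loop.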
Healthcare organizations are confronted with a range of challenges when it comes to effectively managing and safeguarding PHI. One prevalent challenge revolves around the sheer volume and complexity of PHI that flows through various departments, systems, and stakeholders within these organizations. This intricate ecosystem often makes it difficult to maintain a comprehensive overview of where sensitive patient data resides, potentially leading to inadvertent exposure or breaches. Moreover, the dynamic nature of patient information, coupled with frequent updates and changes in medical records, demands meticulous tracking and management to prevent inaccuracies or unauthorized access.
Within the area of PHI management, the possibility of data breaches, unauthorized access, and insider threats looms large. The digital nature of healthcare records introduces vulnerabilities that can be exploited by cybercriminals seeking to gain access to valuable patient data. A breach not only jeopardizes patients’ privacy and trust but also exposes organizations to significant legal and financial risks. Unauthorized access, whether by external malicious actors or employees with ill intent, poses an imminent threat to the confidentiality and integrity of PHI. The human element remains a key focal point; well-intentioned employees may inadvertently mishandle data, leading to unintentional breaches.
The potential fallout from PHI breaches extends beyond compromised patient trust. Healthcare organizations can face severe legal and financial repercussions as a result of failing to adequately protect PHI. Under the umbrella of the Health Insurance Portability and Accountability Act (HIPAA), entities that mishandle PHI can face substantial penalties, ranging from thousands to millions of dollars, depending on the severity of the breach and the organization’s response. Legal actions from affected patients or regulatory authorities can lead to additional financial strain. Furthermore, the damage to an organization’s reputation and credibility can result in patient attrition and a tarnished standing within the healthcare landscape. As the consequences of PHI breaches continue to mount, healthcare entities are compelled to address these challenges and prioritize robust data security measures to safeguard patient privacy and avoid dire legal and financial implications.