When dealing with HIPAA Rules and discussing the role of HIPAA covered entities in securing data, we often encounter the abbreviation PHI, but what does PHI stand for? What data or elements do we refer to when we talk about PHI?

What Does PHI Stand For?

PHI is the abbreviation we use when we talk about Protected Health Information. As mentioned above, it is most often used in connection with HIPAA, which is the acronym for the Health Insurance Portability and Accountability Act.

PHI refers to quite a broad range of information, both digital and printed. We also sometimes speak about ePHI, which is only in relation to electronic PHI. To understand what is included in PHI, we need to break the term down into its parts, in this case “protected” and “health information”.

When we say “protected”, we are referring to data that falls under the umbrella of the HIPAA Privacy and Security Rules. These Rules govern how certain organizations in the healthcare industry – for example healthcare providers, health insurance plans, and healthcare clearinghouses, as well as their business associates – manage the patient data they work with. The Rules require that these organizations put various administrative, physical, and technical safeguards in place to protect the privacy, integrity, and availability of any identifiable data that they deal with.

Moving to the second part of PHI, “health information”, means we are talking about information that is relevant to a patients’ treatment. Such information includes but is not limited to: medical history, diagnoses, test results, prescribed medications, and demographic grouping. Payment information for medical services is also covered by PHI, as is any information that can be used to identify the patient, for example medical record numbers, insurance identifiers, Social Security numbers, or other unique identifiers.

HIPAA covered entities may come into contact with PHI at different stages in the history of the patient. They may be the ones that create new PHI or add new elements; they may receive existing PHI from another source; they may be involved in data storage where PHI is included in the data; or they may transmit or facilitate the transmission of PHI. We also use the term PHI for health information created in the past, being created currently, or for information that will be added to the file in the future. It covers both physical and mental health information.

Something to note is that we do not use PHI as a term to refer to information that is included in education records, nor for details that a HIPAA covered entity may be required to access and record due to its status as an employer.

It is possible to de-identify or anonymize PHI, in which case it no longer contains the sensitive “protected” information and is therefore no longer considered PHI. In order to do this, certain elements must be removed from the data to make it too difficult to reasonably identify the patient or patients that were originally concerned. There are two primary methods to do this: the Expert Determination method and the Safe Harbor method.

To summarize, the Expert Determination method is quite self explanatory: a qualified statistical expert can be consulted and their opinion must be that the risk of re-identifying a patient from the data released is low enough that it is acceptable under HIPAA Privacy Rule requirements. The Safe Harbor method is somewhat different in that it is a more procedural approach: specific identifiers, listed below, must be removed from the data so that any direct references to the patients are redacted. There are 18 such identifiers that are to be removed from PHI in order for it to be considered de-identified and no longer protected. These elements are:

  • Names
  • Geographic data below state level
  • All elements of dates, except the year (including admission and discharge dates, dates of birth, dates of death, any ages over 89 years old, and elements of dates (including year) that are indicative of age)
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers including license plates
  • Device identifiers and serial numbers
  • Web URLs
  • Internet protocol (IP) addresses
  • Biometric identifiers (i.e. retinal scan, fingerprints, voice prints)
  • Full face photos and similar images
  • Any unique identifying number, characteristic or code

In closing, PHI refers to Protected Health Information –  which is essentially any information from which a patient can be identified, including payment and other information. All staff of HIPAA covered entities should be appropriately trained to know what constitutes PHI, what they can and can’t do with PHI, and the different safeguards that should be in place to keep this special and privileged information “protected”. Mismanagement or mishandling of PHI can lead to serious repercussions for both organizations and individuals, so it is of the utmost importance that all parties understand exactly what PHI is and why it is protected.