In any healthcare or health insurance organization it is crucial that anyone who comes into contact with patient data knows exactly what HIPAA defines as Protected Health Information (PHI), so that they do not accidentally violate the HIPAA Rules.
What is Defined as Protected Health Information (PHI) Under HIPAA?
Anyone who is employed in the healthcare sector or is currently studying a healthcare-related course that involves some level of access to patient healthcare or billing data must be fully aware of what is classified as PHI.
The HIPAA Privacy Rule places restrictions on the permitted uses and disclosures of PHI and the HIPAA Security Rule requires security measures to be in place at all times to ensure the confidentiality, integrity, and availability of PHI.
Should a breach occur, being unaware of the HIPAA requirements for the privacy and security of PHI is not a valid excuse. A violation of any provision of HIPAA can result in significant civil penalties for the covered entities and business associates involved, and in some cases criminal charges are brought against individuals. This is why the HIPAA training provided to employees must give them a clear understanding of what is defined as PHI.
How is PHI Defined under HIPAA?
HIPAA defines PHI as individually identifiable health information that relates to an individual's past, present, or future physical or mental health or condition, the provision of health care to that individual, or payment for that care, and that is created, received, maintained, or transmitted by a HIPAA covered entity or its business associate (45 CFR 160.103).
Some data elements classed as PHI include:
- Medical diagnoses
- Details of treatments
- Test results
- Date of Birth
- National identification numbers
- Contact details
These data elements are PHI in whatever form they are held, including paper records and spoken information. PHI that is created, stored, transmitted, or received in electronic form is referred to as electronic PHI (ePHI); ePHI is the subset that the HIPAA Security Rule applies to.
PHI includes patient and health plan member information, but does not include data in educational and employment records. Nor is health information collected by a covered entity in its role as an employer classed as PHI.
Personal and healthcare data is only classed as PHI when it is possible for an individual to be identified from that information, either directly or in combination with other reasonably available information. In practice this means the information contains one or more of the 18 identifiers listed below.
HIPAA recognises two de-identification methods (45 CFR 164.514(b)): the Safe Harbor method, under which all 18 identifiers of the individual and of their relatives, employers, and household members are removed and the covered entity has no actual knowledge that the remaining information could identify the individual; and Expert Determination, under which a qualified expert documents that the risk of re-identification is very small. Information de-identified by either method is no longer PHI, and its uses and disclosures are no longer restricted by the HIPAA Privacy Rule.
What are the Identifiers that make personal and health information PHI?
HIPAA's Safe Harbor standard lists 18 identifiers that turn personal health and billing information into PHI and bring the information under the protection of the HIPAA Rules. The 18 identifiers are:
- Names
- All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code), except for the first three digits of a ZIP code if, according to the current publicly available data from the U.S. Bureau of the Census, the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; the initial three digits of ZIP codes for units of 20,000 or fewer people are changed to 000.
- All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, and date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and dates may be aggregated into a single category of age 90 or older.
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers, including finger prints, retinal scans, and voice prints
- Full-face photographs and any comparable images
- Any other unique identifying number, characteristic, or code, except for a re-identification code that is not derived from information about the individual and is not disclosed for any other purpose
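The Safe Harbor rules above are mechanical enough to apply to structured data in code. The following is an added example, not code from the original article, of a minimal Safe Harbor pass over a flat patient record: direct identifiers (names, email, SSN, MRN, IPs, URLs, and so on) are dropped, ZIP codes are reduced to three digits or to 000, dates are reduced to the year, and ages over 89 are aggregated into a 90+ category, including the case where the birth year alone would reveal an age over 89. The field names, the sample record, and the `RESTRICTED_ZIP3` set are illustrative assumptions; the real restricted-prefix set must be taken from current Census population data, and this example covers only the Safe Harbor method, not Expert Determination.

```python
"""Added example: Safe Harbor generalization of a flat patient record.

Assumptions (not from HIPAA or the original article):
- field names such as "zip", "dob", "age" are illustrative;
- RESTRICTED_ZIP3 is a placeholder set of three-digit ZIP prefixes that
  must be replaced with the current Census-derived list (<= 20,000 people).
"""
from datetime import date
import re

# Identifier categories that are removed outright (illustrative field names).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "first_name", "last_name", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Three-digit ZIP prefixes covering <= 20,000 people: must become "000".
# PLACEHOLDER set for illustration; use current Census data in practice.
RESTRICTED_ZIP3 = {"036", "059", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# Reference date used to derive age from a date of birth (assumption).
REFERENCE_DATE = date(2024, 1, 1)


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or '000' if that prefix is restricted."""
    digits = re.sub(r"\D", "", zip_code)   # tolerate "12345-6789" style input
    if len(digits) < 3:
        return "000"
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_date(d: date) -> str:
    """Safe Harbor allows only the year of a date tied to an individual."""
    return str(d.year)


def generalize_age(age: int) -> str:
    """Ages over 89 are aggregated into the single category '90+'."""
    return "90+" if age >= 90 else str(age)


def age_on(dob: date, reference: date) -> int:
    """Whole years between dob and reference, correcting for the birthday."""
    years = reference.year - dob.year
    if (reference.month, reference.day) < (dob.month, dob.day):
        years -= 1
    return years


def deidentify(record: dict, reference: date) -> dict:
    """Return a Safe Harbor-generalized copy of a flat record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                          # dropped entirely
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(int(value))
        else:
            out[key] = value                  # clinical content is kept
    # Edge case: for anyone over 89 even the birth year is an identifier,
    # so drop the generalized dob and report the aggregated category.
    if "dob" in record and age_on(record["dob"], reference) >= 90:
        out.pop("dob", None)
        out["age"] = "90+"
    return out


# Constructed sample record (fictional data for illustration only).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "email": "jx1984@example.com",   # an identifier even without a name in it
    "ssn": "123-45-6789",
    "zip": "03601",                  # restricted prefix in the placeholder set
    "dob": date(1931, 4, 2),         # age 92 on REFERENCE_DATE
    "admission_date": date(2023, 11, 15),
    "diagnosis": "pneumonia",
}


def run_sample() -> dict:
    """Apply the pass to the constructed sample record."""
    return deidentify(SAMPLE_RECORD, REFERENCE_DATE)


if __name__ == "__main__":
    print(run_sample())
```

Note that `deidentify` handles only structured fields; free-text notes can carry any of the 18 identifiers and need a separate redaction step, and the output still has to satisfy the "no actual knowledge" condition of the Safe Harbor standard.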
How Can PHI be Secured?
The HIPAA Security Rule requires covered entities and business associates to ensure the confidentiality, integrity, and availability of the ePHI they create, receive, maintain, or transmit, and to protect it against reasonably anticipated threats and hazards and against reasonably anticipated impermissible uses and disclosures.
The Security Rule requires administrative, physical, and technical safeguards to be implemented to keep ePHI secure. It is technology neutral, however: the precise security measures are left to the discretion of each organization, chosen and documented on the basis of an accurate and thorough risk analysis and the resulting risk management plan.
In addition to robust access controls, firewalls, encryption software, and logging and monitoring of access to PHI, it is important not to neglect training. HIPAA and security awareness training are essential for ensuring employees are aware of what PHI is, how it must be protected, and when it is possible to access, use, and disclose PHI.
PHI: Frequently Asked Questions
How is an allowable disclosure of PHI different to an incidental disclosure?
Covered entities are permitted to use and disclose PHI for treatment, payment, and health care operations without patient authorization. An incidental disclosure is a secondary, unintended disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a by-product of a use or disclosure that the Privacy Rule permits. It is itself permitted only when the covered entity has applied reasonable safeguards and the minimum necessary standard, for example a visitor overhearing part of a conversation at a nurses' station where voices are kept low.
Can email addresses that do not include a person’s name be considered as identifiers for PHI purposes?
Yes. The Safe Harbor list names email addresses as identifiers without qualification, so an address such as jx1984@example.com is an identifier even though it does not contain the person's name. The practical reason is that an address is linkable to a person: a search of social media or a reverse email lookup tool will often reveal the owner, or at least enough about them to make the accompanying health information individually identifiable, so it remains PHI.
Can you gauge what is a reasonably anticipated threat to PHI ?
All covered entities and business associates must carry out regular risk analyses in order to discover threats to PHI. By completing this covered entities will be in a position to ascertain potential threats. This will also allow for these reasonably anticipated threats to be planned for.
How are PII, PHI, and IIHI different?
Personally Identifiable Information (PII) is the general term for any data that can identify an individual, in any context. Individually Identifiable Health Information (IIHI) is health, treatment, or payment information that identifies an individual or could reasonably be used to do so. PHI is IIHI that is created, received, maintained, or transmitted by a HIPAA covered entity or business associate, excluding the education and employment records noted above.
Covered Entities are legally obliged, under HIPAA, to ensure that PHI is always handled in a compliant manner. If you are worried that individuals within your organization are unsure about the allowable uses and disclosures of PHI and how that information must be protected, then the best course of action is to arrange a refresher HIPAA training session as soon as possible.