What is Protected Health Information (PHI) under HIPAA?

What is PHI on the HIPAA and what is not a PHI?

When is a Health Information a PHI?

In a healthcare environment, we hear “health information” as well as “protected health information.” What others are confused with is what exactly is considered as PHI on the HIPAA rules? On the HIPAA, a PHI is any identifiable health information that is used, maintained, stored, or transmitted by a health provider, of a health plan, health insurer, or a healthcare clearinghouse that includes business associates of any covered entity. That also includes any transactions in the healthcare of the patient, or any billing of a patient.

PHI is health information in any form including physical records or electronic records or spoken information. It is not only a piece of passed-on health information that is considered PHI under HIPAA rules but also future information about medical conditions or physical or mental health information related to the provision of care or payment of care.

Therefore, PHI includes health records, health histories, lab test results, and medical bills. Essentially, all health information is considered PHI. It includes individual identifiers. Demographic information is also considered a PHI as a common identifier including patients’ names, social security numbers, driver’s license numbers, insurance details, and birthdays when they’re healthcare information.

The eighteen (18) identifiers that make information PHI are:

  1. Names
  2. Dates except for the year
  3. Telephone numbers
  4. Geographic data
  5. Fax numbers
  6. Social security numbers
  7. Email addresses
  8. Medical record numbers
  9. Account numbers
  10. Health plan beneficiary numbers
  11. Certificate license numbers
  12. Vehicle identifiers, serial numbers including license plates
  13. Web URLs
  14. Device identifiers and serial numbers
  15. Internet protocol addresses
  16. Full face photo and comparable images
  17. Biometric identifiers (Example: Retinal scans or fingerprints)
  18. Or any unique identifier or code

One or more of these unique identifiers turns this health information into PHI; and PHI HIPAA privacy rule will then apply which limits the uses and disclosure of this information. HIPAA-covered entities and their business associates will also need to ensure appropriate technical, physical, and administrative safekeeping to ensure the confidentiality, integrity, and availability of PHI as stipulated in the HIPAA security rule.

When is health information not PHI?

When is a “PHI” not a PHI? Here are some of the exceptions:

First, it depends on who records the information. A good example would be health trackers. If the physical device is worn on the body or apps on a mobile device, these devices can record health information such as heart rate or blood pressure which are considered PHI under HIPAA rules. But if they are recorded by a healthcare provider, or are used by a health plan, however, HIPAA only applies to HIPAA-covered entities and their business associates.

So if a device manufacturer or app development is not covered by a healthcare-covered entity, or its business associate, the information recorded will not be considered PHI under HIPAA.

The same applies to education or employment records. A hospital may hold data on its employees which can be included in some HIPAA health information – allergies and blood types for instance. But HIPAA does not apply to employment records and neither to education records.

Under HIPAA, PHI ceases to be PHI if it is stripped of all its identifiers that can tie the information to the original. If the identifiers are removed from the original information, it now then becomes a “de-identified PHI.” And for de-identified PHI, HIPAA rules no longer apply.

Hopefully, this helps you in identifying what is PHI on the HIPAA, and when is “PHI” not PHI.

As always, if you have any questions, reach out to Troinet and we’ll find the answers you need. You may also get our free HIPAA Compliance Online Assessment.