What Does PHI Stand For?

HIPAA’s Records Retention Requirements

The acronym PHI is generally used in association with health information, but what does PHI stand for? What information is considered PHI?

PHI stands for Protected Health Information. The term is often used in the Health Insurance Portability and Accountability Act (HIPAA) and related laws, for instance, the Health Information Technology for Economic and Clinical Health Act (HITECH). It pertains to any information concerning a patient, his or her healthcare, or the billing for healthcare services that are created, received, maintained retained, or shared by HIPAA-covered entities.

HIPAA-covered entities are primarily healthcare providers, health plans, business associates of healthcare providers, and healthcare clearinghouses. These entities need to employ controls to secure PHI against unauthorized disclosure, modification or destruction as specified by the HIPAA Privacy Rule.

The Department of Health & Human Services’ Office for Civil Rights refers to PHI as any Personal Identifying Information (PII) that – separately or combined with other data elements – could possibly allow a particular person or their healthcare status in the past, present, or future to be identified. Altogether, there are 18 unique identifiers regarded as PHI:

  • Names
  • Geographic information
  • All elements of dates
  • Email addresses
  • Phone numbers
  • FAX numbers
  • Account numbers
  • Social Security numbers
  • Health plan beneficiary numbers
  • Medical record numbers
  • Certificate/license numbers
  • Device identifiers and serial numbers
  • Vehicle information and serial numbers such as license plates
  • Web addresses
  • Internet protocol addresses
  • Biometric identifiers (i.e. retinal scan, finger prints)
  • Full face photographs and identical images
  • Any distinct identifying number, attribute or code

PHI stops being PHI once all eighteen unique identifiers are removed. Nevertheless, the information is still regarded as “protected” according to the 1981 Common Rule – an Act of Congress which stipulates the base standard of ethics under which all government-funded research in the United States are held. Practically all U.S. academic organizations have their researchers follow this standard of ethics irrespective of financing.

PHI Versus ePHI

ePHI stands for electronic Protected Health Information and pertains to any PHI that is created, acquired, stored, or digitally shared by HIPAA-covered entities. Because of the ease of access and sharing of electronically-stored data, ePHI is governed by the HIPAA Security Rule and also the HIPAA Privacy Rule. It is additionally governed by the HITECH ACT if a healthcare provider participates in the Meaningful Use program.

The Security Rule mainly comprises of technical, physical and administrative controls to prevent unauthorized ePHI access and sharing. It is important for appropriate security controls to be applied to ensure the confidentiality, integrity, and availability of ePHI. The failure to secure ePHI can result in significant financial penalties.