What Does PHI Stand For?

HIPAAGuide.net

In healthcare, PHI stands for Protected Health Information: information relating to an individual’s health condition, treatment for that condition, or payment for that treatment, together with any other information that could identify the subject of the PHI when it is maintained in the same designated record set. Identifying information that is not maintained in the same designated record set as health information is not PHI.

Although most healthcare organizations and their workforces understand what PHI stands for, not all have a full understanding of what PHI is. This misunderstanding can result in PHI being impermissibly disclosed through lack of knowledge, or in workforce members being unable to do their jobs because information that does not qualify as PHI has been secured beyond their access permissions.

Explanations of what PHI stands for frequently misquote the 18 identifiers listed in §164.514 of the Privacy Rule. These were (in 2002) the data elements that had to be removed from a designated record set before the remaining information could be considered de-identified under the Safe Harbor method. Additional identifiers now exist that must also be removed before the remaining information can be considered de-identified.

What is Protected Health Information (PHI)?

Rather than being defined “by HIPAA” or “by the Privacy Rule”, Protected Health Information (PHI) is defined in §160.103 of the HIPAA General Provisions. Taken out of context, the definition makes limited sense:

“Protected Health Information means individually identifiable health information that is:

(i) Transmitted by electronic media

(ii) Maintained in electronic media or

(iii) Transmitted or maintained in any other form or medium.”

To better understand this definition, it is necessary to review the definition of individually identifiable health information, which also appears in §160.103 of the HIPAA General Provisions.

“Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

(i) That identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.”

The key word in this definition, which determines whether an individual’s name, phone number, and email address qualify as PHI, is “and” at the end of section (2). If an individual’s name, phone number, and email address are maintained in a designated record set that contains information relating to the individual’s health condition, treatment for the condition, or payment for the treatment, they assume the same protections as the health information.

However, if an individual’s name, phone number, and email address are maintained in a database that does not contain health information (for example, a marketing database), they do not assume the same protections. In this scenario HIPAA does not apply to the name, phone number, and email address, but their security may still be governed by state law, such as state breach notification regulations.

What are Designated Record Sets?

No explanation of what PHI stands for is complete without an explanation of designated record sets. A designated record set (as defined in §164.501 of the Privacy Rule) is:

“(1) A group of records maintained by or for a covered entity that is: (i) The medical records and billing records about individuals maintained by or for a covered health care provider; (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.”

It is important to be aware that individuals can have multiple designated record sets with the same covered entity, and that a single item of health information counts as a designated record set. For example, a photo of a child displayed on a pediatrician’s “baby wall” is a designated record set: where the image is displayed indicates a past treatment (so it qualifies as PHI), and the photo can be used to identify the subject of the PHI.

All health information created, received, or maintained by a covered entity or business associate forms part of a designated record set. Most often, the information is combined into one large designated record set in an EHR, but this is not always the case. Different departments in the same hospital could each maintain a designated record set for the same individual, especially in hospitals that maintain paper records or that run incompatible EMRs.

In the context of HIPAA compliance, the significance of designated record sets is that, under §164.524 of the Privacy Rule, individuals have a right of access to PHI maintained in a designated record set, and, under §164.526, individuals have the right to request amendments to PHI maintained in a designated record set. For this reason, covered entities and business associates must know where PHI is at all times.

Misunderstandings of What PHI Stands For

Misunderstandings of what PHI stands for can lead to impermissible disclosures if a workforce member discloses information about an individual that is protected. However, misunderstandings are more common among the public, where they lead to unjustified complaints: more than half of the privacy complaints received by HHS’ Office for Civil Rights are rejected on intake because they do not represent violations of HIPAA.

Of possibly more concern to healthcare organizations and health plans is that misunderstandings of what PHI stands for can lead to non-health information being “over-secured”, causing operational inefficiencies when members of the workforce with insufficient access permissions cannot reach the individually identifiable non-health information they need to do their jobs in (for example) marketing, legal, transportation, and administration.

The risk this scenario presents is that members of the workforce with sufficient access permissions may share their login credentials for systems that hold designated record sets, to avoid being frequently disturbed by colleagues. However well intended, sharing login credentials violates §164.312 of the Security Rule, which requires access controls, audit controls, and unique user identification; it also defeats all three in practice, because actions taken under a shared account cannot be attributed to the person who took them.

Why There are More than 18 HIPAA Identifiers

When the list of HIPAA identifiers was originally published in the Notice of Proposed Rulemaking for the Privacy Rule (1999), there were actually 19 identifiers. The “names of relatives” and “names of employers” identifiers were subsequently removed from the list and moved into the introduction to the final standard, while the original identifier “any vehicle or other device serial number” was divided into two entries when the Privacy Rule was finalized in 2002.

Since 2002, several new ways of identifying an individual have emerged. Medicare Beneficiary Identifiers have been phased in since 2016, and some individuals now have social media aliases recorded in a designated record set. Similarly, an individual’s gender could be combined with other information to determine the subject of PHI. All of these identifiers qualify as PHI when maintained in a designated record set together with health information.

A less obvious identifier is an emotional support animal. Because they are not human members of an individual’s family or household, the possibility that details of an emotional support animal could be used to identify the subject of PHI may be overlooked. As such details are likely to be maintained alongside details of the individual’s health condition in a designated record set, this information also qualifies as PHI.
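The Safe Harbor identifier list from §164.514 (discussed earlier) and the newer identifiers this section describes can be made concrete with a small de-identification routine. The following Python is an added example written for this page, not code from HIPAAGuide.net or from HHS: the record field names are hypothetical, the sample record is constructed, and the list of three-digit ZIP prefixes that must be reported as 000 is the one HHS guidance derived from 2000 census data, which a real implementation would re-check against current data. The routine strips the listed identifier fields, keeps only the year of dates, collapses ages of 90 or older into “90+”, and truncates ZIP codes. It also demonstrates the point this section makes: a field the 2002 list did not anticipate (here a Medicare Beneficiary Identifier) passes straight through unless the caller names it.

```python
"""Safe Harbor-style de-identification of one patient record (added example).

Applies the §164.514(b)(2) rules: drop the listed identifier fields, keep only
the year of dates, report ages of 90 or older as "90+" (dropping a birth year
that would reveal such an age), and reduce ZIP codes to three digits or 000.
Field names are hypothetical and the sample record is constructed, not real.
"""
from __future__ import annotations

from datetime import date

# Hypothetical field names for the Safe Harbor categories: names, geography
# below state level, phone/fax, e-mail, SSN, MRN, beneficiary and account
# numbers, licence numbers, vehicle/device IDs, URLs, IP addresses, biometrics,
# full-face photos, and the catch-all "any other unique identifying code".
REMOVE_FIELDS = frozenset({
    "name", "relative_names", "street_address", "city", "county", "phone",
    "fax", "email", "ssn", "mrn", "beneficiary_id", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "fingerprint_template", "photo", "social_media_handle",
})
# Dates directly related to the individual: only the year may be kept.
DATE_FIELDS = frozenset({"date_of_birth", "admission_date", "discharge_date", "date_of_death"})
# ZIP prefixes HHS guidance says must become 000 (population of 20,000 or
# fewer in the 2000 census; re-check against current census data before use).
RESTRICTED_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
})
AGE_CAP = 90  # ages at or above this collapse into the single category "90+"
AS_OF = date(2024, 1, 1)  # constructed reference date for the age calculation


def zip3(zip_code: str) -> str | None:
    """First three ZIP digits, 000 for restricted prefixes, None if unusable."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) < 5:
        return None  # not a usable ZIP code: drop rather than guess
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def deidentify(record: dict, as_of: date, extra_identifiers: frozenset = frozenset()) -> dict:
    """Return a Safe Harbor de-identified copy of record.

    Fields not named in REMOVE_FIELDS, DATE_FIELDS or extra_identifiers pass
    through unchanged, so an identifier missing from the 2002 list leaks unless
    the caller names it. The "no actual knowledge" condition of Safe Harbor
    cannot be checked in code.
    """
    dob = record.get("date_of_birth")
    over_cap = isinstance(dob, date) and age_on(dob, as_of) >= AGE_CAP
    out: dict = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS or key in extra_identifiers:
            continue
        if key in DATE_FIELDS:
            if not isinstance(value, date):
                continue  # unparsed date: drop rather than leak day and month
            if key == "date_of_birth" and over_cap:
                continue  # birth year would reveal an age of 90 or older
            out[key] = value.year
        elif key == "zip":
            reduced = zip3(str(value))
            if reduced is not None:
                out[key] = reduced
        elif key == "age":
            out[key] = "90+" if over_cap or (isinstance(value, int) and value >= AGE_CAP) else value
        else:
            out[key] = value
    if over_cap and "age" not in out:
        out["age"] = "90+"
    return out


# Constructed sample record (no real patient data). The MBI-style field is
# deliberately absent from REMOVE_FIELDS so that the leak is visible.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "date_of_birth": date(1930, 5, 17),
    "admission_date": date(2023, 2, 3),
    "zip": "03601",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "diagnosis_code": "E11.9",
    "medicare_beneficiary_id": "1EG4-TE5-MK73",
}


def demo_leaky() -> dict:  # 2002-era field list only: the MBI survives
    return deidentify(SAMPLE_RECORD, AS_OF)


def demo_fixed() -> dict:  # same record with the newer identifier named
    return deidentify(SAMPLE_RECORD, AS_OF, frozenset({"medicare_beneficiary_id"}))


if __name__ == "__main__":
    print("2002 list only:", demo_leaky())
    print("with MBI named:", demo_fixed())
```

Running the block prints the record twice: once de-identified against the 2002-era field list, with the Medicare Beneficiary Identifier still present, and once with that field named as an extra identifier. Two things the code cannot do are worth stating. Safe Harbor also requires that the covered entity has no actual knowledge that the remaining information could identify the individual, and the “any other unique identifying number, characteristic, or code” category is only as complete as the field list someone maintains. Both are judgment calls, which is why training on the identifiers matters more than the list itself.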

Conclusion: Why it is Important to Understand What PHI Stands For

It is important to understand what PHI stands for so that information that needs to be protected is protected, while non-health information needed for operational efficiency remains available when required. It is also important in order to explain to individuals when a disclosure of non-health information is not a violation of HIPAA, preventing unjustified complaints from being escalated to HHS’ Office for Civil Rights.

For this reason, it can be beneficial to provide HIPAA training to all members of the workforce on what PHI stands for, what Protected Health Information is, what designated record sets are, and why there are more than 18 HIPAA identifiers. Covered entities and business associates that are unsure about what PHI stands for, or about how to communicate any other point discussed in this article to members of the workforce, are advised to seek professional compliance advice.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years and has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. He focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal, and was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/