In the healthcare industry, health information is often spoken of as protected health information or PHI, but what exactly is PHI?
The HIPAA Rules consider PHI to be any identifiable health data that a HIPAA-covered entity uses, maintains, stores, or transmits in connection with providing healthcare, paying for healthcare services, or for healthcare operations. A covered entity includes healthcare providers, health plans or health insurance providers, and healthcare clearinghouses. Business associates (vendors) of HIPAA-covered entities also have to comply with HIPAA Rules.
It isn’t just past and present health data that are regarded as PHI under HIPAA Rules. Future health data pertaining to physical and mental health conditions or the provision of and payment for health care are also covered by the PHI definition. PHI may include health information in the following forms: physical records, digital records, or spoken information.
PHI includes medical documents, health histories, laboratory test results, medical billing records, and EHRs. Basically, all health data is regarded as PHI if it includes personal identifiers. Demographic data is likewise regarded as PHI under HIPAA Rules, as are common identifiers such as patient names, driver’s license numbers, Social Security numbers, insurance information, and dates of birth, when they are used in combination with health information.
Health information is considered PHI when the following 18 identifiers are included:
- Dates, but not year
- Phone numbers
- Email addresses
- Geographic information
- FAX numbers
- Social Security numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers such as license plates
- Medical record numbers
- Account numbers
- Health plan beneficiary numbers
- Internet protocol addresses
- Website URLs
- Device identifiers and serial numbers
- Full face pictures and other identifying images
- Biometric identifiers (such as retinal scans and fingerprints)
- Any unique identifying code or number
It is a common mistake to consider all health data to be PHI under HIPAA, but there are exceptions.
First, it depends on who actually records the health information. For example, health trackers or physical devices worn on the body and mobile phone apps can log health data such as heart rate or blood pressure. Under HIPAA, this information is only considered PHI if it is collected by a HIPAA-covered entity, or by a business associate on behalf of a covered entity. That is because HIPAA applies only to HIPAA-covered entities and their business associates. If the device vendor or application developer has no agreement with a HIPAA-covered entity or a business associate, the data it records is not regarded as PHI under HIPAA.
The same applies to employment or education records. A hospital maintains records on its employees, which could include certain health details such as allergies or blood type, but HIPAA covers neither employment records nor education records.
PHI likewise stops being PHI once all identifiers that could link the data to a person are removed. When all identifiers are removed from PHI, it is considered de-identified, and its uses and disclosures are no longer limited by the HIPAA Privacy Rule.
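The identifier list above and the de-identification rule in this paragraph describe something a data-handling pipeline can check mechanically. The following Python is an added illustration, not code from the original article or from any HIPAA guidance: it assumes a flat record with field names of my own choosing (for example `mrn`, `beneficiary_id`, `visit_date`), uses constructed sample data, and detects only those identifier categories that have a recognisable textual pattern (SSNs, phone/fax numbers, e-mail addresses, IP addresses, URLs, full dates). Names, addresses, photos, biometrics and free-text device serials cannot be reliably found by regex, so they are handled here only as known fields; a real review would still need a human or a dedicated PHI-detection tool for free text.

```python
import re

# Assumed schema: fields that hold direct identifiers from the page's list.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "phone", "fax", "email", "street_address", "city", "zip",
    "ssn", "license_number", "vehicle_plate", "mrn", "account_number",
    "beneficiary_id", "ip_address", "url", "device_serial", "photo",
    "biometric", "other_unique_id",
})
# Assumed date fields: under the rule, only the year may be kept.
DATE_FIELDS = frozenset({"dob", "admit_date", "discharge_date", "visit_date", "death_date"})

# Identifier categories that can be spotted in free text by pattern.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\(?\b\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://[^\s)]+", re.IGNORECASE),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def year_only(value):
    """Reduce a date string (YYYY-MM-DD or MM/DD/YYYY) to its four-digit year."""
    m = re.search(r"\b(\d{4})\b", value)
    return m.group(1) if m else ""


def scan_text(text):
    """Return the sorted identifier kinds whose patterns occur in free text."""
    return sorted(kind for kind, rx in PATTERNS.items() if rx.search(text))


def check_safe_harbor(record):
    """List why a record is still PHI; an empty list means nothing identifying was found."""
    problems = []
    for key, value in record.items():
        if value in (None, ""):
            continue
        if key in DIRECT_IDENTIFIER_FIELDS:
            problems.append(f"direct identifier field present: {key}")
        elif key in DATE_FIELDS and not re.fullmatch(r"\d{4}", str(value)):
            problems.append(f"date field more specific than year: {key}")
        elif isinstance(value, str):
            for kind in scan_text(value):
                problems.append(f"{kind} pattern in free-text field: {key}")
    return problems


def deidentify(record):
    """Drop direct identifier fields, keep only the year of dates, redact patterns in text."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key in DATE_FIELDS:
            out[key] = year_only(str(value))
        elif isinstance(value, str):
            redacted = value
            for kind, rx in PATTERNS.items():
                redacted = rx.sub(f"[{kind.upper()} REMOVED]", redacted)
            out[key] = redacted
        else:
            out[key] = value
    return out


# Constructed sample record; every value is made up for the example.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "dob": "1980-06-15",
    "visit_date": "2023-11-02",
    "email": "jane.sample@example.com",
    "zip": "02139",
    "diagnosis": "Type 2 diabetes",
    "note": "Patient called from 555-867-5309 about lab results.",
}

if __name__ == "__main__":
    for problem in check_safe_harbor(SAMPLE_RECORD):
        print("PHI:", problem)
    cleaned = deidentify(SAMPLE_RECORD)
    print("after de-identification:", cleaned)
    print("remaining problems:", check_safe_harbor(cleaned))
```

The check runs in two directions on purpose: `check_safe_harbor` is the gate a pipeline applies before a dataset is treated as de-identified, and `deidentify` is the transformation that should make that gate pass. Running the gate again on the transformed output catches identifiers that the transformation missed (for example, a phone number hiding inside a clinical note), which is exactly the failure mode the paragraph above warns about: data that still carries a linking identifier is still PHI.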