What is Considered as PHI Under HIPAA?

What is PHI under HIPAA?

In the healthcare industry, health information is often spoken of as protected health information or PHI, but what exactly is PHI?

The HIPAA Rules consider PHI to be any identifiable health data that a HIPAA-covered entity creates, uses, maintains, or transmits in connection with providing healthcare, paying for healthcare services, or for healthcare operations. A covered entity can be a healthcare provider, a health plan, or a healthcare clearinghouse. Business associates of HIPAA-covered entities also have to comply with HIPAA.

It isn’t just past and present health data that are considered as PHI under HIPAA. Future health data pertaining to physical and mental health conditions or the provision of and payment for health care are also covered by the PHI definition. PHI may include health information in the following forms: physical records, digital records, or spoken information.

PHI includes medical documents, health histories, laboratory test results, medical billing records, and EHRs. Basically, all health data is regarded as PHI if it includes personal identifiers. Demographic data is likewise regarded as PHI under HIPAA Rules, as are common identifiers such as patient names, driver license numbers, Social Security numbers, insurance information, and dates of birth when they are used in combination with health information.

Health information is considered PHI when any of the following 18 identifiers are included:

  • Names
  • Dates, but not year
  • Phone numbers
  • Email addresses
  • Geographic information
  • FAX numbers
  • Social Security numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers such as license plates
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Internet protocol addresses
  • Website URLs
  • Device identifiers and serial numbers
  • Full face pictures and other identifying images
  • Biometric identifiers (such as retinal scans and fingerprints)
  • Any unique identifying code or number

De-identifying PHI

It is a mistake to consider all health data to be PHI under HIPAA at all times because there are exceptions.

First, it depends on who actually records the health information. For example, health trackers or physical devices worn on the body and mobile phone apps can log health data including heart rate or blood pressure. Under HIPAA, this information is only considered PHI if it is collected by or for a HIPAA-covered entity, or by a business associate on behalf of a covered entity. That is because HIPAA is only applicable to HIPAA-covered entities and business associates. If the device vendor or application developer has no agreement with a HIPAA-covered entity or a business associate, the data recorded is not considered PHI under HIPAA.

The same applies to education or health information collected by an employer (except in rare circumstances). A hospital maintains data on its employees, which could include certain health details such as allergies or blood type, but HIPAA doesn’t cover occupation records or education records.

PHI likewise stops being considered PHI under HIPAA if all identifiers that can link the data to a person are removed. If all identifiers are removed from PHI, it is considered de-identified PHI, and its uses and disclosures are no longer limited by the HIPAA Privacy Rule.

What is Considered PHI under HIPAA FAQs

What types of future health data are considered PHI under HIPAA?

Whenever any of the eighteen identifiers are associated with – for example – a prognosis, a forthcoming appointment, or a treatment plan, this would be future health data that is considered PHI under HIPAA.

What does the identifier “dates, but not years” mean?

This means that any date directly related to an individual (birth date, admission date, discharge date, etc.) is considered PHI under HIPAA except the year. This is because there may be thousands of individuals being admitted or discharged within any given year, so the year itself would not reveal sufficient information about an individual to identify them.

Are there rules about how PHI should be de-identified?

The rules about de-identifying PHI state that any code used to replace the identifiers cannot be derived from information related to the individual as this might enable the individual’s re-identification. For example, an individual’s initials cannot be used to code their data because the initials are derived from their name.
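The following sketch is an added example, not part of the original article. It illustrates two points made on this page: dates are reduced to the year, and the replacement code is random rather than derived from the individual's data. The field names, the allow-list, and the sample records are assumptions constructed for illustration.

```python
import secrets
from datetime import date

# Field names below are assumptions for this example, not defined by the page.
KEEP_FIELDS = {"diagnosis", "heart_rate"}        # health data carrying no identifier
DATE_FIELDS = {"birth_date", "admission_date"}   # reduced to the year only


class Deidentifier:
    """Replaces identifiers with random codes; the lookup table stays with the holder."""

    def __init__(self):
        self._code_by_mrn = {}

    def code_for(self, mrn):
        # Random code: nothing in it is computed from the name, MRN or dates,
        # unlike a code built from initials.
        if mrn not in self._code_by_mrn:
            self._code_by_mrn[mrn] = secrets.token_hex(8)
        return self._code_by_mrn[mrn]

    def deidentify(self, record):
        out = {"code": self.code_for(record["mrn"])}
        for key, value in record.items():
            if key in KEEP_FIELDS:
                out[key] = value
            elif key in DATE_FIELDS:
                try:
                    out[key.replace("_date", "_year")] = date.fromisoformat(value).year
                except (TypeError, ValueError):
                    pass  # unparseable date: drop it rather than pass it through
            # Any other field (name, phone, IP address, unknown keys) is dropped.
        return out


# Constructed sample records, not real data.
SAMPLE = [
    {"mrn": "MRN-0001", "name": "Jane Example", "birth_date": "1980-04-12",
     "admission_date": "2023-11-02", "ip_address": "192.0.2.10",
     "diagnosis": "hypertension", "heart_rate": 72},
    {"mrn": "MRN-0002", "name": "John Sample", "birth_date": "12/04/1975",
     "phone": "555-0100", "diagnosis": "asthma", "notes": "call John at home"},
]

if __name__ == "__main__":
    d = Deidentifier()
    for rec in SAMPLE:
        print(d.deidentify(rec))
```

The allow-list makes the function fail closed: a field it does not recognise, such as free-text notes, is dropped instead of being copied into the output.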

Why are Internet Protocol addresses and website URLs considered PHI?

An Internet Protocol (IP) address is a unique address that identifies a device connected to the Internet or a local network. IP addresses are much like the Internet’s telephone directory inasmuch as they can be used to identify the location of the device and its user. Website URLs use IP addresses to connect users to website domains, so could also be used to locate web servers and their users.

In what “rare circumstances” might HIPAA apply to an employer?

Employers may be subject to “partial” HIPAA compliance if they administer a self-insured health plan or act as an intermediary between employees, healthcare providers, and health plans. In these circumstances, employers are subject to §164.504(f)(2) of the Privacy Rule and are required to provide a certification that PHI will be safeguarded.