What is Considered as PHI Under HIPAA?

What is considered as PHI under HIPAA must be understood by all members of a covered entity’s or business associate’s workforce – not only to prevent impermissible uses and disclosures of PHI, but also to prevent information that is not considered as PHI under HIPAA from being secured unnecessarily.

There is considerable misunderstanding about what is considered as PHI under HIPAA. This is evident from online sources that confuse PHI with the so-called “18 PHI identifiers” that must be removed from a designated record set before any health information remaining in the designated record set can be considered de-identified under the Safe Harbor method.

Because of the misunderstanding, it is possible some PHI could be disclosed impermissibly because it does not appear in the list of 18 PHI identifiers. It is also possible information not protected by HIPAA is unnecessarily given protected status – preventing those who need access to it from doing their jobs because they do not have sufficient access permissions.

This article aims to resolve the misunderstanding about what PHI in HIPAA is by explaining what PHI stands for, how PHI has been defined in HIPAA, and when HIPAA PHI identifiers must be given protected status. It will also explain when identifiers are not considered as PHI under HIPAA so they can be maintained in more accessible databases.

To reinforce the explanations, there is a comprehensive list of FAQs at the end of the article providing examples of when identifying information is considered as PHI under HIPAA – and when it is not. Covered entities, business associates, and workforce members with further questions should seek professional HIPAA compliance advice.

What does PHI Stand For? What is PHI in HIPAA?

The acronym PHI stands for Protected Health Information. Protected Health Information consists of individually identifiable health information such as enrollment, medical, and billing records that is maintained in designated record sets and used by covered entities to make diagnosis, treatment, and/or payment decisions about a patient or plan member.


A patient or plan member can be the subject of multiple designated record sets, and a single item of individually identifiable health information can qualify as a designated record set. For example, a picture of a child on a pediatrician’s “baby wall” qualifies as a designated record set because it identifies the child and implies a healthcare relationship with the pediatrician.

PHI in HIPAA is protected by the Privacy and Security Rules in order to ensure the confidentiality of health information and to prevent the misuse of health information to commit identity theft and insurance fraud. Should a breach of confidentiality occur, HIPAA requires patients and plan members to be notified of the breach in order to protect themselves against theft or fraud.

In addition to individually identifiable health information being protected by HIPAA, any non-health information that could identify the subject of the PHI that is maintained in the same designated record set as PHI assumes the same protections. For a fuller explanation of this important point, see “What Else is Considered as PHI under HIPAA” below.

How Has PHI Been Defined in HIPAA?

PHI has been defined in HIPAA as any individually identifiable health information that is created, received, used, maintained, or transmitted by a covered entity or business associate that relates to an individual’s physical or mental health condition, treatment for the health condition, or payment for the treatment.

It is not just past and present individually identifiable health information that is considered as PHI under HIPAA. Information relating to an individual’s future health, treatment, or payment is also considered as PHI under HIPAA when it is created, received, used, maintained, or transmitted by a covered entity or business associate.

Of note, neither the term “Protected Health Information” nor the acronym “PHI” appears in the text of HIPAA, and the term was used only once in the recommendations made by the Secretary of Health and Human Services (HHS) to Congress in 1997 – throughout which the term “covered information” was used to describe what we now know as PHI in HIPAA.

It was only in the introduction to the first proposed Privacy Rule that the term “covered information” was replaced with “Protected Health Information”. However, the acronym “PHI” does not appear in any of the Administrative Simplification Regulations (e.g., the Privacy, Security, and Breach Notification Rules), and is rarely used in HIPAA guidance published by HHS.

What Else is Considered as PHI under HIPAA?

PHI does not always consist of just individually identifiable health information such as enrollment, medical, and billing records. It can also include any information that can be used – either separately or with any other piece of information – to identify the subject of the health information when it is maintained in the same designated record set as PHI.

When individually identifiable non-health information (i.e., names, telephone numbers, addresses, etc.) is maintained in the same designated record set, it is referred to as a HIPAA PHI identifier. HIPAA PHI identifiers must have the same protected status as individually identifiable health information for as long as they remain in the designated record set.

It is important to be aware that any identifying information can be considered as PHI under HIPAA when it is maintained in a designated record set – not just the 18 HIPAA PHI identifiers that are listed in §164.514 of the Privacy Rule. For example, if they are maintained in the same designated record set as PHI, the following would be considered PHI:

  • Social media aliases, as these can be used to impersonate an individual and access more information about the subject of the PHI via profile pages.
  • Medicare Beneficiary Identifiers (MBIs), which have replaced SSN-based HIC Numbers for most Medicare beneficiaries over the past six years.
  • Information about an emotional support animal if a picture of the animal or the information could be used to identify the subject of the PHI.

In addition, if information about a family member, other relative, or friend is included in the designated record set, and the subject of the PHI could be identified by the “third party” information, this information also assumes protected status. For this reason, there is a limitless number of elements of information that can be identified as PHI.

What is Not Considered PHI under HIPAA?

Identifying non-health information is not considered PHI under HIPAA when it is not maintained in the same designated record set as health information. If, for example, an individual’s name, telephone number, and address are maintained in a separate database with no health information, they do not have the same protections as PHI.

The benefit of maintaining identifiers in separate databases is that the databases can be accessed by members of the workforce with lower access permissions. Marketing departments, transport providers, and facility administrators may all need to have access to patient information without needing to know health, treatment, or payment information.

In addition, as only covered entities and business associates are required to comply with HIPAA, any identifying information maintained by a business that is not subject to HIPAA (e.g., a vendor of a fitness or weight loss app) is also not considered as PHI – even if it is maintained alongside individually identifiable health information.

However, while any identifying information maintained outside a designated record set or maintained by a business not subject to HIPAA does not have the same protections as PHI, the information may be protected by state privacy laws that stipulate what privacy and security measures must be implemented to safeguard the information.

What is Considered PHI under HIPAA FAQs

What types of future health data are considered PHI under HIPAA?

Whenever any identifying information is associated with – for example – a prognosis, a forthcoming appointment, or a treatment plan, this would be future health data that is considered as PHI under HIPAA.

What does the identifier “dates, but not years” mean?

This means that any date directly related to an individual (birth date, admission date, discharge date, etc.) is considered as PHI under HIPAA except the year. This is because there may be thousands of individuals being admitted or discharged within any given year, so the year itself would not reveal sufficient information about an individual to identify them.

Are there rules about how PHI should be de-identified?

The rules about de-identifying PHI state that any code used to replace the identifiers cannot be derived from information related to the individual, as this might enable the individual’s re-identification. For example, an individual’s initials cannot be used to code their data because the initials are derived from their name.
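As an added example that is not part of the article, the following Python sketch applies the two FAQ points above to a constructed record: dates are reduced to their year (“dates, but not years”), and the re-identification code that replaces the identifiers must not be derived from the individual’s own information (initials, phone or SSN digits, birth year). The field names, the sample record, and the subset of identifying fields are assumptions for the demo; the block does not enumerate the full list of Safe Harbor identifiers in §164.514, which the article also does not list.

```python
"""Illustrative Safe Harbor-style de-identification of one record.

Added example; the field lists below are a constructed subset chosen for the
demo and are NOT the full list of Safe Harbor identifiers in 45 CFR 164.514.
"""
import re
import secrets
from datetime import date
from typing import Optional, Tuple

# Identifying fields that are removed entirely from the released record (assumed subset).
DIRECT_IDENTIFIERS = ("name", "phone", "address", "ssn", "mbi")
# Date fields: only the year survives in the released record ("dates, but not years").
DATE_FIELDS = ("dob", "admission_date", "discharge_date")
# Health information that remains in the released record (assumed field names).
HEALTH_FIELDS = ("diagnosis", "treatment_plan")


def initials(name: str) -> str:
    """Initials of a personal name, e.g. 'Jane Q. Doe' -> 'JQD'."""
    return "".join(part[0].upper() for part in re.split(r"\s+", name.strip()) if part)


def code_is_derived_from(record: dict, code: str) -> bool:
    """True if a proposed re-identification code contains something taken from the
    individual's own data (initials, name parts, phone/SSN/MBI digits, birth year).
    Such codes are forbidden because they could enable re-identification."""
    tokens = set()
    if record.get("name"):
        tokens.add(initials(record["name"]).lower())
        tokens.update(part.lower() for part in record["name"].split())
    for field in ("phone", "ssn", "mbi"):
        digits = re.sub(r"\D", "", record.get(field, ""))
        if digits:
            tokens.add(digits)
            tokens.add(digits[-4:])
    if record.get("dob"):
        tokens.add(str(record["dob"].year))
    lowered = code.lower()
    return any(tok and tok in lowered for tok in tokens)


def new_reidentification_code(record: dict) -> str:
    """Random code from a CSPRNG, re-drawn if it happens to collide with the
    individual's own data, so it cannot be derived from the record."""
    while True:
        code = secrets.token_hex(8)
        if not code_is_derived_from(record, code):
            return code


def deidentify(record: dict, code: Optional[str] = None) -> Tuple[dict, dict]:
    """Return (released_record, reidentification_link).

    released_record is what may be shared as de-identified data; the link
    (code -> original identifiers) is retained separately by the covered entity.
    Raises ValueError when a caller supplies a code derived from the individual."""
    if code is None:
        code = new_reidentification_code(record)
    elif code_is_derived_from(record, code):
        raise ValueError("re-identification code must not be derived from the individual's data")

    released = {"code": code}
    for field in HEALTH_FIELDS:
        if field in record:
            released[field] = record[field]
    for field in DATE_FIELDS:
        if field in record:
            released[field + "_year"] = record[field].year
    link = {code: {f: record[f] for f in DIRECT_IDENTIFIERS + DATE_FIELDS if f in record}}
    return released, link


# Constructed sample record; all values are fictitious.
SAMPLE = {
    "name": "Jane Q. Doe",
    "phone": "555-0100",
    "address": "1 Example St",
    "ssn": "000-00-0000",
    "dob": date(1980, 5, 17),
    "admission_date": date(2023, 2, 3),
    "diagnosis": "J45.20",
    "treatment_plan": "inhaled corticosteroid",
}

if __name__ == "__main__":
    released, link = deidentify(SAMPLE)
    print("released:", released)
    print("retained link:", link)
    try:
        deidentify(SAMPLE, "JQD-001")  # initials-based code is rejected
    except ValueError as exc:
        print("rejected:", exc)
```

The released dictionary keeps the health fields and the years only, while the code-to-identifier link is the piece that must stay in a separately secured store; the initials-based code `JQD-001` is refused for exactly the reason the FAQ gives.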

Why are Internet Protocol addresses and website URLs considered PHI?

Internet protocol addresses and website URLs are only considered as PHI under HIPAA if they are maintained in a designated record set and could be used to identify the subject of any health information in the same record set. With regards to why they are considered as PHI under HIPAA:

An Internet Protocol (IP) address is a unique address that identifies a device connected to the Internet or a local network. IP addresses are much like the Internet’s telephone directory inasmuch as they can be used to identify the location of the device and its user. Website URLs use IP addresses to connect users to website domains, so they could also be used to locate web servers and their users.

In what “rare circumstances” might HIPAA apply to an employer?

Employers may be subject to “partial” HIPAA compliance if they administer a self-insured health plan or act as an intermediary between employees, healthcare providers, and health plans. In these circumstances, employers are subject to §164.504(f)(2) of the Privacy Rule and are required to provide a certification that PHI will be safeguarded.

Is a date of birth PHI?

A date of birth – by itself – is not PHI because it does not identify the individual to whom the date relates. However, if the date of birth is maintained in a designated record set with other information that can identify the subject of the record set, it becomes PHI and assumes the protections of the Privacy and Security Rules.

Is a phone number PHI?

A phone number maintained in a designated record set with other identifying information is PHI. However, if a phone number, a name, and other identifying information (address, name of spouse, etc.) are maintained in a database that does not include health information, they are not considered PHI under HIPAA. Although the phone number is not protected by HIPAA in this example, it may be protected by other privacy and security laws.

Is a patient name alone considered PHI under HIPAA?

No, because a patient name by itself does not reveal any medical, treatment, or payment information. Names, addresses, and telephone numbers are usually in the public domain (e.g., via a phone directory), so it would be a waste of resources to protect information that could be found elsewhere – and securing non-PHI behind access controls could also hinder the flow of information in a healthcare facility.

Are patient initials considered PHI?

The question of whether patients’ initials are considered PHI under HIPAA is raised more than you might expect due to guidance issued by the Department of Health and Human Services relating to the de-identification of PHI in a designated record set using the safe harbor method.

In the guidance, patients’ initials are mentioned twice – once in the context of disclosing patients’ initials in a de-identified designated record set, and once when fields of unstructured text are derived from the safe harbor listed identifiers in §164.514.

In both cases, the guidance is that the initials should be removed from the designated record set – implying patient initials are considered PHI under HIPAA. However, this only applies when the initials are maintained in a designated record set.

If patient initials are maintained in a data set that does not contain health information (e.g., initials, surname, and telephone number), none of the information in the data set is PHI because it does not relate to the individual’s health information.

Is SSN PHI?

Up until December 2019, social security numbers (SSNs) were considered PHI under HIPAA because they could be used to obtain Medicare benefits. In this respect, SSNs fulfilled the criteria for PHI as they related to the “past, present, or future payment for the provision of health care to an individual.”

From 2016 onward, SSNs have been replaced by Medicare Beneficiary Identifiers (MBIs) and can now no longer be used to obtain Medicare benefits. However, in cases where an SSN still exists in an individual’s “designated record set” (typically a group of medical and billing records that also contain individual identifiers), the SSN is still considered PHI under HIPAA because it could be used to identify the individual to whom the medical information in the record set relates.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/