What is Considered as PHI Under HIPAA?

What is considered PHI under HIPAA needs to be explained to every member of a covered entity's or business associate's workforce, not only to prevent impermissible uses and disclosures of PHI, but also to prevent information that is not PHI from being locked down more tightly than necessary and impeding the flow of information.

The HIPAA Privacy Rule treats as PHI (Protected Health Information) any individually identifiable health information that is created, received, used, maintained, or transmitted by a covered entity or business associate and that relates to an individual's health condition, the provision of health care to the individual, or payment for that health care.

However, it isn't just past and present individually identifiable health information that is PHI under HIPAA. Information relating to an individual's future health, treatment, or payment is also PHI when it is created, received, used, maintained, or transmitted by a covered entity or business associate.

What Else is Considered as PHI under HIPAA?

PHI is not limited to medical records, health histories, laboratory test results, and medical billing records. It also includes any information that can be used, either on its own or in combination with other information, to identify the subject of the health information when that information is maintained in the same designated record set as the health information.

However, many sources describe PHI by pointing to the list of identifiers that must be removed before the remaining health information ceases to be protected by the Privacy Rule. That list describes the safe harbor de-identification method, not what is considered PHI. Nor can the "18 identifiers" in §164.514(b) be relied upon as an exhaustive list of identifiers: the final item on the list is a catch-all for "any other unique identifying number, characteristic, or code".

The list was published more than twenty years ago, and the ways in which people can be identified have multiplied since then. For example, a social media alias that is not a name but could be used to identify an individual falls under that catch-all: it is PHI when maintained with health information, and it has to be removed when de-identifying health information under the safe harbor method.


When is Identifying Information not PHI?

Identifying information that is not itself health information is not PHI when it is not maintained in the same designated record set as health information. If an individual's name, address, and telephone number are held in a separate database that contains no health information, they do not have the protections of PHI.

In addition, because only covered entities and business associates are required to comply with HIPAA, identifying information maintained by a business that is not subject to HIPAA (e.g., the vendor of a fitness or weight-loss app) is not PHI either, even if it is held alongside individually identifiable health information.

However, identifying information held outside a designated record set, or by a business not subject to HIPAA, may still be protected by state privacy laws, which stipulate their own privacy and security measures for safeguarding it.

What is PHI in HIPAA?

PHI in HIPAA stands for Protected Health Information: information created, received, maintained, or transmitted by a covered entity or business associate that relates to an individual's past, present, or future health condition, treatment for the condition, or payment for the treatment. Any identifying information maintained with PHI in the same designated record set assumes the same protections.

Neither the term "Protected Health Information" nor the acronym "PHI" appears in the text of the HIPAA statute. The term was used only once in the recommendations on the confidentiality of individually identifiable health information that the Secretary of Health and Human Services (HHS) made to Congress in 1997; throughout that document the term "covered information" was used to describe what we now know as PHI.

It was only in the preamble to the first proposed Privacy Rule that "covered information" was replaced with "Protected Health Information", to emphasize that the information requires protection. The acronym "PHI" is widely used in HHS guidance, but it does not appear in the regulatory text of the Administrative Simplification Regulations (e.g., the Privacy, Security, and Breach Notification Rules).

What is Considered PHI under HIPAA FAQs

What types of future health data are considered PHI under HIPAA?

Whenever identifying information is associated with, for example, a prognosis, a forthcoming appointment, or a treatment plan, the result is future health data that is PHI under HIPAA.

What does the identifier "all elements of dates (except year)" mean?

This identifier is listed in §164.514(b) as "all elements of dates (except year) for dates directly related to an individual". It means that the day and month of a birth date, admission date, discharge date, date of death, etc. must be removed under the safe harbor method, while the year may remain. The rationale is that thousands of individuals may be born, admitted, or discharged in any given year, so the year alone does not narrow the population enough to identify anyone.

Are there rules about how PHI should be de-identified?

Yes. Under the safe harbor method, the listed identifiers are removed rather than masked. If the covered entity assigns a code so that the data can later be re-identified, §164.514(c) requires that the code is not derived from or related to information about the individual, and that the re-identification mechanism is not disclosed. For example, an individual's initials cannot be used as the code because they are derived from the name.
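The two de-identification rules in the answers above (dates reduced to the year, and a re-identification code that must not be derived from the individual) can be expressed as a small program. The following is an added example written for this page, not code from the original article or from HHS: the field names, helper names and the sample record are constructed for illustration, and the "derived code" check is a heuristic of this example rather than a test the regulation specifies. It also redacts a patient's initials from a free-text notes field, the case the safe harbor guidance on initials addresses.

```python
from __future__ import annotations

import re
import secrets
from datetime import date

# Constructed field names assumed to hold safe-harbor identifiers (added example).
DIRECT_IDENTIFIER_FIELDS = frozenset({"name", "address", "phone", "email", "ssn",
                                      "mrn", "social_alias", "ip_address", "url"})
DATE_FIELDS = frozenset({"birth_date", "admission_date", "discharge_date"})  # year survives
FREE_TEXT_FIELDS = frozenset({"notes"})  # may repeat identifiers, e.g. initials

def year_only(value: date | str) -> str:
    """'1984-03-09' -> '1984' ("all elements of dates except year")."""
    if isinstance(value, date):
        return str(value.year)
    match = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", value.strip())
    if not match:
        raise ValueError(f"unrecognised date: {value!r}")
    return match.group(1)

def name_tokens(name: str) -> list[str]:
    return [t for t in re.split(r"[\s.\-]+", name) if t]

def initials_of(name: str) -> str:
    """'Jane Q. Doe' -> 'JQD'."""
    return "".join(t[0] for t in name_tokens(name)).upper()

def _compact(value: str) -> str:
    return re.sub(r"[^0-9A-Za-z]", "", value).upper()

def code_is_derived(code: str, record: dict) -> bool:
    """Heuristic of this example: flag a code equal to the initials, containing a
    name token of 3+ letters, or containing any 4-character run from an identifier."""
    compact = _compact(code)
    name = str(record.get("name", ""))
    if not compact or compact == initials_of(name):
        return True
    if any(t.upper() in compact for t in name_tokens(name) if len(t) >= 3):
        return True
    for field in DIRECT_IDENTIFIER_FIELDS:
        value = _compact(str(record.get(field, "")))
        if any(value[i:i + 4] in compact for i in range(len(value) - 3)):
            return True
    return False

def new_code(record: dict) -> str:
    """Random code, regenerated if it happens to share a run with an identifier."""
    while True:
        code = secrets.token_hex(8)
        if not code_is_derived(code, record):
            return code

def scrub_free_text(text: str, record: dict) -> str:
    """Redact the patient's initials ("J.Q.D.", "JQD") and name tokens from notes."""
    name = str(record.get("name", ""))
    tokens = [t for t in name_tokens(name) if len(t) >= 2]
    if not tokens:
        return text
    initials = initials_of(name)
    if len(initials) >= 2:
        dotted = r"\b" + r"\.?\s?".join(initials) + r"\.?(?=\W|$)"
        text = re.sub(dotted, "[REDACTED]", text)
    words = r"\b(?:" + "|".join(re.escape(t) for t in tokens) + r")\b"
    return re.sub(words, "[REDACTED]", text, flags=re.IGNORECASE)

def deidentify(record: dict, code: str | None = None) -> dict:
    """Return a de-identified copy of `record`; reject a caller-supplied derived code."""
    if code is None:
        code = new_code(record)
    elif code_is_derived(code, record):
        raise ValueError("re-identification code is derived from the individual")
    out = {"reid_code": code}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # removed outright, not masked
        if field in DATE_FIELDS:
            out[field] = year_only(value)
        elif field in FREE_TEXT_FIELDS:
            out[field] = scrub_free_text(str(value), record)
        else:
            out[field] = value
    return out

# Constructed sample record; not real data.
SAMPLE_RECORD = {
    "name": "Jane Q. Doe",
    "phone": "555-0142",
    "ssn": "123-45-6789",
    "ip_address": "203.0.113.7",
    "birth_date": "1984-03-09",
    "admission_date": date(2024, 1, 15),
    "discharge_date": "2024-01-19",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": "Pt J.Q.D. (Doe) reports improved glucose control.",
}
```

For the sample record, `deidentify(SAMPLE_RECORD)` returns only `reid_code`, the three dates reduced to `"1984"`, `"2024"` and `"2024"`, the diagnosis, and the notes with both the dotted initials and the surname replaced by `[REDACTED]`; `deidentify(SAMPLE_RECORD, code="JQD")` raises because the code is the patient's initials. Identifier fields are dropped rather than hashed or masked, since a value that can be reversed or matched is still an identifier.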

Why are Internet Protocol addresses and website URLs considered PHI?

Internet Protocol (IP) addresses and website URLs are only PHI under HIPAA when they are maintained in a designated record set and could be used to identify the subject of the health information in that record set. They appear on the safe harbor list of identifiers for the following reasons.

An IP address identifies a device's network endpoint at a given time, and with access to ISP, hosting, or server records it can be linked to a subscriber, an approximate location, and ultimately a person. A URL can carry identifying information directly, such as a patient-portal username, an account number, or a query string that embeds a name or appointment details, and the web server logs that record a URL usually record the requesting IP address alongside it.

In what “rare circumstances” might HIPAA apply to an employer?

Employers are generally not covered entities, but an employer that sponsors a self-insured group health plan, or that otherwise handles PHI on the plan's behalf, may have to comply with parts of HIPAA. The group health plan itself is the covered entity; under §164.504(f)(2) of the Privacy Rule, its plan documents must be amended to restrict the plan sponsor's uses and disclosures of PHI, and the sponsor must certify that the plan documents have been amended and that it will comply with them.

Is a date of birth PHI?

A date of birth by itself is not PHI because it does not identify the individual to whom it relates. However, when the date of birth is maintained in a designated record set with other information that identifies the subject of the record set, it is PHI and assumes the protections of the Privacy and Security Rules.

Is a phone number PHI?

A phone number maintained in a designated record set with health information and other identifying information is PHI. If the phone number, a name, and other identifying information (address, name of spouse, etc.) are maintained in a database that contains no health information, the information is not PHI under HIPAA, although it may be protected by other privacy and security laws.

Is a patient name alone considered PHI under HIPAA?

No. A patient name by itself does not reveal any medical, treatment, or payment information. Names, addresses, and telephone numbers are often already in the public domain (e.g., in a phone directory), so protecting them as PHI would spend resources on information obtainable elsewhere, and placing non-PHI behind access controls could hinder the flow of information in a healthcare facility.

Are patient initials considered PHI?

The question of whether patients' initials are PHI under HIPAA comes up more often than you might expect, because of guidance issued by the Department of Health and Human Services on de-identifying PHI using the safe harbor method.

In that guidance, patients' initials are mentioned twice: once in the context of disclosing initials in a de-identified data set, and once when fields of unstructured text are derived from the identifiers listed in §164.514(b).

In both cases the guidance is that the initials should be removed, implying that patient initials are PHI under HIPAA. However, this applies only when the initials are maintained in a designated record set with health information.

If patient initials are maintained in a data set that contains no health information (e.g., initials, surname, and telephone number), nothing in that data set is PHI, because none of it relates to the individual's health.

Is SSN PHI?

Social security numbers (SSNs) used to be considered PHI in their own right because, as the basis of the Medicare Health Insurance Claim Number, they could be used to obtain Medicare benefits and so related to the "past, present, or future payment for the provision of health care to an individual."

Under the Medicare Access and CHIP Reauthorization Act of 2015, SSN-based claim numbers were replaced by Medicare Beneficiary Identifiers (MBIs); new Medicare cards were mailed from April 2018, and since January 2020 only the MBI can be used for Medicare transactions. However, where an SSN still exists in an individual's designated record set (typically a group of medical and billing records that also contain individual identifiers), the SSN remains PHI because it could be used to identify the individual to whom the medical information relates. SSNs also remain on the safe harbor list of identifiers that must be removed when de-identifying health information.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/