This article answers one of the most commonly asked questions related to HIPAA – What is considered PHI?
The healthcare industry commonly uses terms such as PHI and PII. What do these acronyms mean and what information do they cover? PHI stands for Protected Health Information. PII stands for Personally Identifiable Information. Before explaining these terms further, we need to first understand what health information is.
Health information includes all data associated with the provision of healthcare and the payment for healthcare services. Health data is generated or obtained by a healthcare provider, business associate of a HIPAA-covered entity, healthcare clearinghouse, public health authority, health plan, school/university, or employer/company. Health information includes all information that pertains to health conditions or physical/mental health in the past, present, and future that is related to the provision of healthcare services or paying for those services.
Personally identifiable information (PII) or individually identifiable health information (IIHI) refers to any health information that allows a patient to be identified. For instance, a health diagnosis like asthma becomes PII if it also contains an identifier that associates the information with a particular patient, or if there is a way that the information can be used to identify a patient.
Protected health information (PHI) is individually identifiable health information used by a HIPAA-covered entity or its business associate in physical or digital form. PHI relates to health information that is created, maintained, or transmitted by a HIPAA-covered entity or business associate, but does not include school or employment records.
So what does HIPAA consider as PHI? PHI includes all health data including EHR/EMRs, laboratory test results, medical histories, diagnoses, treatment details, insurance plan details, allergy information, unique identifiers, and demographic data. When information is generated, utilized, or shared by a HIPAA covered entity or business associate in relation to delivering healthcare, or is utilized for processing payment for healthcare, it is regarded as PHI. The use of that information is restricted under the HIPAA Privacy Rule.
The HIPAA Privacy Rule specifies the allowable uses and disclosures of PHI. Permission to share PHI without first acquiring patient consent to disclose the information is only granted to HIPAA-covered entities for purposes of treatment, payment and healthcare operations as defined in 45 CFR 164.501.
The HIPAA Privacy Rule likewise allows patients to get copies of their PHI that is stored or used by a covered entity. In these instances, a patient submits a request to the covered entity to produce copies of PHI in a designated record set. The designated record set includes data that the covered entity uses in order to provide treatment or process payment for healthcare, as well as data that a covered entity kept and used to make judgments concerning patient healthcare enrollment or claims adjudication and that is stored in medical record systems.
Protected Health Information: FAQ
How does PHI differ from PII?
PHI stands for Protected Health Information and is any data that was generated, used, or disclosed during a patient’s medical care. Personally Identifiable Information (PII), by contrast, is a general term and covers any data that can be used to identify an individual. PHI exists in the context of HIPAA, whereas PII is not necessarily health-related.
When can PHI be used?
The HIPAA Privacy Rule defines the permissible uses of PHI, and for what purposes it may be disclosed to others. These cases include the use of PHI for patients’ medical care, payment for medical care, or other health care operations. With an appropriate business associate agreement (BAA), the information can be passed on to third parties. Any uses that are not covered by the HIPAA Privacy Rule require express authorization from the patient.
Can patients access their PHI?
Yes, HIPAA grants patients the right to access their PHI within a reasonable time frame. Covered entities can charge a “reasonable” fee for such requests, usually associated with personnel or processing costs. Patients may also request that their PHI be amended if they believe it to be inaccurate.
How specific is PHI?
Obviously, some PHI is more identifiable than others. It is harder to trace a Ms A Smith in Seattle (population 737,000) than a Ms A Smith in West Haven, Connecticut (population 55,000). However, it would be too complicated to distinguish between these cases, or to alter the definition of PHI based on other factors (such as how common a surname is or how generic an email address is). Anything that could be used to trace the originator of the information is therefore considered PHI, no matter how generic the piece of information is.
Is all health data PHI?
No, not all health-related data is considered to be PHI under HIPAA. For example, data collected on personal devices – such as heart rate, step count, etc. – would not be considered PHI unless it was then transmitted to a HIPAA covered entity. The data is instead considered to be personal data.