What is Considered PHI?

This article answers one of the most commonly asked questions related to HIPAA – What is considered PHI?

The healthcare industry commonly uses terms such as PHI and PII. What do these acronyms mean and what information do they cover? PHI stands for Protected Health Information. PII stands for Personally Identifiable Information. Before explaining these terms further, we first need to understand what health information is.

Health information includes all data associated with the provision of healthcare and the payment for healthcare services. Health data is generated or obtained by a healthcare provider, business associate of a HIPAA-covered entity, healthcare clearinghouse, public health authority, health plan, school/university, or employer/company. Health information includes all information that pertains to health conditions or physical/mental health in the past, present, and future that is related to the provision of healthcare services or paying for those services.

Personally identifiable information (PII) or individually identifiable health information (IIHI) refers to any health information that allows a patient to be identified. For instance, a health diagnosis like asthma becomes PII if it also contains an identifier that associates the information with a particular patient, or if there is a way that the information can be used to identify a patient.

Protected health information (PHI) is individually identifiable health information used by a HIPAA-covered entity or its business associate in physical or digital form. PHI relates to health information that is created, maintained, or transmitted by a HIPAA-covered entity or business associate, but does not include school or employment records.

So what does HIPAA consider as PHI? PHI includes all health data including EHR/EMRs, laboratory test results, medical histories, diagnoses, treatment details, insurance plan details, allergy information, unique identifiers, and demographic data. When information is generated, utilized, or shared by a HIPAA covered entity or business associate in relation to delivering healthcare, or is utilized for processing payment for healthcare, it is regarded as PHI. The use of that information is restricted under the HIPAA Privacy Rule.

The HIPAA Privacy Rule specifies the allowable uses and disclosures of PHI. Permission to share PHI without first acquiring patient consent to disclose the information is only granted to HIPAA-covered entities for purposes of treatment, payment and healthcare operations as defined in 45 CFR 164.501.

The HIPAA Privacy Rule likewise allows patients to get copies of their PHI that is stored or used by a covered entity. In these instances, a patient submits a request to the covered entity to produce copies of PHI in a designated record set. The designated record set includes data that the covered entity uses in order to provide treatment or process payment for healthcare, as well as data that a covered entity kept and used to make judgments concerning patient healthcare enrollment and claims adjudication, and that is stored in medical record systems.