Some patients, and even some healthcare employees, may not be 100% sure exactly what is regarded as protected health information under HIPAA. Protected health information is the term used to describe individually identifiable information associated with an individual’s healthcare. It may be created, stored or shared by a HIPAA-covered entity while providing healthcare, or used in relation to payment for medical care services.
Under HIPAA, the following information is regarded as protected health information (PHI) when a covered entity or business associate holds it together with an individual's health information:
- Health data, including clinical test results, diagnoses, treatment records and prescribed medications
- Government-issued identifiers such as Social Security numbers and driver's license numbers
- Demographic information such as sex, date of birth, race, and contact details
PHI covers health information in physical form, such as paper patient charts and x-ray films, as well as in electronic form, known as electronic PHI (ePHI). Both refer to information that is created, received, stored, transmitted or maintained by a HIPAA covered entity (healthcare providers, health plans, healthcare clearinghouses) or by a business associate of a covered entity. Education records covered by FERPA and records that a covered entity holds in its capacity as an employer are excluded from PHI.
PHI/ePHI is, in short, health information combined with personal information that identifies an individual. Once all identifiers are removed, the information is de-identified, it is no longer PHI, and the HIPAA Privacy Rule no longer applies to it.
The identifiers that must be removed under the Privacy Rule's Safe Harbor de-identification method are listed below:
- Names (including a last name with initials)
- All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code), except the first three digits of a ZIP code, which may be kept if, according to publicly available data from the U.S. Bureau of the Census, the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; for units containing 20,000 or fewer people, those three digits are changed to 000
- All elements of dates (except year) directly related to an individual, such as birth date, admission date, discharge date and date of death; and all ages over 89 and any date elements (including year) that would reveal such an age, except that these may be aggregated into a single category of age 90 or older
- Telephone Numbers
- Fax numbers
- Email addresses
- Health plan beneficiary numbers
- Medical record numbers
- Social Security numbers
- Account numbers
- Certificate/license numbers
- Device identifiers and serial numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) addresses
- Full-face photographs and any comparable images that would allow a patient to be identified
- Biometric identifiers, like retinal scans and finger and voice prints
- Any other unique identifying number, characteristic or code, other than a re-identification code assigned by the covered entity, provided that code is not derived from information about the individual and the re-identification method is not disclosed
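As an added worked example (not part of the original article), here is how the two rules above that involve arithmetic, the ZIP3 population rule and the year-only date rule with the over-89 age cap, look when applied field by field to a record. The ZIP3 population table, the field names and the sample record are constructed for the example; a real implementation must take the population figures from Census data and set its field allow-list against its own schema.

```python
"""Safe Harbor style de-identification of a few record fields (added example)."""
import re
from datetime import date

# Population per ZIP3 area (first three ZIP digits). The rule requires these
# figures to come from U.S. Census Bureau data; the values below are CONSTRUCTED
# for this example and must not be used for real de-identification.
ZIP3_POPULATION = {
    "021": 650_000,  # large metro area: well over 20,000, ZIP3 may be kept
    "036": 15_000,   # fewer than 20,000 people: must be changed to 000
    "590": 20_000,   # exactly 20,000: "20,000 or fewer", so also 000
    "902": 900_000,
}
POPULATION_THRESHOLD = 20_000
AGE_CAP = 89  # ages over 89 collapse into a single "90+" category

# Hypothetical field names for this example's record schema.
# Direct identifiers from the Safe Harbor list, dropped outright.
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "email", "account_number"}
# Dates directly related to the individual: only the year survives.
DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}
# Fields carried through unchanged (not on the identifier list).
PASSTHROUGH = {"diagnosis", "sex", "race", "state"}


def deidentify_zip(zip_code, populations=ZIP3_POPULATION):
    """Return the retainable ZIP3, or '000' when the rule requires suppression."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) not in (5, 9):
        raise ValueError(f"not a ZIP or ZIP+4 code: {zip_code!r}")
    zip3 = digits[:3]
    population = populations.get(zip3)
    # Fail closed: an unknown ZIP3 cannot be shown to exceed 20,000 people.
    if population is None or population <= POPULATION_THRESHOLD:
        return "000"
    return zip3


def _age_on(dob, as_of):
    """Whole years of age on the reference date (both ISO 8601 strings)."""
    born = date.fromisoformat(dob)
    ref = date.fromisoformat(as_of)
    return ref.year - born.year - ((ref.month, ref.day) < (born.month, born.day))


def deidentify_birth_date(dob, as_of):
    """Keep only the birth year, unless even the year would reveal an age over 89."""
    if _age_on(dob, as_of) > AGE_CAP:
        return "90+"
    return str(date.fromisoformat(dob).year)


def deidentify_date(value):
    """Strip every date element except the year."""
    return str(date.fromisoformat(value).year)


def deidentify_record(record, as_of):
    """Apply the rules field by field; anything not explicitly handled is dropped."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = deidentify_zip(value)
        elif key == "dob":
            out["birth_year"] = deidentify_birth_date(value, as_of)
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = deidentify_date(value)
        elif key in PASSTHROUGH:
            out[key] = value
        # Unknown fields fall through and are dropped: the allow-list is the safety net.
    return out


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "zip": "03601-1234",
    "dob": "1930-01-01",
    "admission_date": "2023-11-05",
    "diagnosis": "E11.9",
    "state": "NH",
    "license_plate": "ABC 123",  # not handled explicitly, so it is dropped
}

if __name__ == "__main__":
    print(deidentify_record(SAMPLE_RECORD, as_of="2024-01-01"))
```

Two design choices are worth copying: the record function uses an allow-list, so a field nobody thought about (the license plate here) is dropped rather than leaked, and an unknown ZIP3 is suppressed to 000 because the rule only permits retention when the population is shown to exceed 20,000. Note also that the over-89 check needs a reference date: a birth year that is harmless today can indicate an age over 89 in a dataset released later.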
The HIPAA Security Rule requires covered entities and their business associates to protect ePHI against reasonably anticipated threats and impermissible uses or disclosures. Administrative, physical and technical safeguards must be in place to ensure the confidentiality, integrity and availability of ePHI; the Privacy Rule, which covers PHI in any form, separately requires reasonable safeguards for paper and oral PHI.
The Security Rule is technology neutral. It sets out safeguard standards and implementation specifications but, apart from a small number of "required" specifications, leaves the choice of specific measures to the covered entity. "Addressable" specifications must be implemented, replaced by an equivalent alternative, or documented as not applicable, and every such decision should be guided by a HIPAA-compliant risk analysis. Technical safeguards may include encryption and firewalls. Physical safeguards can include locked storage for paper records and electronic media when they are not in use. Administrative safeguards can include access controls that limit who may view PHI and security awareness training for the workforce.