Demystifying Protected Health Information: What is PHI under HIPAA Privacy Rule

Although Health Insurance Portability and Accountability Act (HIPAA) requirements and rules have been in effect for 25 years, confusion remains around some of the law’s components. A frequent area of confusion is how healthcare organizations and other covered entities recognize, share, and safeguard protected health information (PHI). The following sections dig deeper into this topic and offer some compliance strategies to consider for your practice.

What Is PHI?

PHI is any health information that identifies an individual or that can be used to identify an individual, including the presence of any one of the 18 identifiers listed below in combination with identification of a healthcare business or provider. It can relate to:

• A person’s past, present, or future physical, health or condition
• The provision of healthcare to the individual
• The past, present, or future payment for the provision of healthcare to the individual

When covered entities and their business associates hold or transmit PHI via paper, electronic, and/or oral means, they must keep it both private and secure. In addition, they need to allow unimpeded flow of health information between care providers to enable coordinated, continued care along with quality, cost-effective treatment.

What Are Covered Entities and Business Associates?

In this context, a covered entity includes healthcare providers, health plans, and healthcare clearinghouses. Business associates are any companies that work directly with a covered entity and have access to PHI.

How Do the HIPAA Privacy and Security Rules Relate to PHI?

The HIPAA Privacy Rule establishes national standards for protecting PHI in all forms. It requires covered entities to create and implement a range of policies (upwards of 40 or 50) and sets limits on how PHI can be used or disclosed with and without patient authorization. It also gives patients the right to examine and obtain a copy of their health records and request corrections, among other rights. The HIPAA Security Rule governs electronic PHI specifically, whether it is at rest or in transit. It requires any organization that interacts with personally identifiable data to establish administrative, physical, and technical safeguards, such as encryption and firewalls, to preserve information confidentiality, integrity, and security.

How Can You Tell if Something Is PHI?

One way to recognize PHI is to look for some combination of the following 18 identifiers:

1. Patient name
2. Addresses (other than town, city, state, or zip code)
3. Dates, other than year, which are directly related to an individual, including birth date, admission date, discharge date, date of death, and so on
4. Telephone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code

The last identifier is a catch-all that encompasses an unlimited number of other identifying characteristics. This leaves room for interpretation when determining whether a piece of information is PHI. Organizations should think carefully about any potential identifiers and make sure to protect information that house these, even if the identifiers fall outside the first 17 categories.

Do All 18 Identifiers Need to Be Present to Categorize the Data as PHI?

Most of the time, only one identifier must be present to consider data PHI. Exceptions are zip codes and birthdates, which require other identifiers to be present. Note that a zip code-birth date combination can be considered PHI, since there is enough information between the two data points to possibly identify an individual.

When I Receive a Request for Patient Information, Should I Send the Patient’s Entire Medical Record?

HIPAA strongly encourages covered entities and business associates to make reasonable efforts to use the minimum amount of PHI necessary. For example, an organization may not use, disclose, or request an entire patient medical record unless the entire medical record is specifically justified. Uses or disclosures that involve more information than necessary and that have not been authorized by the patient may qualify as privacy breaches under the Final Omnibus HIPAA privacy rules.

What are the Training Requirements Associated with PHI?

Staff should be trained on how to recognize, safeguard, and secure PHI. Best practice is that organizations offer comprehensive training to new staff during orientation and annual refresher courses to current staff. PHI-specific insights can be woven into overall HIPAA compliance training at any point. Quarterly reminders, tips offered during staff meetings, and articles in company newsletters can also be helpful to ensure staff retain information and apply it to their daily work. Online trainings that staff can access at their convenience can be especially beneficial as these offerings often document training and highlight areas where further instruction is needed.

Learn more on how Stericycle can help you and your staff navigate the nuances of PHI, and help keep your organization secure.