What is PHI?
Protected health information (PHI), sometimes referred to as personal health information, is data related to a person’s past, present, or future physical or mental health or condition, as well as genetic information. It also includes the provision or payment for health care created or received by a health care provider, health plan, employer, or health care clearinghouse (i.e., a covered entity).
| Key terms for protected health information |
| Covered entity—a health plan, healthcare clearinghouse, or healthcare provider |
| Business associate—an entity (e.g., an organization or a person) that provides services on behalf of a covered entity |
| Data subject—any person (i.e., patient) who can be identified, directly or indirectly, via protected health information |
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is the primary law that directs the handling and enforces the safeguarding of protected health information, including all use, access, and disclosure. HIPAA rules cover any PHI collected, transmitted, maintained, or stored in any form or medium (i.e., electronic, oral, or paper) by a covered entity or its business associates.
HIPAA rules for protected health information state that patients must be given a Notice of Privacy Practices (NPP) upon intake. The NPP must be written in a clear manner so that patients can easily understand their rights related to PHI. An NPP also explains what a covered entity may or may not do with protected health information.
Patient rights related to PHI include:
- Requesting access to medical records
Patients have the right to request their medical records using an authorization form. - Requesting amendments to medical records
Patients have the right to request an amendment of their PHI when they believe there has been an error on their record. - Requesting special privacy protection for PHI
Patients have the right to restrict the disclosure of PHI. - Parental access to a minor’s medical records
In most cases, a parent or legal guardian can access a minor’s medical records. Situations in which parents cannot access a minor’s PHI include:- The minor consents to care where parental consent is not required.
- A court decides that a minor must receive care.
- A parent agrees that the minor and covered entity have a confidential relationship.
HIPAA also specifically addresses how protected health information can be utilized for research purposes. According to HIPAA, PHI may be used for research in these ways:
- For preparatory to research purposes
- For research on decedent data
- If the data is fully deidentified
- With a HIPAA authorization signed by the participant or their legal representative
- With a limited data set and a data use agreement
- With a waiver of authorization from an Institutional Review Board or IRB (i.e., a board, committee, or other group formally designated by an institution to review research involving humans as subjects)
It is worth noting that HIPAA rules do not apply when this data is maintained in education records covered by the Family Educational Rights and Privacy Act (FERPA) and employment records held by a covered entity in its role as an employer.
What are designated record sets and HIPAA identifiers?
According to HIPAA, a designated record set is a group of records maintained by or for a covered entity that is broader than a legal health record. A designated record set is broader than a legal health record, because it contains all protected health information and business information unrelated to patient care.
Examples of protected health information included in designated record sets are:
- Billing and payment records
- Clinical case notes
- Clinical laboratory test results
- Decisions about patients
- Enrollment, payment, claims adjudication, and case or medical management record systems
- Information used in whole or in part to make care-related decisions
- Insurance information
- Medical images (e.g., MRIs and X-rays)
- Medical records
- Wellness and disease management program files
- Wellness and disease management program information
Patient access rights related to protected health information in designated record sets include the right to access, amend, or inspect PHI in a designated record set, as well as the right to receive a copy of a designated record set in paper or electronic format.
Additional access rights and limitations relating to protected health information in designated record sets include the following.
- A covered entity is only required to provide access to the PHI to which the individual requests access.
- A patient does not have a right to access the psychotherapy notes that a mental health professional maintains separately from the individual’s medical record.
- A patient does not have the right to access covered entities’ information that is not used to make decisions about individuals (e.g., quality assessment or improvement records, patient safety activity records, or business planning, development, and management records).
- Individuals do not have a right to access information compiled in reasonable anticipation of, or for use in, a legal proceeding, but do have the right to access the underlying PHI.
- Prescription drug information that a patient has the right to access includes the names of prescription drugs prescribed for them and claims records related to payment for those drugs.
- The patient can access information that was relied on in, or helped inform, the development of the prescription drugs or drug regimen.
- When responding to a request for PHI, a covered entity is not required to create new information, such as explanatory materials or analyses, that does not already exist in the designated record set.
What is included in protected health information?
HIPAA spells out 18 identifiers that comprise protected health information.
- Patient names
When used alongside information such as the patient’s mental or physical health treatment or diagnosis, patient names must be secured during transmission and storage as this is PHI. - Geographical elements
Geographical information more granular than a state is PHI. This includes street address, city, county, precinct, zip code, and equivalent geocodes. - Dates related to the health or identity of individuals
PHI includes all elements of dates (except year) directly related to a patient, including birth date, admission date, discharge date, and date of death. - Telephone numbers
- Fax numbers
- Email addresses
- Social Security Numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
Any account number used for medical payments, such as bank account numbers or credit cards, is PHI. - Certificate / license numbers
Certificate or license numbers that are used to confirm an individual’s professional qualifications, credentials, or legal permissions are PHI. - Vehicle identifiers
Vehicle information is PHI. This includes vehicle identification numbers (VIN), license plate numbers, makes and models, and colors. - Device attributes or serial numbers
Device attributes or serial numbers are identifiers tied to electronic devices like smartphones, tablets, or medical devices. These are often interacted with by healthcare providers during the delivery of healthcare services. - Digital identifiers, including some Universal Resource Locators (URLs)
URLs used for patient care, such as appointment scheduling and medical records, are PHI. - Internet Protocol (IP) address numbers
Any IP address information tied to a patient is PHI. - Biometric elements, including finger, retinal, and voiceprints
Biometric information data recorded from a patient is PHI. - Photographs of a patient’s face
Any image that captures an individual’s facial features is PHI. - Other identifying numbers or codes
According to HIPAA, any identifying numbers or codes that can be used to identify an individual are PHI.
Protected health information FAQ
Frequently asked questions related to protected health information include the following.
What is the HIPAA privacy rule?
The HIPAA Privacy Rule details how covered entities and their business associates can use and share protected health information. The HIPAA Privacy Rule applies to health plans, healthcare clearinghouses, and healthcare providers who transmit PHI in any form. The U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) are responsible for enforcing the HIPAA Privacy Rule with respect to compliance activities and civil money penalties.
What information is not considered PHI?
Examples of information that is not considered to be PHI include:
- Aggregated, non-individual data (e.g., individual data averaged by geographic area, by year, by service agency, or other ways)
- Health data created, received, maintained, or transmitted by an entity not subject to the HIPAA Privacy Rules, such as health information relating to students, is covered by the Family Educational Rights and Privacy Act (FERPA)
- Health information that is part of an employee´s employment record
- Health information without the 18 identifiers (e.g., a data set of vital signs by themselves)
- Results from testing conducted without any PHI identifiers (e.g., basic genetic research, such as the search for potential genetic markers, promoter control elements, and other exploratory genetic research)
How can organizations maintain compliance when it comes to protected health information?
The best way to stay compliant when it comes to PHI is to understand the five rules:
- Privacy rule
- Transactions and code sets rule
- Security rule
- Unique identifiers rule
- Enforcement rule
Recommended best practices for meeting the protected health information requirements set forth in these rules include:
Adopt cyber defense systems, including:
- Antivirus software to detect malware
- Auditing solutions to monitor for access and use of PHI
- Automated patch management to keep software up to date and eliminate vulnerabilities
- Capability to remotely delete data stored on laptops and mobile devices in the event of loss or theft
- Data encryption on all workstations, mobile devices, and storage
- Encryption to protect data in transit
- Firewalls to prevent unauthorized access to networks and data
- An intrusion detection system / intrusion prevention system (IPS / IDS) to detect and stop suspicious network activity
- Spam filters to detect and block malicious emails
- Web filters to prevent staff from visiting malicious websites
- Backups to ensure PHI is recoverable in the event of an incident
- Audits of business associates’ security controls and risk standing
- Policies for administrative, physical, and technical safeguards
- Policies for disposition of paper files properly (e.g., shred any documents that include PHI)
- Policies that prevent posting of anything that could be construed as PHI on social media
- Procedures to grant access to PHI based on the basis of least privilege
- Password management best practices
- Keeping protected health information out of public view (e.g., keep patient files closed except in private spaces)
- Keeping staff educated and continually informed by conducting regular training
- Maintaining possession of mobile devices that hold PHI
- Requiring all systems to have automatic logouts
- Using document management to restrict the sharing of PHI
What is ePHI?
ePHI is electronic protected health information, essentially digitized protected health information. Covered entities and their business associates are subject to HIPAA PHI safeguard rules when ePHI is created, processed, stored, transmitted, or received in any electronic format or media, such as:
- Computers or laptops with internal hard drives used at work, home, or while traveling
- External portable hard drives
- File transfers
- Flash drives
- Magnetic tape
- Smartphones
- Text messages
- Removable storage devices, including USB (universal serial bus) drives, CDs (compact discs), DVDs (digital versatile discs), and SD (secure digital) cards
The 18 identifiers for protected health information apply to ePHI; additionally, HIPAA sets standards for the storage and transmission of ePHI.
Covered entities and business associates must comply with the HIPAA Security Rule, which mandates standards for the confidentiality, integrity, and availability (CIA triad) of ePHI.
- Confidentiality—Systems must be in place to ensure that unauthorized users cannot access ePHI.
- Integrity—ePHI must be protected to ensure that no unauthorized changes are made to it and record all changes that are made.
- Availability— Patients must be able to access their ePHI according to the rules set forth by HIPAA.
What is the difference between protected health information and consumer health information?
Protected health information is unequivocally covered by the safeguards set forth in HIPAA. Consumer health information (CHI) can be covered by HIPAA as PHI, but these rights can be ceded by data subjects per CHI’s terms of service. Commonly, organizations that collect CHI (e.g., providers of wearable devices and apps, genetic test companies) have terms of service that explicitly state that they have the right to use, share, and sell CHI.
PHI safeguards facilitate compliance and reputation
The stringent penalties for failing to safeguard protected health information properly compel most organizations to make it a priority. Added to the compliance risks are the fallout and reputational damage that accompany a breach involving PHI. Prioritizing PHI safeguards is not usually a question, but an imperative.
