What Information is Protected by HIPAA?

PHI is protected by HIPAA. PHI is any health information that can be linked to a person; under HIPAA this means health information that contains one or more of the 18 identifiers listed on this page.

PHI only refers to information on patients or health plan subscribers. It does not include information held in education and employment records, which covers health information held by a HIPAA-covered entity in its role as an employer.

PHI is only considered PHI when an individual could be identified from the information. If all identifiers are stripped from health data, it ceases to be protected health information and the HIPAA Privacy Rule’s restrictions on uses and disclosures no longer apply.

If all 18 identifiers are removed, the information is no longer considered PHI.

The 18 identifiers are listed in full below, under "Individually Identifiable Health Information Defined".

How Must HIPAA Protected Health Information be Safeguarded?

The HIPAA Security Rule states that all HIPAA-covered entities must protect against reasonably anticipated threats to the security of PHI. Covered entities must implement safeguards to ensure the confidentiality, integrity, and availability of PHI, although HIPAA is not technology specific and the precise safeguards that should be put in place are left to the discretion of the covered entity.

HIPAA requires physical, technical, and administrative safeguards to be implemented. Technologies such as encryption software and firewalls fall under the technical safeguards. Physical safeguards for PHI include keeping physical records and electronic devices containing PHI under lock and key. Administrative safeguards include setting access controls to limit who can view PHI and conducting security awareness training.

Why Must PHI Be Protected?

If you work in healthcare, or are proposing to do business with healthcare clients and need access to health data, you are required to comply with HIPAA law. The HIPAA Security Rule demands that safeguards be implemented to ensure the confidentiality, integrity, and availability of PHI, while the HIPAA Privacy Rule places limits on the uses and sharing of PHI.

If you breach any part of the HIPAA Privacy and Security Rules you could be financially penalized. Criminal penalties are even possible for HIPAA violations. Saying you were unaware of HIPAA law is not a valid defense.


What Does PHI Stand For?

PHI stands for Protected Health Information, something that is often referred to in the Health Insurance Portability and Accountability Act (HIPAA) and similar legislation including the Health Information Technology for Economic and Clinical Health Act (HITECH).

PHI includes any data linked to or regarding a patient, a patient’s healthcare or the payment for that healthcare that is created, received, stored, or sent by HIPAA-covered groups.

A HIPAA-covered group normally includes healthcare providers, health plans, clearinghouses and all business associates or third-party service providers who can view or download Protected Health Information. These groups must put measures in place to protect against the unauthorized disclosure, alteration or destruction of Protected Health Information, as required by the HIPAA Privacy Rule.

PHI was defined by the Department of Health & Human Services’ Office for Civil Rights (OCR) as any Personal Identifying Information that, individually or in combination, could be used to identify a specific person, their past, present or future healthcare, or the way that they paid for it. PHI does not include information recorded in education records, nor information that is managed by healthcare organizations in their role as an employer.

There are 18 different unique identifiers regarded as PHI:

  • Names
  • Geographic data
  • Any elements of dates
  • Telephone contact information
  • FAX data
  • Email contact
  • Social Security data
  • Medical records
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/licenses
  • Vehicle identifiers and serial numbers including license plates
  • All device identifiers and serials
  • Web site addresses
  • IP details
  • Biometric identifiers (e.g. retinal scan, fingerprints)
  • Complete face photos and similar images
  • Any unique identifying digits, characteristic or code

PHI is no longer PHI when all eighteen unique identifiers are removed for marketing or research reasons. However, the data is still considered “protected” under the 1981 Common Rule, an Act of Congress that sets the baseline standard of ethics under which all government-funded research in the US is conducted. Almost all U.S. academic institutions hold their researchers to this standard of ethics regardless of funding.

PHI vs ePHI

ePHI refers to electronic Protected Health Information and covers any PHI that is created, received, stored, or shared electronically by HIPAA-covered groups. Because electronically stored data can be viewed and shared so easily, ePHI is subject to the HIPAA Security Rule as well as the HIPAA Privacy Rule. It is also subject to the HITECH Act when a healthcare group takes part in the Meaningful Use program.

The Security Rule largely consists of physical, technical and administrative safeguards to prevent unauthorized access to and disclosure of ePHI. These safeguards should be carefully reviewed by HIPAA-covered entities, as the penalties for a breach of the HIPAA Security Rule can be major, in some instances even when there has been no unauthorized access to, or sharing of, PHI.

In Medical Terms, what is PHI ?

In HIPAA, PHI stands for protected health information, but PHI is also commonly used to refer to patient health information or personal health information. This is all health information contained in a medical record that refers to an individual and that has been created, received, used, or is managed by a HIPAA-covered entity for the purposes of providing healthcare services or payment for healthcare services.

PHI may also refer to:

  • Private health insurance
  • Permanent health insurance
  • Public health informatics
  • Public health institute
  • Phosphohexose isomerase

HIPAA Compliant Email Providers

HIPAA-covered entities must make sure protected health information (PHI) shared via email is secured to stop unauthorized individuals from intercepting messages, and many opt to use HIPAA compliant email providers to ensure appropriate security measures are in place to ensure the confidentiality, integrity, and availability of PHI.

There are a large number of HIPAA compliant email providers to opt for that can supply end-to-end encryption for messages. Some of the solutions need software to be hosted on your own infrastructure; others take care of all facets. Switching email provider does not necessarily mean you have to alter your email addresses. Many services allow you to keep your current email addresses and send messages as you usually would from your desktop.

All HIPAA compliant email providers must make sure their solution incorporates all of the safeguards required under the HIPAA Security Rule. The solutions must have access controls (45 CFR 164.312(a)(1)), audit controls (164.312(b)), integrity controls (164.312(c)(1)) and person or entity authentication (164.312(d)), and PHI must be secured in transit (164.312(e)(1)).

Once an email service provider incorporates all of those controls, the service can be thought of as HIPAA-compliant. However, it is also required that an email service provider complete a contract with a HIPAA-covered entity in the form of a business associate agreement. Only then can the email service be implemented.

HIPAA-covered entities should remember that HIPAA-compliant email is not solely the responsibility of the service provider. The service provider must only ensure proper safeguards are incorporated. It is the responsibility of the covered entity to make sure the solution is configured correctly, that staff are trained in the use of email, and that they are made aware of the allowable uses and disclosures of PHI.

An email service alone will not ensure compliance with all HIPAA requirements for email. Staff should also receive training on security awareness and be made familiar with the threats that can land in inboxes. Technologies should also be implemented to cut the risk of email-based attacks such as phishing. Some email service suppliers, but not all, review inbound messages and prevent spam, malware and phishing emails.

Is Encryption for Email Required under HIPAA?

While HIPAA compliant email providers encrypt all emails in transit, encryption is not an outright requirement under HIPAA. The HIPAA Security Rule only requires covered entities to assess the need for encryption. A HIPAA-covered entity does not need to encrypt emails if a different, equivalent control is used in its place.

One such measure is the use of a secure email server located behind a firewall. In such cases, once a risk assessment has been conducted and the reasons for not encrypting emails have been documented, encryption would not be necessary for internal emails. Encryption would also not be required when sending emails to patients who have authorized a covered entity to communicate with them by email.

However, since most healthcare outfits must submit payment claims via email, contact other healthcare organizations and refer patients, it is necessary to send emails outside the security of the firewall. In such cases, encryption is required.

There are considerable dangers involved in sending sensitive information via email. Email is not an inherently safe way of sending data. An email is created on one machine, passed to an outbound email server, traverses the Internet and arrives at the recipient’s email server before being delivered to the recipient’s device. Copies of an email can therefore exist on at least four separate machines, and messages can be intercepted in transit with little difficulty.

The Department of Health and Human Services has already sanctioned fines to covered entities that have implemented email services that are not HIPAA compliant. Phoenix Cardiac Surgery paid a $100,000 penalty for using insecure Internet-based email.

HIPAA Compliant Email Providers

Our list of HIPAA compliant email providers has been put together to save you time in your search for a suitable email service provider. The list is not exhaustive: there are many other service providers that offer email services for healthcare organizations that meet the requirements of HIPAA. However, the list below is a good place to begin.

All of these providers provide a HIPAA-compliant email service and are willing to complete a business associate agreement.

What is GDPR Special Category Data?

Under GDPR, firms have responsibility in relation to the personal data of data subjects, but there is also a different category of data that is dealt with differently – GDPR special category data.

What is GDPR special category data, and how do the rules differ for managing that data?

GDPR Special Category Data

GDPR special category data is personal data of data subjects that is very sensitive, the exposure of which could significantly affect the rights and freedoms of data subjects and potentially be used against them for illegal discrimination.

GDPR special category data includes the following data:

  • Race and ethnicity
  • Religious or philosophical background
  • Political beliefs
  • Trade union subscriptions
  • Biometric data used to identify a person
  • Genetic info
  • Health history
  • Data linked to sexual preferences, sex life, and/or sexual orientation

Because these data elements are so sensitive, a firm must have a legitimate and legal reason for gathering, storing, transmitting, or processing these data. Firms are forbidden from gathering or processing these data unless:

  • Explicit authorization has been given from the data subject; or,
  • Processing is required in order to carry out obligations and exercise specific rights of the data controller for reasons related to employment, social security, and social protection; or,
  • Processing is necessary to safeguard the vital interests of data subjects where individuals are physically or legally incapable of providing consent; or,
  • Processing is required for the establishment, exercise, or defence of legal claims, for reasons of substantial public interest, or reasons of public interest in the area of public health; or,
  • For reasons of preventive or occupational medicine; or,
  • Processing is required for archiving purposes in the public interest, scientific, historical research, or statistical reasons; or,
  • Processing is linked to personal data which are manifestly made public by the data subject; or,
  • Processing is completed in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing is linked solely to the members or to former members of the body or to persons who have regular contact with it in relation to its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects.

The processing of any personal data may only take place if there is a lawful basis for using the data, as set out in Article 6 of the GDPR. Any company that needs to process special category data must review the requirements laid down in Article 9 of the GDPR. Personal data relating to criminal convictions and offences is also particularly sensitive and is dealt with separately in Article 10 of the GDPR.

If special category data are gathered, stored, processed, or transmitted, data controllers must ensure that extra protections are put in place so that the information is appropriately secured.

What is Considered PHI Under HIPAA?

PHI, under HIPAA, is any identifiable health information that is used, maintained, managed, or transmitted by a HIPAA-covered outfit – such as a healthcare provider, health plan or health insurer, or a healthcare clearinghouse or a business associate of a HIPAA-covered entity – with regard to the provision of healthcare or financial payment for healthcare treatment or services.

It is not only past and existing health information that is labelled PHI under HIPAA Rules, but also future information about medical conditions or physical and mental health linked to the provision of care or payment for treatment. PHI is health information in any guise, including physical records, electronic records, or oral information.

Therefore, PHI includes health records, health histories, lab test results, and medical invoices. Essentially, all health information is considered PHI when it includes individual identifiers. Demographic information is also considered PHI under the HIPAA Rules, as are many common identifiers such as patient names, Social Security numbers, driver’s license numbers, insurance details, and birthdays, when they are combined with health information.

The 18 identifiers that make health information PHI are listed in full below, under "Individually Identifiable Health Information Defined".

When is PHI not PHI?

There is a common misconception that all health information is considered PHI under HIPAA, but there are some exceptions to this.

First, it depends who takes a record of the information. A good example would be healthcare trackers – either physical devices worn on the body or apps on mobile devices. These devices can record health information like heart rate or blood pressure, which would be thought of as PHI under HIPAA Rules if the information was saved by a healthcare provider or was used by a healthcare plan.

However, HIPAA only applies to HIPAA-covered entities and their business associates, so if the device manufacturer or app developer has not been engaged by a HIPAA-covered entity and is not a business associate, the information recorded would not be considered PHI under HIPAA.

The same applies to education and employment records. A hospital may maintain data on its employees, which can include some health information, allergies or blood type for example, but HIPAA does not apply to employment records, nor to education records.

Under HIPAA, PHI ceases to be PHI once all identifiers that could tie the information to an individual have been removed. Health information from which the above-listed identifiers have been removed is considered de-identified PHI, and the HIPAA Rules no longer apply to it.

HIPAA Compliant Texting

HIPAA does not outright forbid sending PHI by text, but – in order for texting to be HIPAA compliant texting – security measures must be in place to ensure the confidentiality of PHI when it is at rest and on the move. There also has to be a strategy in place to manage who can access PHI, and what authorized personnel do with PHI when they access it.

Why It Is Safer to Forbid Texting PHI

There are many reasons why it is more secure for Covered Entities to prohibit texting PHI rather than permit it. These include, but are not restricted to, the lack of access controls, the lack of audit controls, and the lack of encryption, which, although an “addressable” requirement of the HIPAA Security Rule, is about the only practical way to ensure the security of PHI in transit.

Reviewing these reasons in more depth, with regards to access controls, anybody can pick up an unattended mobile device and read the messages it contains. Additionally, mobile devices can be lost or stolen – which not only potentially exposes PHI to unauthorized access, but the data in the messages can be used to commit insurance fraud or identity theft.

This is why the HIPAA regulations for text messaging, or any other form of electronic communication, state that audit controls are necessary to record when PHI is created, modified, accessed, shared, or deleted. It is simply not possible to implement audit trails for standard SMS text messaging, because no technology exists that can audit every possible operating system.

Even if there was a way to get around the HIPAA texting rules for access controls and audit controls, that would not make text messaging HIPAA compliant. There also has to be a way to stop the interception of plain text messages – or extraction of plain text messages from carriers’ servers – which is why the encryption of PHI in transit is strongly advised.

When Is Text Messaging HIPAA Compliant?

As mentioned above, there are circumstances in which SMS text messaging can be HIPAA compliant, and the most common concerns texting patients. Texting patient information to patients is permitted by HIPAA provided the Covered Entity has warned the patient that a risk of unauthorized disclosure exists and has obtained the patient’s permission to communicate by text. Both the warning and the consent must be recorded.

Other instances in which text messaging is HIPAA compliant include employers who supply onsite clinics as an employee health benefit, who provide self-insured health plans for employees, or who act as an intermediary between workers, healthcare providers, and health plans.

It can also be the case that the U.S. Department of Health and Human Services waives the HIPAA rules for text messaging after a natural disaster such as an earthquake or hurricane. In these instances some, but not all, of the rules relating to texting patient data may be waived, and the waiver may be for a fixed time period only, or apply only to Covered Entities of a certain type (e.g. healthcare providers) within a geographical area. Waivers are never comprehensive.

One final instance in which text messaging is HIPAA compliant is when the Covered Entity has put in place a solution such as a HIPAA compliant messaging app that has the necessary controls and encryption to support HIPAA compliant texting. Even when these apps are deployed, it is still necessary to adhere to the Minimum Necessary Standard and the physical, technical, and administrative safeguards of the HIPAA Security Rule.

HIPAA Compliant Text Messaging Apps

HIPAA compliant text messaging apps have become the go-to way of resolving the question “is text messaging HIPAA compliant?” The messaging apps work in much the same manner as commercial apps such as WhatsApp, Facebook Messenger, and Skype, so users are familiar with how they operate, but they operate within a secure, encrypted network with access controls and audit controls to meet the requirements of the HIPAA Security Rule.

The most recent generation of HIPAA compliant text messaging apps do more than support HIPAA compliant texting. They allow HIPAA compliant voice and video calls, allow groups to work together remotely in a secure environment, and facilitate the sharing of files and images with other authorized users. When integrated with EMR systems, patient information can be sent straight from the text messaging app to the EMR system – saving users important time.

In relation to the security and integrity of PHI, all communications are stored on a private cloud and logically separated from other data. Via user-friendly admin control panels, Covered Entities can apply granular role-based permissions and enforce messaging policies. The platforms can also be used to remotely erase messages if a mobile device is lost or stolen, to PIN-lock apps installed on mobile devices, and to extract audit reports.

Indeed, the advanced reporting capabilities of the most recent generation of secure messaging systems can supply valuable insights for Covered Entities. The systems often include strong analytics packages that give Covered Entities insight into how different teams are communicating with each other and with other departments. These insights permit Covered Entities to make data-driven decisions to further optimize HIPAA compliant communication policies.

Why is HIPAA Important to Patients?

The Health Insurance Portability and Accountability Act (HIPAA) is a landmark piece of legislation and its significance should not be lost on people.

It introduced major changes that benefited the healthcare industry and patients when it was enacted in 1996. Its initial aim was to address one particular issue: insurance coverage for individuals who are between jobs. Prior to HIPAA being enacted, employees faced a loss of insurance coverage when they were between jobs.

Another goal of HIPAA was to attempt to eliminate healthcare fraud and ensure that all ‘protected health information’ was appropriately secured and to limit access to health data to authorized persons.

HIPAA brought in numerous advantages for the healthcare industry to help with the move from paper records to electronic copies of health information. HIPAA has helped to simplify administrative healthcare functions, improve efficiency in the healthcare industry, and ensure protected health information is shared safely.

The standards for capturing healthcare data and electronic transactions ensure everyone is using a similar approach to compliance. Since all HIPAA-covered entities must use the same code sets and nationally recognized identifiers, this helps greatly with the transfer of electronic health information between healthcare providers, health plans, and other groups.

It could be said that the greatest benefits of HIPAA are for patients. HIPAA is important because it means that healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities have to use multiple safeguards to protect sensitive personal and health information.

While no healthcare group wishes to expose sensitive data or have health information stolen, without HIPAA there would be no obligation on healthcare organizations to safeguard data – and no repercussions if they did not do so.

HIPAA put in place rules that require healthcare groups to control who has access to health data, limiting who can view health information and who that information can be sent to. HIPAA helps to ensure that any information shared with healthcare providers and health plans, or information that is created, sent or stored by them, is subject to strict security controls. Patients are also given control over who their information is disclosed to and who it is shared with.

HIPAA is vital for patients who want to take a more active role in their healthcare and want to download and review copies of their health information. Even with great care, healthcare bodies can make errors when recording health information. If patients are able to obtain copies, they can check for errors and ensure mistakes are addressed.

Obtaining copies of health information also means that patients can pass on information when they seek treatment from new healthcare providers. As a result, tests do not need to be repeated and new healthcare providers have the entire health history of a patient to inform their decisions. Before the introduction of the HIPAA Privacy Rule, there was no obligation on healthcare organizations to share copies of patients’ health information.

What is Protected Health Information?

Protected health information is the term for any health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates in the course of providing healthcare, carrying out healthcare operations, or handling payment for healthcare services. The term is often abbreviated to PHI, or in the case of electronic health information, ePHI.

Defining HIPAA Protected Health Information

Protected health information is defined as anything that “relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual” which is:

  • Shared through electronic media;
  • Stored using electronic media; or
  • Shared or stored in any other form or medium.

Protected health information is made up of all individually identifiable health information such as demographic data, medical histories, test results, insurance information and other details used to identify a patient or supply healthcare services or healthcare coverage. ‘Protected’ means the information is safeguarded under the HIPAA Privacy Rule.

The Code of Federal Regulations defines protected health information and is applicable to health records. It is not applicable to education records, which are covered by other federal regulations, or records held by a HIPAA-covered entity related to its role as an employer. In the case of an employee-patient, protected health information does not include details stored regarding the employee by a covered entity in its role as an employer, only in its role as a healthcare supplier.

PHI does not incorporate individually identifiable health information of persons who have died more than 50 years ago.

Individually Identifiable Health Information Defined

When individually identifiable health information is used by a HIPAA-covered entity or business associate in relation to healthcare services or payment, it is classified as protected health information.

Eighteen identifiers have been defined that can be used to identify, contact, or locate a person. If health information is used with any of these identifiers it is considered identifiable. If all of these identifiers are removed from PHI, it is no longer considered protected health information (see de-identification of protected health information).

  1. Names (either full or last name and initial)
  2. All geographic subdivisions smaller than a state, except for the initial three digits of a ZIP code if, according to the current publicly available data from the U.S. Bureau of the Census: (a) the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and (b) the initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people are changed to 000
  3. Dates (apart from year) directly related to a person
  4. Contact Phone Numbers
  5. Contact Fax numbers
  6. Contact Email addresses
  7. Specific Social Security numbers
  8. Details of Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account details
  11. Certificate/license numbers
  12. Vehicle identifiers (including serial numbers and license plate numbers)
  13. Device identifiers and serial numbers
  14. Web Uniform Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers such as finger, retinal and voice prints
  17. Full face photographic images and any similar pictures
  18. Any other unique identifying number, characteristic, or code, except the unique code assigned by the investigator to code the data
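The list above is the "Safe Harbor" checklist that the earlier sections ("If all 18 identifiers are removed..." and "When is PHI not PHI?") refer to. As an added example, not code from this page or from any HIPAA guidance, the following Python script applies that checklist to a single constructed patient record: it drops the direct identifiers (items 1 and 4 to 18), truncates the ZIP code to three digits and replaces it with 000 when the prefix covers 20,000 or fewer people (item 2), reduces dates to the year (item 3), and then scans any remaining free-text fields for identifier patterns that the field-level rules cannot see. The field names, the sample record, and the set of small-population ZIP prefixes are all constructed for illustration; the real prefix list must come from U.S. Census Bureau data.

```python
"""Safe Harbor style de-identification of one patient record (illustrative)."""
import re
from datetime import date

# Constructed placeholder: 3-digit ZIP prefixes whose combined population is
# 20,000 or fewer. Illustrative only; not the official Census-derived list.
SMALL_POPULATION_ZIP3 = {"036", "059", "102", "893"}

# Field names are assumptions for this example. These fields hold direct
# identifiers (items 1 and 4-18 of the list) and are removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "face_photo", "other_unique_code",
}
# Geographic subdivisions smaller than a state (item 2) are removed; "zip"
# is handled separately. Dates directly related to the person (item 3).
GEO_FIELDS = {"street", "city", "county"}
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}


def generalize_zip(zip_code):
    """Item 2: keep the first three digits, or 000 for small-population prefixes."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return "000"
    prefix = digits[:3]
    return "000" if prefix in SMALL_POPULATION_ZIP3 else prefix


def generalize_date(value):
    """Item 3: a date keeps only its year. Accepts date objects or YYYY-MM-DD strings."""
    if isinstance(value, date):
        return str(value.year)
    m = re.match(r"^(\d{4})-(\d{2})-(\d{2})$", str(value))
    if not m:
        raise ValueError(f"unrecognised date format: {value!r}")
    return m.group(1)


def deidentify(record):
    """Return a copy of the record with the 18 identifier classes removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in GEO_FIELDS:
            continue  # removed entirely
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key] = generalize_date(value)
        else:
            out[key] = value
    return out


# Patterns that betray identifiers hiding inside free text (notes, comments).
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"\b(?:\d{3}[-.\s])?\d{3}[-.\s]\d{4}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def find_identifier_patterns(text):
    """Name the identifier patterns present in one free-text value."""
    return sorted(name for name, rx in FREE_TEXT_PATTERNS.items() if rx.search(text))


def residual_identifiers(record):
    """Second-line check: which remaining string fields still look like they carry identifiers."""
    findings = {}
    for key, value in record.items():
        if isinstance(value, str):
            hits = find_identifier_patterns(value)
            if hits:
                findings[key] = hits
    return findings


# Constructed sample record; every value here is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "dob": "1987-04-12",
    "street": "1 Example St",
    "city": "Exampleville",
    "state": "NH",
    "zip": "03601",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "diagnosis_code": "E11.9",
    "admission_date": "2023-11-02",
    "notes": "Patient called from 555-0100 to confirm appointment.",
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE_RECORD)
    print("de-identified:", clean)
    # The notes field still contains a phone number, so the record is not yet safe to release.
    print("residual identifiers:", residual_identifiers(clean))
```

The point the second check makes is that field-level stripping is only half of the Safe Harbor method: item 18 covers "any other unique identifying number, characteristic, or code", and in practice those leak through narrative text. A record whose `residual_identifiers` result is non-empty should be held back for manual review rather than released as de-identified.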

Is Google Voice HIPAA Compliant?

Google Voice is a widely-used and intuitive speech communication platform that includes voicemail, voicemail transcription to text, the functionality to share text messages free of charge, and many other useful things. It is therefore no shock that many healthcare workers would like to use the service at work, as well as for personal use.

For the service to be implemented in healthcare along with any protected health information (PHI) it must be possible to use it in a HIPAA compliant manner.

This means the service must be included in the conduit exemption rule – which was passed when the HIPAA Omnibus Final Rule became active – or it must incorporate a variety of controls and security measures to meet the requirements of the HIPAA Security Rule.

As is the case with SMS, faxing and email, Google Voice is not considered a conduit, which means that for Google Voice to be HIPAA compliant the service would have to fulfil the obligations of the HIPAA Security Rule.

There must be access and authentication controls, audit controls, integrity controls and transmission security in operation for messages transmitted through the service. Google would also need to guarantee that any data held on its servers is safeguarded to the standards required by HIPAA. HIPAA-covered bodies would also need to be given satisfactory assurances that this is the case, in the form of a HIPAA-compliant business associate agreement (BAA).

Therefore, before Google Voice could be implemented along with any protected health information, the covered body must sign a BAA with Google.

Google is keen to help healthcare groups use its services, and is happy to sign a business associate agreement for G Suite, but Google does not include its free consumer services in that agreement. Google does not recommend that companies use its free consumer services for business purposes, as they have been created with consumers’ personal use in mind.

Google Voice is a consumer service and is not part of G Suite, Google Apps, or Google Cloud and neither is it included in a BAA.

Google Voice cannot be considered HIPAA compliant, and this will remain the case until Google releases a business version of Google Voice and includes it in its business associate agreement. Until then, it should not be used by healthcare groups or healthcare workers in a professional capacity.

Implementing Google Voice with any protected health information would currently be breaking HIPAA Regulations.

HIPAA Stories

Listed here are a variety of HIPAA articles that give further information and guidance on HIPAA compliance for healthcare providers, health plans, healthcare clearinghouses, and business associates of covered entities. These articles cover updates to the HIPAA Rules, proposed amendments, and new guidance published by the Department of Health and Human Services’ Office for Civil Rights, the Centers for Medicare and Medicaid Services, the Food and Drug Administration, the Federal Trade Commission, the National Institute of Standards and Technology (NIST) and other public and private sector groups.

HIPAA Violations Stories

Our HIPAA violation news articles give more information on confirmed HIPAA violations, civil monetary penalties for HIPAA violations, and settlements reached with covered entities by the HHS’ Office for Civil Rights, state attorneys general, and other regulators. You will also find details of legal actions that have been filed in relation to HIPAA Privacy, Security and Breach Notification Rule violations.

HIPAA Breach Stories

Our HIPAA breach articles section includes reports of healthcare data breaches that have impacted greater than 500 individuals, including hacking and IT incidents, improper deletion of physical protected health information, loss and theft of devices including ePHI, unauthorized sharing of PHI and other insider and third-party mistakes that have resulted in the exposure or theft of sensitive health data.