Any individually identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity is considered PHI under HIPAA.
A HIPAA-covered entity is a healthcare provider, a health plan or health insurance firm, or a healthcare clearinghouse, or a business associate of a HIPAA-covered entity, in relation to the provision of healthcare or payment for healthcare services.
It is not only past and current health information that is considered PHI under the HIPAA Regulations, but also future information about medical conditions or physical and mental health associated with the provision of care or payment for treatment. PHI is health information in any shape or form, including physical records, electronic records, and spoken information.
PHI therefore includes health records, health histories, lab test results, and medical bills. Essentially, all health information is considered PHI when it carries individual identifiers. Demographic information is also treated as PHI under the HIPAA Rules, as are many common identifiers such as patient names, Social Security numbers, driver's license numbers, insurance details, and dates of birth, when they are connected with health information.
The 18 identifiers that make health information PHI include:
The presence of one or more of these identifiers turns health information into PHI, and the restrictions of the HIPAA Privacy Rule, which control uses and disclosures of the information, then apply. HIPAA-covered entities and their business associates must also ensure that appropriate technical, physical, and administrative safeguards are in place to protect the confidentiality, integrity, and availability of PHI, as stipulated in the HIPAA Security Rule.
When is PHI not Considered PHI?
A common mistake is to assume that all health information is PHI under HIPAA; there are several exceptions.
First, it depends on who captures the information. A good example is health trackers, such as physical devices worn on the body or apps on mobile phones. These devices can record health information such as heart rate or blood pressure, which would be PHI under the HIPAA Rules if the information were captured by a healthcare provider or used by a health plan.
However, HIPAA only governs HIPAA-covered entities and their business associates, so if the device manufacturer or app developer has not been engaged by a HIPAA-covered entity and is not a business associate, the information recorded is not PHI under HIPAA.
The same applies to education and employment records. A hospital may hold data on its employees that includes some health information, for example allergies or blood type, but HIPAA does not apply to employment records or education records.
Under HIPAA, PHI stops being PHI if all identifiers that could tie the information to an individual are removed. Once those identifiers have been removed, the health information is treated as de-identified, and the HIPAA Rules no longer govern it.
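The de-identification step described above, removing every identifier that ties a record to a person and then checking that none remain, is illustrated by the following added example. It is not code from the original article or from any HIPAA guidance document. The field names, the regular-expression patterns, and the sample record are constructed for the example; the identifier fields cover only the identifiers this article names (name, Social Security number, driver's license number, insurance details, date of birth) plus two assumed contact fields, and are not the complete list of HIPAA identifiers.

```python
"""De-identify a health record and verify that no identifiers remain.

Added example, not from the original article. Field names and patterns are
assumptions constructed for illustration, not the full HIPAA identifier list.
"""
import re
from typing import Any

# Assumed structured fields that hold direct identifiers (constructed).
IDENTIFIER_FIELDS = {
    "patient_name",
    "ssn",
    "drivers_license",
    "insurance_member_id",
    "date_of_birth",
    "email",      # assumed contact field
    "phone",      # assumed contact field
}

# Constructed patterns for identifier-looking values that hide in free text.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}

REDACTION = "[REDACTED]"


def redact_free_text(value: str) -> str:
    """Replace every identifier-looking substring with a redaction marker."""
    for pattern in FREE_TEXT_PATTERNS.values():
        value = pattern.sub(REDACTION, value)
    return value


def deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the record with identifier fields dropped and
    identifier-looking values scrubbed from remaining free-text fields."""
    clean: dict[str, Any] = {}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            continue  # drop the whole field; health data without it is kept
        clean[key] = redact_free_text(value) if isinstance(value, str) else value
    return clean


def residual_identifiers(record: dict[str, Any]) -> list[str]:
    """List fields that still look like identifiers: a known identifier field,
    or a free-text value matching one of the identifier patterns."""
    findings: list[str] = []
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            findings.append(f"{key}: identifier field present")
            continue
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    findings.append(f"{key}: free text contains {label}-like value")
    return findings


def is_deidentified(record: dict[str, Any]) -> bool:
    """True when no identifier field or identifier-looking free text remains."""
    return not residual_identifiers(record)


# Constructed sample record; values are made up for this example.
SAMPLE_RECORD = {
    "patient_name": "Jane Example",
    "ssn": "123-45-6789",
    "date_of_birth": "04/12/1980",
    "insurance_member_id": "INS-0001",
    "diagnosis": "Type 2 diabetes",
    "lab_result_hba1c": 7.4,
    "clinician_note": "Patient confirmed SSN 123-45-6789 at intake.",
}

if __name__ == "__main__":
    print("before:", residual_identifiers(SAMPLE_RECORD))
    cleaned = deidentify(SAMPLE_RECORD)
    print("after :", cleaned, is_deidentified(cleaned))
```

The second check matters in practice: dropping the structured identifier columns is not enough when a clinician's note repeats the Social Security number, so the free-text scan catches what a column-based strip misses. The health values (diagnosis, lab result) are kept, which is the point of de-identification: the record remains useful while no longer being tied to a person.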