PHI stands for Protected Health Information, something that is often referred to in the Health Insurance Portability and Accountability Act (HIPAA) and similar legislation including the Health Information Technology for Economic and Clinical Health Act (HITECH).
PHI includes any data linked to or regarding a patient, a patient’s healthcare or the payment for that healthcare that is created, received, stored, or sent by HIPAA-covered groups.
A HIPAA-covered group normally includes healthcare providers, health plans, clearinghouses and all business associates or third-party service providers who have can view or download Protected Health Information. Measures must be put in place by these groups to protect against the unauthorized disclosure, changes or destroying Protected Health Information as is mentioned in the HIPAA Privacy Rule.
PHI was defined by the Department of Health & Human Services’ Office for Civil Rights (OCR) as any Personal Identifying Information that – individually or linked up – could be used to identify a specific person, their past, present or future healthcare, or way that they paid. PHI is not information recorded in education records and neither information that is managed by healthcare organizations in their role as an employer.
There are 18 different unique identifiers regarded as PHI:
- Geographic data
- Any elements of dates
- Telephone contact information
- FAX data
- Email contact
- Social Security data
- Medical records
- Health plan beneficiary numbers
- Account numbers
- Vehicle identifiers and serial numbers including license plates
- All device identifiers and serials
- Web site addresses
- IP details
- Biometric identifiers (i.e. retinal scan, fingerprints)
- Complete face photos and similar images
- Any unique identifying digits, characteristic or code
PHI is no longer PHI when all eighteen unique identifiers are removed for marketing or research reasons. However, the data is still considered “protected” under the 1981 Common Rule – an Act of Congress that states the baseline standard of ethics under which any government-funded research in the US is maintained. Almost every U.S. academic institutions hold their experts to this standard of ethics regardless of funding.
PHI vs ePHI
ePHI refers electronic Protected Health Information and related to any PHI that is created, received, saved, or shared electronically by HIPAA-covered groups. Due to the simplicity with which electronically-stored data can be viewed and shared, ePHI is subject to the HIPAA Security Rule along with the HIPAA Privacy Rule. It is also subject to the HITECH ACT when a healthcare group takes part in the Meaningful Use program.
The Security Rule largely is made up of physical, technical and administrative security measures to stop unauthorized access and disclosure of ePHI. These security measures should be carefully reviewed by HIPAA-covered entities, as the penalties for a breach of the HIPAA Security Rule can be major – in some instance even when there has been no authorized access to – or sharing of – PHI.
In Medical Terms, what is PHI ?
In HIPAA, PHI refers for protected health information, but PHI commonly is used to refer to patient health information or personal health information. This is all health information that is included in a medical record that refers to an individual that has been created, received, used, or is managed by a HIPAA-covered entity for the purposes of providing healthcare services or payment for healthcare services.
PHI may also refer to:
- Private health insurance
- Permanent health insurance#
- Public health informatics
- Public health institute
- Phosphoexose Isomerase.