What is Considered PHI Under HIPAA?

PHI, under HIPAA, is any individually identifiable health information that is used, maintained, managed, or transmitted by a HIPAA-covered entity (such as a healthcare provider, health plan or health insurer, or a healthcare clearinghouse) or by a business associate of a HIPAA-covered entity, in relation to the provision of healthcare or payment for healthcare treatment or services.

It is not only past and present health information that is classed as PHI under the HIPAA Rules, but also future information about medical conditions or physical and mental health that is linked to the provision of care or payment for treatment. PHI is health information in any form, including physical records, electronic records, and oral information.

Therefore, PHI includes health records, health histories, lab test results, and medical invoices. In short, all health information is PHI when it is accompanied by individual identifiers. Demographic information is also treated as PHI under the HIPAA Rules, as are many common identifiers such as patient names, Social Security numbers, driver's license numbers, insurance details, and dates of birth, when they are combined with health information.

The 18 identifiers that make health information PHI are:

When is PHI not PHI?

There is a common misconception that all health information is considered PHI under HIPAA, but there are some exceptions.

First, it depends on who records the information. A good example is health trackers, either physical devices worn on the body or apps on mobile devices. These devices can record health information such as heart rate or blood pressure, which would be treated as PHI under the HIPAA Rules if the information was stored by a healthcare provider or used by a health plan.

However, HIPAA only applies to HIPAA-covered entities and their business associates, so if the device manufacturer or app developer has not been engaged by a HIPAA-covered entity and is not a business associate, the information recorded would not be treated as PHI under HIPAA.

The same applies to education and employment records. A hospital may maintain data on its employees, which can include some health information (allergies or blood type, for example), but HIPAA does not apply to employment records, nor to education records.

Under HIPAA, PHI ceases to be PHI once all identifiers that could tie the information to an individual are removed. If the identifiers listed above are stripped out, the health information is considered de-identified, and the HIPAA Rules no longer apply to it.