What is Considered PHI Under HIPAA?

Protected Health Information (PHI) under HIPAA is any individually identifiable health information, covering past, present, and future medical data, that is used, maintained, managed, or transmitted by a HIPAA-covered entity (healthcare providers, health plans, insurers, clearinghouses) or one of their business associates, and that relates to the provision of healthcare or payment for it. PHI takes many forms: physical records, electronic records, spoken information, health histories, lab results, medical invoices, and demographic details. It also includes the identifiers commonly attached to that data, such as patient names, Social Security numbers, driver's license numbers, insurance details, and birthdays. HIPAA lists 18 specific identifiers, which together form a comprehensive framework for safeguarding individual privacy and confidentiality in the healthcare sector.

HIPAA lists 18 identifiers; health information that contains any of them is treated as PHI. The identifiers are:

  • Names
  • Geographic data
  • Dates (birth, admission, discharge, death)
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers
  • Device identifiers and serial numbers
  • Web Uniform Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers (fingerprints, voiceprints)
  • Full-face photographs or comparable images
  • Any other unique identifying number, characteristic, or code

When is PHI not PHI?

Determining whether health information qualifies as PHI under HIPAA involves more than blanket categorization. Contrary to widespread belief, not every piece of health-related data automatically falls under the umbrella of PHI. The distinction turns largely on which entity records and manages the data.

Take for example the use of health trackers, both physical devices worn on the body and applications on mobile devices. This technology can record an array of health information, ranging from heart rate to blood pressure. However, whether this information is PHI under HIPAA depends on the context in which it is stored or used. If the recorded health information from these trackers is saved by a healthcare provider or used by a health plan, it falls under the PHI category: the involvement of a HIPAA-covered entity or its business associate in handling the data triggers HIPAA's regulatory framework. If the device manufacturer or app developer is not directly engaged by a HIPAA-covered entity and does not function as a business associate, the recorded information may not be considered PHI under HIPAA.

Education or Employment Histories

The boundary of HIPAA becomes clearer when looking at education or employment histories, which may contain fragments of health-related information. Where a hospital retains employee data containing details such as allergies or blood type, HIPAA does not extend to those employment records, nor to education histories. Such records lie outside HIPAA's scope, which shows how specifically the law governs healthcare information: it applies only to HIPAA-covered entities and their designated business associates acting in that healthcare role. A discerning understanding of these boundaries matters, because HIPAA's regulatory framework is tailored to the management and protection of healthcare information within the defined healthcare context.

De-Identification and Exception

PHI loses its classification under HIPAA when all identifiers connecting the information to an individual are removed. This process, de-identification, turns the health information into what is known as de-identified PHI. In this state, personal identifiers such as names, Social Security numbers, and other distinguishing features are stripped away, and the data is exempt from the HIPAA rules. This exception is central to the regulatory framework and reflects its emphasis on safeguarding individual privacy: by removing identifying elements, entities can share or analyze health data while still adhering to HIPAA's principles and contributing to the overarching goal of keeping individuals' health data confidential. A clear understanding of these distinctions is necessary for both healthcare providers and individuals, as it supports a robust framework for the secure handling of health information within the bounds of HIPAA.
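The de-identification described above can be made concrete with an added Python example (this is editor-provided code, not part of the original article and not any official HIPAA tool). It applies the identifier list from earlier in the page to a constructed patient record: fields that map directly to listed identifiers (name, address, phone, SSN, medical record number, IP address, and so on) are dropped, date fields are reduced to the year, and free-text notes are scanned for identifier patterns that often leak into narrative text. The field names, the sample record, and the regular expressions are assumptions chosen for the example; the decision to keep the year of a date is the editor's reading of the Safe Harbor method, not a statement taken from this page.

```python
import re

# Record fields that correspond directly to identifiers on HIPAA's list.
# Field names are an assumption for this constructed example.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "fingerprint_hash", "photo",
}

# Date fields: the example keeps only the year (assumed acceptable under
# Safe Harbor de-identification) and drops the month and day.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}

# Identifier patterns that commonly leak into free-text clinical notes.
# These are illustrative regexes, not an exhaustive detector.
FREE_TEXT_PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("url", re.compile(r"\bhttps?://\S+", re.IGNORECASE)),
    ("date", re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b")),
]


def redact_free_text(text):
    """Replace each matched identifier pattern with a bracketed label."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(f"[{label.upper()}]", text)
    return text


def deidentify(record):
    """Return a copy of the record with listed identifiers removed.

    Direct identifier fields are dropped, date fields are reduced to the
    year, and every remaining string value is scanned for leaked patterns.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key in DATE_FIELDS:
            out[key + "_year"] = str(value)[:4]  # ISO date -> year only
            continue
        out[key] = redact_free_text(value) if isinstance(value, str) else value
    return out


def residual_identifiers(record):
    """Labels of identifier patterns still present in the record's strings.

    Useful as a post-processing check; an empty set means none of the
    regex-detectable patterns remain. Names in free text are NOT caught.
    """
    found = set()
    for value in record.values():
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS:
                if pattern.search(value):
                    found.add(label)
    return found


# Constructed sample record; every value here is fictional.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "address": "12 Example Street, Springfield",
    "ssn": "123-45-6789",
    "mrn": "MRN-000123",
    "ip_address": "192.168.1.10",
    "birth_date": "1985-03-14",
    "admission_date": "2024-03-14",
    "age": 39,
    "diagnosis": "Hypertension",
    "notes": ("Pt Jane Sample (SSN 123-45-6789) seen 03/14/2024; contact "
              "555-867-5309 or jane@example.com, portal login from 192.168.1.10"),
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print("before:", sorted(residual_identifiers(SAMPLE_RECORD)))
    print("after: ", sorted(residual_identifiers(cleaned)))
    print(cleaned)
```

Running the script shows the direct identifier fields gone, the dates reduced to years, and the SSN, phone, e-mail, IP, and date in the notes replaced by labels. The patient's name in the free text survives, which is the important caveat: pattern matching handles structured identifiers well, but names, geographic details, and "any other unique identifying characteristic" in narrative text need review by a person or a dedicated de-identification tool before the data can be treated as de-identified.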

Best Practices for Securing PHI

Safeguarding Protected Health Information (PHI) is key to maintaining the trust and confidentiality of patients. Implementing robust measures not only aligns with the mandates of HIPAA but also establishes a foundation for a secure and compliant healthcare environment. These measures include:

1. Risk Assessment: Regularly assess systems, processes, and technologies to identify vulnerabilities.
2. Encryption and Decryption: Implement encryption for secure transmission and storage of PHI.
3. Access Controls: Use unique user credentials and role-based access to restrict unauthorized entry.
4. Training and Awareness: Conduct comprehensive training programs for staff on security protocols and privacy policies.
5. Secure Communication Channels: Utilize encrypted email and secure messaging systems for protected data transmission.
6. Physical Security Measures: Secure servers, data centers, and paper records to prevent unauthorized access.
7. Incident Response Plan: Develop and test a plan outlining steps to be taken in case of a security breach.
8. Regular Audits and Monitoring: Conduct routine audits and implement continuous monitoring mechanisms.
9. Vendor Management: Establish robust practices for assessing and ensuring vendor HIPAA compliance.
10. Data Backups and Recovery: Regularly back up PHI and establish comprehensive data recovery procedures.
11. HIPAA Compliance Reviews: Conduct regular internal reviews and external audits to assess compliance.
12. Secure Disposal of PHI: Implement proper disposal practices for paper records and electronic devices.

A comprehensive understanding of what falls under PHI and the circumstances under which it is exempt from HIPAA regulations is necessary for both healthcare providers and patients. HIPAA’s goal is to protect the confidentiality and privacy of sensitive health information, and a comprehensive understanding of the exceptions ensures that the regulations are applied judiciously. Adhering to HIPAA guidelines is not only a legal requirement but also beneficial in building trust and maintaining the integrity of the healthcare system by safeguarding the privacy of individuals’ health data.

Daniel Lopez

Daniel Lopez is the HIPAA expert behind HIPAA Coach. Daniel has over 10 years experience as a HIPAA trainer and has developed deep experience in teaching HIPAA to healthcare professionals. Daniel has contributed to numerous publications including expert articles on The HIPAA Guide. Daniel is currently a staff writer on HIPAA at the Healthcare IT Journal. Daniel was a subject matter expert for ComplianceJunction's online HIPAA training. Daniel's academic background in Health Information Management is the foundation of his HIPAA expertise. Daniel's primary professional interest is protecting patient privacy, which he believes is the core of the HIPAA regulations and the best route to HIPAA compliance. You can reach Daniel on the contact page of HIPAA Coach and follow him on Twitter https://twitter.com/DanielLHIPAA