What is Protected Health Information?

Protected health information what we refer to as any health data created, received, stored, or shared out by HIPAA-covered entities and their business associates through the provision of healthcare, healthcare operations and healthcare services payment structures. This term, protected health information, is often abbreviated to PHI, or in the case of electronic health information, ePHI.

Defining HIPAA Protected Health Information

Protected health information is defined as anything that “relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual” which is:

  • Shared through electronic media;
  • Stored using electronic media; or
  • Shared or stored in any other form or medium.

Protected health information is made up of all individually identifiable health information such as demographic data, medical histories, test results, insurance information and other details used to identify a patient or supply healthcare services or healthcare coverage. ‘Protected’ means the information is safeguarded under the HIPAA Privacy Rule.

The Code of Federal Regulations defines protected health information and is applicable to health records. It is not applicable to education records, which are covered by other federal regulations, or records held by a HIPAA-covered entity related to its role as an employer. In the case of an employee-patient, protected health information does not include details stored regarding the employee by a covered entity in its role as an employer, only in its role as a healthcare supplier.

PHI does not incorporate individually identifiable health information of persons who have died more than 50 years ago.

Individually Identifiable Health Information Defined

When individually identifiable information is utilized by a HIPAA covered outfit or business associate in relation to healthcare services or payment it is classified as protected health information.

18 identifiers have been defined that can be used to identify, contact, or locate a person. If health information is used with any of these identifiers it is thought of as identifiable. If PHI has all of these identifiers deleted, it is no longer thought of as protected health information. (see de-identification of protected health information)

  1. Names (either full or last name and initial)
  2. All geographical identifiers below a state, aside from the initial three digits of a zip code if, according to the existing publicly available data from the U.S. Bureau of the Census: the geographic unit formed by linking up all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
  3. Dates (apart from year) directly related to a person
  4. Contact Phone Numbers
  5. Contact Fax numbers
  6. Contact Email addresses
  7. Specific Social Security numbers
  8. Details of Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account details
  11. Certificate/license numbers
  12. Vehicle identifiers (including serial numbers and license plate numbers)
  13. Device identifiers and serial numbers
  14. URLs/Web Uniform Resource Locators
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers such as finger, retinal and voice prints
  17. Full face photographic images and any similar pictures
  18. All other unique identifying number, characteristic, or code aside from the unique code assigned by the investigator to code the data