What is Considered PHI under HIPAA?

PHI is data that is protected by the legislation known as HIPAA. It includes all health information that can be linked to a person, which under HIPAA means health information that contains one or more of the 18 identifiers listed below.

PHI only refers to data held on patients or health plan members. It does not include information in education or employment records, such as health information held by a HIPAA covered entity in its role as an employer.

Health data is only defined as PHI when an individual could be identified from it. If all identifiers are deleted from health data, it is no longer considered protected health information and the HIPAA Privacy Rule’s restrictions on uses and disclosures no longer apply.

If one or more of these 18 identifiers are stripped away, then the information is no longer considered PHI.

How Must HIPAA Protected Health Information be Safeguarded?

The HIPAA Security Rule states that all HIPAA covered entities must implement security measures to protect against reasonably anticipated threats to the security of PHI. Covered entities must use appropriate safeguards to ensure the confidentiality, integrity, and availability of PHI. HIPAA is not technology specific, and the exact safeguards that should be used are left up to the covered entity to choose.

HIPAA demands that physical, technical, and administrative safeguards be used. Technologies such as encryption software and firewalls are classified as technical safeguards. Physical safeguards for PHI include keeping physical records and electronic devices that store PHI under lock and key. Administrative safeguards include setting access controls to manage who can view PHI and conducting security awareness training.

Why Must HIPAA Be Protected?

If you are employed in the healthcare sector, or wish to do business with healthcare clients and need access to health data, you are obligated to comply with HIPAA rules. The HIPAA Security Rule demands that safeguards be used to ensure the confidentiality, integrity, and availability of PHI, while the HIPAA Privacy Rule places restrictions on the uses and transmission of PHI.

Should you violate any part of the HIPAA Privacy and Security Rules, you could be hit with a financial penalty. Criminal convictions are even possible for HIPAA breaches. Claiming you were not aware of HIPAA law is not a valid defense should this happen.

Daniel Lopez

Daniel Lopez is the HIPAA expert behind HIPAA Coach. Daniel has over 10 years experience as a HIPAA trainer and has developed deep experience in teaching HIPAA to healthcare professionals. Daniel has contributed to numerous publications including expert articles on The HIPAA Guide. Daniel is currently a staff writer on HIPAA at the Healthcare IT Journal. Daniel was a subject matter expert for ComplianceJunction's online HIPAA training. Daniel's academic background in Health Information Management is the foundation of his HIPAA expertise. Daniel's primary professional interest is protecting patient privacy, which he believes is the core of the HIPAA regulations and the best route to HIPAA compliance. You can reach Daniel on the contact page of HIPAA Coach and follow him on Twitter https://twitter.com/DanielLHIPAA