The term PHI is commonly used in the healthcare industry but what does PHI stand for and what information does it include?
PHI is an acronym for protected health information, a broad term that includes any information related to the health status of an individual, the provision of healthcare, or payment for healthcare in the past, present or future that would allow an individual to be identified. PHI includes medical records and medical histories, health insurance information, Social Security numbers, demographic information, and health information used for day-to-day healthcare operations.
The protected aspect of the term means that the information is covered by the HIPAA Rules. The HIPAA Privacy Rule places restrictions on the allowable uses and disclosures of PHI, while the HIPAA Security Rule requires safeguards to be implemented to keep PHI safe, secure, and confidential.
Under HIPAA, the ability to identify an individual from PHI means it contains one or more of the 18 identifiers listed below. If all 18 identifiers are removed from a data set through the Safe Harbor method or the Statistical method, the information is no longer considered PHI and is therefore not subject to the provisions of the HIPAA Privacy Rule.
The 18 identifiers that turn health information into protected health information are:
- Full name or last name and first initial
- Geographical identifiers smaller than a state, except the initial three digits of a zip code, provided that the geographical unit represented by those digits contains more than 20,000 people
- Dates, other than a year, that are directly related to an individual
- Phone numbers
- Email addresses
- Fax numbers
- Social Security number
- Medical record number
- Health insurance beneficiary number
- Account numbers
- Certificate/license numbers
- Vehicle identifiers, including license plate numbers and serial numbers
- Device identifiers/serial numbers
- Web Uniform Resource Locators (URLs)
- IP addresses
- Biometric identifiers (fingerprints, voice prints, retina scans, etc.)
- Full face photographic images and any other images that would permit identification
- Any other unique identifying numbers, characteristics, or codes
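The Safe Harbor method described above, applied to a single record, as an added example that is not part of the original article: fields holding the identifier categories are dropped, ZIP codes are reduced to three digits only where the area holds more than 20,000 people (the HHS rule substitutes 000 otherwise), dates are reduced to the year, and free-text fields are scanned for identifier patterns that filtering by field name would miss. The field names, the ZIP3 population table and the sample record are constructed for this example.

```python
import re
from datetime import date
# Constructed ZIP3 -> population table (not census figures); real code loads census counts.
ZIP3_POPULATION = {"100": 1_500_000, "036": 15_000}

# Fields that Safe Harbor removes outright; ZIP and dates are generalised, not dropped.
DIRECT_IDENTIFIERS = {
    "name", "phone", "email", "fax", "ssn", "mrn", "insurance_id", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
}

# Identifier patterns that often survive inside free text such as clinical notes.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}

def generalize_zip(zip_code):
    """Keep ZIP3 only if its area holds more than 20,000 people, else 000 per the HHS rule."""
    return zip_code[:3] if ZIP3_POPULATION.get(zip_code[:3], 0) > 20_000 else "000"

def generalize_date(iso_date):
    """Reduce a date directly related to the individual to its year."""
    return str(date.fromisoformat(iso_date).year)

def find_residual_identifiers(text):
    """Return the kinds of identifier still present in a free-text value."""
    return {kind for kind, pat in RESIDUAL_PATTERNS.items() if pat.search(text)}

def safe_harbor(record):
    """Copy the record with identifiers removed or generalised; refuse it if free text leaks one."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            out[field] = generalize_zip(value)
        elif field.endswith("_date"):
            out[field] = generalize_date(value)
        elif isinstance(value, str) and find_residual_identifiers(value):
            raise ValueError(f"field {field!r} still contains an identifier")
        else:
            out[field] = value
    return out

SAMPLE_RECORD = {  # constructed example, not a real patient
    "name": "Jane Example", "mrn": "MRN-0001", "ssn": "123-45-6789", "email": "jane@example.com",
    "zip": "03601", "admission_date": "2023-04-17", "heart_rate_bpm": 72,
    "diagnosis_code": "I10", "notes": "Follow up in two weeks.",
}
```

Refusing to release a record whose notes still match an identifier pattern is the practical safeguard: the clinical value of the record survives, while a stray SSN or e-mail in free text is caught before the data set leaves HIPAA's scope.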
The term PHI applies to HIPAA-covered entities and their business associates. HIPAA-covered entities include healthcare providers, health plans, and healthcare clearinghouses that transmit electronic protected health information in connection with transactions covered by HHS standards. A business associate is a company, organization, or individual that performs tasks on behalf of a HIPAA-covered entity that require them to view or use PHI.
The term PHI does not apply to information held by entities not covered by HIPAA. For example, an individual's heart rate data along with one of the above identifiers would be classed as PHI if it was recorded by a physician at a hospital, but not if the information was collected by a personal device such as a fitness tracker. Health information contained in employment records or educational records is not considered PHI.