What is Protected Health Information?

Protected health information is a term that is defined in the Health Insurance Portability and Accountability Act (HIPAA) and applies to health data containing information that would allow an individual to be identified.

Health information is considered protected health information if it contains at least one of 18 different identifiers. If this information is removed, the information is classed as de-identified data, and is no longer covered by the requirements of the HIPAA Privacy and Security Rules.

The 18 identifiers that turn health information into protected health information are:

• Full name or last name and first initial
• Geographical identifiers smaller than a state
• Dates directly related to an individual (other than a year)
• Phone Numbers
• Email addresses
• Fax numbers
• Social Security number
• Medical record number
• Health insurance beneficiary number
• Account numbers
• Certificate/license numbers
• Vehicle identifiers, including license plate numbers and serial numbers
• Device identifiers/serial numbers
• Web Uniform Resource Locators (URLs)
• IP addresses
• Biometric identifiers (voice and fingerprints, iris/retina scans etc.)
• Full face photographic images and any other images that would permit identification
• Any other unique identifying numbers, characteristics, or codes

Protected health information includes a wide range of health information and demographic data that relate to an individual’s past, present, or future physical and/or mental health that is used for healthcare operations, payment for healthcare services, or the provision of healthcare. The term is often shortened to PHI or ePHI if it is in electronic form.

PHI/ePHI therefore include all information contained in medical records such as test results, medical histories, health insurance information, and identification numbers that are used to identify a patient or health plan member.

Under HIPAA, protected health information relates to any identifiable health information that is created, received, stored, or transmitted by a HIPAA-covered entity or business associate in relation to healthcare operations, the provision of healthcare, or payment for healthcare services.

Protected health information only applies to HIPAA-covered entities – Healthcare providers, health plans, and healthcare clearinghouses and their business associates: Companies, organizations, or individuals who perform functions on behalf of HIPAA-covered entities that require access to health data.

PHI does not include education or employment records, even though they may contain the same information and identifiers as PHI. In such cases, the information is simply referred to as personally identifiable information (PII).