What is PHI in HIPAA?

May 7, 2024Olga Druchek
HIPAA
What is PHI in HIPAA?

Protected Health Information, commonly called PHI, is any data that relates to a person's health condition, medical history, health status, or treatment. The sensitive and private information includes information about doctor's appointments, prescription details and tests in the laboratory, results and insurance details, and other personal information. The importance of PHI can not be overemphasized as it plays an essential part in the care of patients and healthcare operations and is subject to strict privacy laws.

In a time when we rely heavily on electronic systems to store and share information about patients, health professionals securing the privacy of patient health data has become more critical than ever before.

What does PHI mean in the field of healthcare?

The acronym "PHI" is for secure health data, or HIPAA data. HIPAA data is protected by the Health Insurance Portability and Accountability Act (HIPAA), which stipulates that healthcare providers' PHI be safeguarded. Healthcare organizations are required to understand what constitutes PHI.

How do I define PHI?

PHI is the term used to describe HIPAA Protected Health Information (PHI), which is also known as HIPAA records, that includes all information in a person's medical record that could be used to identify the individual and is generated, utilized or disclosed during the course of treatment or diagnosis. This definition includes a variety of identification numbers and other information that is recorded during regular care and billing procedures. Securely implemented safeguards are required when collecting PHI since it is an essential aspect of the healthcare system.

Below, we've listed our 18 identifiers for HIPAA Protected Health Information (PHI) that are considered to be PHI, similar to guidelines from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

Some examples of PHI are:

  1. Name
  2. Address (including subdivisions that are smaller than the state, like street address or city, county and zip codes)
  3. Any date (except years) which are directly connected to an individual, such as birthday, admission date or discharge date, date of death, or the precise age of those who are older than 89
  4. Telephone number
  5. Fax number
  6. Email address
  7. Social Security number
  8. Medical record number
  9. Health Plan beneficiary number
  10. Account number
  11. Certificate/license number
  12. Serial numbers, vehicle identifiers or license number plates
  13. Device identifiers, or serial numbers
  14. Web URLs
  15. IP address
  16. Fingerprints, biometric identifications, or voice fingerprints
  17. Photos of full-face
  18. Other unique identifying numbers or other characteristics

What exactly is EPHI?

Electronic protected health data (ePHI) refers to any information about health that is stored, created or transmitted electronically. The HIPAA Security Rule provides specific guidelines that define the methods used in evaluating electronic health information.

Data is stored on media such as:

  • Personal computers equipped with internal hard drives that can be used for home, work or while on the road
  • External hard drives for portable devices
  • Magnetic tape
  • Storage devices that are removable, including USB drives, CDs, DVDs, and SD cards.
  • Smartphones, as well as PDAs

Data transmission methods that transmit data through wi-fi Ethernet or modem DSL and cable connections. This includes:

  • Email
  • Transfers of files

Are there distinctions among PII, PHI, and IIHI?

It's crucial to differentiate between personally identifiable information (PII), protected health information (PHI), and a third category: individually identifiable health information (IIHI).

  • PII refers to any information that can be used to identify an individual. This includes both non-sensitive data, which can be shared publicly without causing harm, and sensitive data, which could harm the individual if revealed. PII is broader than just health information; it also covers things like tax details, credit card numbers, and Social Security numbers when they're used outside of healthcare activities.
  • PHI refers to information that is used in a medical context. Organizations that handle PHI are always required to follow HIPAA rules. On the other hand, protecting PII is only mandatory in certain situations.
  • IIHI refers to health information that can identify an individual, essentially serving as PII within a healthcare context. Not all IIHI is safeguarded by HIPAA; only IIHI that has been transmitted or maintained by a HIPAA-covered entity qualifies as PHI. For instance, if a patient records daily blood pressure readings on a form containing their name, address, and phone number but has not yet sent it to their doctor, this constitutes IIHI, which is not PHI. While it may be sensitive, it is unprotected due to the lack of transmission.

In other words, IIHI becomes PHI if it is:

  • transmitted by electronic media, such as email;
  • maintained in electronic media, such as on a server or
  • transmitted or maintained in any other form or medium, including on a paper document stored in a physical location.

PHI and HIPAA

The HIPAA Privacy Rule offers federal protections for PHI held through Covered Entities (CEs) and allows patients to have rights over this information, in addition to guidelines for healthcare providers on how to secure PHI. The Privacy Rule permits PHI to be released due to patient treatment, but it has strict guidelines to ensure the security and integrity of the information as it is being stored or processed. There are specific safeguards in the rule that require complete physical, administrative, and technological security measures to warrant the integrity, confidentiality, and safety of PHI and ensure that they are adequately protected.

Security measures are essential when it comes to protected medical details (PHI). There are a variety of measures organizations must implement to assure the security, integrity, confidentiality and accessibility of PHI. A key and crucial security measure is encryption. It guarantees that only authorized individuals can access PHI with a password or additional security precautions.

Other security measures are:

  • Firewalls
  • Antivirus Software
  • Intrusion Detection System
  • Regular Backups

Restricting access to PHI is also essential. The organization should limit access to employees needing it to accomplish their tasks. Access controls should be implemented to stop unauthorized access to and the usage of PHI. In addition, organizations must have procedures and policies in place to grant the right to access by the job duties.

A proper treatment of PHI is equally crucial. Employees must be taught how to manage PHI safely in both electronic and hard copy formats. This includes guidelines for creating secure passwords and notifying data breaches quickly. Regular workshops reinforce these methods and ensure that employees are informed of the desirable techniques.

How to protect PHI?

By implementing these security measures, organizations can significantly reduce the risk of unauthorized access to PHI. Regular audits and risk assessments are also crucial in identifying any vulnerabilities and addressing them promptly. Additionally, organizations should stay updated with the latest industry standards and regulations to ensure compliance and maintain a strong security posture. Overall, a comprehensive and multi-layered approach is necessary to protect PHI and safeguard patient privacy.

Employee education and training programs are also vital in preventing breaches. By ensuring that all staff members are aware of their responsibilities and the importance of protecting PHI, organizations can foster a culture of security consciousness. This includes training employees on how to recognize and respond to potential threats such as phishing emails or suspicious requests for patient information. Ongoing monitoring and incident response plans are equally important, enabling organizations to detect and respond to security incidents swiftly, minimizing potential damage.

To further enhance PHI security, organizations should implement:

  1. Robust Access Controls: Limit access to PHI only to those who need it. This means setting up permissions and roles based on job requirements.
  2. Strong Password Policies: Ensure that all users create complex passwords that are difficult to guess. Passwords should also be changed regularly.
  3. Multi-Factor Authentication (MFA): Add an extra layer of security by requiring users to verify their identity through another method, such as a text message or authentication app.
  4. Regular Review of User Access: Conduct periodic reviews of who has access to PHI and make necessary adjustments based on changes in roles or employment status.
  5. System Log Audits: Regularly check system logs to identify unauthorized access attempts or unusual activity.
  6. Data Encryption: To protect it from unauthorised access or breaches, Encrypt all PHI data, both when it's being sent (in transit) and when it's stored (at rest).
  7. De-identification:  Remove or anonymize any identifying information from PHI whenever possible, reducing the risk of a data breach and ensuring compliance with privacy regulations.

By implementing these measures, organizations can significantly reduce the risk of unauthorized access to PHI and ensure compliance with HIPAA regulations.

De-identification as part of protection PHI

De-identification is one of the crucial aspects of protecting PHI. By removing or modifying identifying information, organizations can reduce the risk associated with data breaches while still being able to use the data for research, analysis, or other purposes. Implementing robust data governance practices, such as data classification and retention policies, can help ensure that PHI is only accessed and used by authorized individuals for approved purposes.

Safeguarding PHI requires a comprehensive approach that combines:

  • Technical safeguards
  • Employee education and training
  • Ongoing monitoring
  • Access controls
  • Encryption
  • De-identification

Organizations must remain vigilant in protecting patient privacy and adapting their security measures to address evolving threats in the digital landscape.

This article was originally published on May 7, 2024. It was last updated on July 27, 2024.

ApicomPro provides de-identification/anonymization for different data formats.