Is a phone number PHI?

A phone number collected, stored, or used by a healthcare provider, health plan, healthcare clearinghouse, or a business associate of one of these entities is considered PHI.
For example, a hospital's patient records may include a phone number associated with a medical history, treatment information, or health insurance details that can identify an individual. In this case, the phone number is PHI.
By contrast, a phone number stored in a non-healthcare database, such as a customer service login, a retail store's records, or a contact list on a personal phone, is not protected health information.

The relevant section of the HIPAA Privacy Rule is 45 CFR § 164.514(b)(2)(i), which specifies:

(i) The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:

(A) Names;

(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

(D) Telephone numbers;

(E) Fax numbers;

(F) Electronic mail addresses;

Is it different when health information is associated with a phone number?

Healthcare providers should be cautious with phone numbers linked to identifiable health information: in healthcare settings, patient data and privacy are protected by rigorous security protocols. Phone numbers that are not PHI are a different matter. HIPAA does not require safeguards for them, and they can be treated as regular contact information.

See also: What is PHI in HIPAA?

Phone number protection best practices

Privacy breaches may result if patient information is mishandled or exposed, potentially leading to unwanted contact, identity theft, or discrimination. HIPAA compliance requires safeguarding PHI, including phone numbers, as part of a broader commitment to data security. These are some of the best practices:

  1. Control access to PHI strictly: Only allow authorized personnel to access PHI. Use role-based access controls to limit viewing and handling to the staff who need it. Monitor access regularly, and regularly review access controls to ensure they remain up to date. Implement two-factor authentication for remote access.
  2. Use secure communication channels: When sharing PHI, use secure, HIPAA-compliant communication methods. Encrypt and secure emails, texts, and other electronic communications containing phone numbers.
  3. Data de-identification and anonymization: De-identify and anonymize data whenever possible. Keep data only for as long as it is needed and securely destroy it when it is no longer needed. Train employees on how to handle personal health information.
  4. Policies and procedures: Develop and implement policies and procedures for handling personal health information, such as phone numbers. Make sure these policies are regularly updated and comply with current HIPAA requirements.
  5. HIPAA training: Train employees on these policies and procedures and regularly remind them to follow them. Hold employees accountable for any violation of these policies.
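As an added example that is not part of the original article, the following Python applies the identifiers (A) to (F) quoted from 45 CFR 164.514(b)(2)(i) above, and the de-identification called for in item 3, to a constructed patient record. The field names, the sample values, the reference date and the small-population ZIP3 set are assumptions for illustration; a real ZIP3 list must be derived from current Census data.

```python
import re
from datetime import date

# Assumed (constructed) ZIP3 prefixes whose combined population is 20,000 or fewer.
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}

REMOVE_FIELDS = {"name", "email", "phone", "fax"}                  # (A), (D), (E), (F)
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}  # (C)
TODAY = date(2024, 3, 2)  # assumed reference date for computing ages


def zip3(zip_code: str) -> str:
    """(B): keep the first three digits, or 000 when that area is too small."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    return "000" if prefix in SMALL_POPULATION_ZIP3 else prefix


def age_on(birth: date, today: date) -> int:
    """Age in whole years on `today`."""
    return today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))


def safe_harbor(record: dict, today: date) -> dict:
    """Return a de-identified copy of `record` per identifiers (A)-(F)."""
    birth = date.fromisoformat(record["birth_date"])
    age = age_on(birth, today)
    over_89 = age > 89
    out = {"age": "90+" if over_89 else str(age)}  # (C): ages over 89 collapse to 90+
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue  # names, emails, phone and fax numbers are dropped outright
        if key == "zip":
            out["zip3"] = zip3(value)
        elif key in DATE_FIELDS:
            # (C): keep only the year; the birth year is removed too for ages over 89
            year = value[:4]
            out[key + "_year"] = None if (over_89 and key == "birth_date") else year
        else:
            out[key] = value  # e.g. diagnosis: not a listed identifier
    return out


# Constructed sample record; every value is fictitious.
SAMPLE = {
    "name": "Example Patient",
    "phone": "555-0100",
    "fax": "555-0199",
    "email": "patient@example.com",
    "zip": "03601",
    "birth_date": "1930-02-15",
    "admission_date": "2024-03-02",
    "diagnosis": "hypertension",
}
```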

Conclusion

When linked to identifiable health information, phone numbers are PHI and must be handled with the utmost care in healthcare settings. Compliance with HIPAA mandates strict security protocols to protect patient privacy and prevent breaches. Healthcare providers must implement best practices such as controlling access to PHI, using secure communication channels, de-identifying data, and establishing comprehensive policies and procedures. Regular employee training and accountability are also essential to ensure ongoing adherence to these protocols. By rigorously safeguarding PHI, including phone numbers, healthcare organizations can protect patient privacy and maintain trust.