What Is PHI?
PHI stands for Protected Health Information and refers to a broad range of information contained in either digital (e.g., electronic health records or EHR) or paper-based medical records that can be used to identify an individual. Data from medical records that are considered PHI encompasses anything created, used, or disclosed in the course of providing healthcare services.
This includes all data that relates to an individual’s past, present, or future health, the delivery of healthcare to an individual, or the payment for healthcare treatment. At a high level, PHI includes:
- Billing information
- Conversations between doctors and nurses about a patient
- Patient-identifiable information in a health insurance company’s computer system
The Privacy and Security Rules in the Health Insurance Portability and Accountability Act (HIPAA) define what data is considered PHI. HIPAA rules also direct how organizations collect, create, engage with, share, transmit, maintain, or store PHI to protect this data. According to HIPAA, administrative, physical, and technical safeguards must be in place to ensure the privacy, integrity, and availability of PHI.
Organizations and PHI
Covered entities and business associates must comply with HIPAA are any person or organization that provides treatment, payment, or is involved with operations related to healthcare.
Covered entities are primarily healthcare providers, health plans, and healthcare clearinghouses. Healthcare providers include doctors, clinics, dentists, ophthalmologists, psychologists, psychiatrists, nursing homes, chiropractors, pharmacies, hospitals, and other specialty providers. Health plans include health insurance companies, company health plans, PPOs, HMOs, Medicare, and Medicaid.
In addition, schools and employers can fall under the definition of a health plan if they handle PHI to manage health plan enrollment.
Business Associates of Healthcare Providers
A business associate is a vendor, contractor, or service provider who has access to, discloses, or uses PHI on behalf of a covered entity. This includes creating, transmitting, or storing PHI, or using it in a hosted application (e.g., websites, email systems, electronic health records or EHR, laboratory information management system or LIMS).
What is ePHI?
ePHI is Electronic Protected Health Information. It includes all individually identifiable health information created, maintained, or transmitted electronically by any organization regulated by HIPAA.
This includes PHI in computers, web portals, cloud-based applications, mobile devices, wearables, and dictation devices. PHI also includes electronic health records, recorded phone calls, emails, text messages, digital invoices, and video recordings. All of the HIPAA rules for PHI apply to ePHI.
What Information is Considered PHI?
Information that is considered PHI is any Personal Identifying Information (PII) that, separately or combined with other data elements, could allow a particular person or their healthcare status in the past, present, or future to be identified. PII that, when paired with health information, becomes PHI, includes the following.
- Telephone numbers
- Fax numbers
- Geographic data
- Social security numbers
- Full-face photos and other images with identifying characteristics
- Elements of dates related to an individual (e.g., birth date, appointment date, admission date)
All Medical Records (e.g., general, dental, and mental health)
- Account numbers
- Health plan beneficiary numbers
- Medical record numbers
- Biometric identifiers (e.g., fingerprint, voiceprint, retinal imaging)
- Scans from imaging machines (e.g., x-ray, MRI, ultrasound)
- Test results (e.g., COVID screening, blood tests, drug tests)
- Device identifiers and serial numbers
- Internet protocol (IP) addresses
- Web URLs
- Billing records
- Certificate / license numbers
- Data recorded and transmitted using wearables
- Insurance information
- Vehicle identifiers and serial numbers
- Any unique identifying number, characteristic, or code
What PHI Does Not Include
A few examples of data that are not considered PHI include:
- Accounting records
- Employee information
- Education records
- Blood sugar readings without PII (e.g., account, user name)
- Heart rate readings without PII
- Activity-related data captured on a wearable (e.g., number of calories burned, number of steps in a pedometer)
In addition, a personal health record (PHR), which a patient maintains and updates using a service (e.g., Apple Health, Microsoft HealthVault), is not considered PHI. This is because with a PHR, patients oversee and are responsible for data protection. PHR data security can be compared to consumers protecting their credit card numbers or social security number.
PHI and Data Breaches
According to the U.S. Department of Health and Human Services, “The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI).”
There are three exceptions to data breach notification rules.
- 1. Unintentional acquisition, access, or use of PHI by an employee or person acting under the authority of a covered entity or business associate
- 2. Inadvertent disclosure of PHI by a person (with authorized access to PHI at a covered entity or business associate) to another person at the organization (also authorized to access the PHI)
- 3. Covered entity or business associate is confident that the unauthorized person to whom the unauthorized disclosure was made would not have been able to retain the information
Defending PHI from Data Breaches
Part of the HIPAA Security Rule requires that measures be taken to restrict unauthorized access to PHI. Covered entities and business associates must defend against threats to PHI to avoid costly fines and risk losing patients’ trust.
Safeguards to protect PHI include:
- Technical safeguards like strong user password policies, firewalls, encryption, anti-malware software, and user access controls
- Physical safeguards include locking areas where physical records are stored (e.g., file cabinets, storage rooms, desk drawers) and securing buildings from unaccompanied and unauthorized visitors
- Electronic device safeguards include password protection, encryption, and remote wiping or disabling capabilities
- Administrative safeguards include implementing and enforcing policies that limit PHI access to certain people and training about how to protect PHI online and in physical locations
Take Time to Understand PHI and Its Impact
The fundamental objective of HIPAA regulations is to ensure that individuals retain control of their medical data or PHI. The premise is that it should be the individual’s choice regarding who can access their PHI, including providers in the healthcare sector, family members, and employers.
Because individuals need to share their PHI to partake in healthcare services, PHI protection is a priority of the various people and entities that comprise this ecosystem. The PHI protection mandate is clear, and the repercussions of failure are significant, so it is important to take time to understand PHI and associated requirements.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 6th December, 2021