HIPAA PHI

It may surprise some people to learn that, in the original 1996 text of HIPAA, PHI is not mentioned either in its long form (Protected Health Information) or in its abbreviated form (PHI). In fact, it was not until the publication of the proposed Privacy Rule in 1999 that the term Protected Health Information first appeared in HIPAA.

Subsequent to its first appearance in 1999, the definition of HIPAA PHI has undergone several changes before arriving at the definition known today. Consequently, it is not surprising that some in the healthcare and health insurance industries do not have a clear understanding of what is PHI, what it consists of, and how it can be used or disclosed.

Misunderstandings about HIPAA PHI can result in inadvertent violations of HIPAA for which penalties may apply; and, therefore, one of the best ways to avoid HIPAA violation penalties is to ensure that all members of the workforce are trained beyond the HIPAA training requirements to ensure they have a current and accurate understanding of HIPAA PHI.

As well as there being no mention of PHI in the text of HIPAA, there are no privacy or security standards. Among the few references to health information, the Secretary for Health & Human Services is instructed to develop "Security Standards for Health Information" (pages 91-92) and make "Recommendations with Respect to Privacy of Certain Health Information". (pages 99-100).

These instructions evolved respectively into the “Security Standards for the Protection of Electronic Protected Health Information” (the HIPAA Security Rule) and the “Privacy of Individually Identifiable Health Information” (the HIPAA Privacy Rule); and one of the reasons for early misunderstandings of HIPAA PHI was that the definition of PHI originally only appeared in the Security Rule.

Although the definition of PHI was subsequently moved from §164.501 to §164.103 in order to apply to all the Administrative Simplification provisions, further changes to the definition of HIPAA PHI occurred as HIPAA law evolved. You can read more about these changes and the impact they had on HIPAA compliance in this article about the evolution of HIPAA law.

The eighteen identifiers considered to be PHI - listed in the HIPAA PHI FAQs section below - are derived from the “safe harbor” standard for the de-identification of PHI (§164.514). This standard not only applies to identifiers that could identify an individual, but also identifiers that could identify a relative, employer, household member when the identifiers are maintained in the same record set.

Therefore, examples of PHI not only include the name and address of a patient, but also the telephone number of their employer or the license plate number of a partner´s car if the data is maintained in the same record set. Further examples of PHI include images of family members maintained in a data set when there is a reasonable basis to believe the images could be used to identify the individual who is the subject of the data set.

It is also important to note that some health information is not considered to be HIPAA PHI in certain circumstances. For example, a data set of vital signs does not constitute Protected Health Information by itself. However, if the vital signs data set includes names, or identifiers such as medical record numbers, then the entire data set is considered PHI and must be protected since it contains one or more identifier.

Understanding what PHI stands for, what it consists of, and how it can be used or disclosed is important for Covered Entities and Business Associates subject to the Privacy, Security, and Breach Notification Rules because – as mentioned above - misunderstandings about HIPAA PHI can result in inadvertent violations of HIPAA for which penalties may apply.

According to data from the Department of Health & Human Services (HHS), misunderstandings of the HIPAA Privacy Rules are the most common issues investigated by the HHS´ Office for Civil Rights – the top three complaints to the HHS´ Office for Civil Rights being:

Required, permitted, and authorized uses and disclosures of HIPAA PHI are discussed in this HIPAA Privacy Rules article, while patients´ rights under HIPAA are discussed below. It is important to note that the issue relating to the lack of safeguards to protect PHI does not refer to Security Rule safeguards, but rather the “appropriate administrative, technical, and physical safeguards to protect the privacy of PHI” required under the Administrative Requirements of the Privacy Rule (§164.530).

When HHS´ Office for Civil Rights takes enforcement action against a Covered Entity or Business Associate, it is more often in the form of technical assistance or a corrective action plan. However, in recent years, more fines have been issued for the failure to comply with patients´ rights under HIPAA than for any other category of HIPAA violation.

Consequently, it is important to understand what patients´ rights under HIPAA are, how patients should be informed of their rights, and train members of the workforce on how to deal with events such as requests for access in order to avoid HIPAA violation penalties. It is equally important to understand the circumstances in which patients´ rights under HIPAA do not apply.

One frequently overlooked area of patients´ rights under HIPAA is the requirement for Business Associates to also comply with this area of the Privacy Rule when – for example – an individual requests access to PHI or the correction of PHI, or when a disclosure of PHI is made beyond the terms of a Business Associate Agreement (i.e., to a public health or law enforcement agency).

As HIPAA related to more than just the privacy of individually identifiable health information, a “General Penalty for Failure to Comply with Requirements and Standards” was included in the Act. The General Penalty scale was adopted for HIPAA violation penalties when the Enforcement Rule was published in 2006; but, due to the modest civil monetary penalties that could be imposed by the HHS´ Office for Civil Rights (up to $100 per violation, capped at $25,000 per year), the cost of complying with HIPAA was often more than the amount of a fine for non-compliance.

To dissuade Covered Entities from ignoring their HIPAA obligations, a new four-tier penalty scale was introduced via the HITECH Act which increased the HIPAA violation penalties that could be imposed by HHS´ Office for Civil Rights to a maximum of $1.5 million per year. The civil monetary penalties have subsequently been adjusted for inflation, and the current minimum and maximum amounts (as of July 2022) can be found in this article about HIPAA violation penalties.

In addition to the civil monetary penalties that can be imposed by HHS´ Office for Civil Rights, the Department of Justice can also pursue criminal proceedings against Covered Entities and Business Associates if a breach of unsecured HIPAA PHI is attributable to an entity or individual knowingly taking PHI under false pretenses for personal gain. State Attorneys General also have the authority to pursue HIPAA violation penalties for breaches of unsecured PHI impacting residents of their state.

One of the most effective ways to avoid violations of HIPAA is to ensure all members of the workforce are trained on the requirements for safeguarding HIPAA PHI. It is important to note that “members of the workforce” not only includes paid employees, but also volunteers, students, and/or other persons who are under the direct control of the Covered Entity or Business Associate whether they are paid by the Covered Entity or Business Associate or not.

There are different training requirements stipulated by HIPAA for Covered Entities and Business Associates inasmuch as Covered Entities are required to provide training on policies and procedures with respect to PHI “as necessary and appropriate for the members of the workforce to carry out their functions”, while both Covered Entities and Business Associates are required to implement a training and security awareness program “for all members of the workforce including management”.

The training requirements mandated by HIPAA are the bare minimum that should be provided to members of the workforce. It may sometimes be the case that a worker in a healthcare facility is exposed to PHI outside of their functions, while Business Associates are required to comply with elements of the Privacy and Breach Notification Rules that are not covered in security and awareness training. This article on the HIPAA training requirementsrecommends additional training modules that can help Covered Entities and Business Associates avoid HIPAA violations attributable to a lack of training.

PHI stands for Protected Health Information – individually identifiable health information that must be safeguard from impermissible uses and disclosures by HIPAA Covered Entities (health plans, healthcare clearinghouses, and most healthcare providers) and Business Associates who provide a service for or on behalf of a Covered Entity.

Strictly speaking, PHI is any individually identifiable health information that could be used to identify an individual or which there is a reasonable basis to believe could be used to identify an individual. To help clarify this definition, compliance experts use the eighteen identifiers listed in the “safe harbor” standard for de-identifying PHI to explain what is considered PHI. The eighteen identifiers are:

In the original proposed Privacy Rule of 1999, PHI was referred to as “Covered Information” and the required safeguards only applied to individually identifiable health information “that is or has been electronically transmitted or maintained by a Covered Entity”. This would have meant that PHI maintained on paper or transmitted orally was not subject to the Privacy Rule – a situation that was corrected when the first Final Privacy Rule was published in 2000.

Since then, the definition of HIPAA PHI has been moved from Part 164 of the Code of Federal Regulations to Part 160 (so it covers all the Administrative Simplification provisions of HIPAA), and expanded so it applies to all individually identifiable health information created, maintained, or transmitted in respect of “past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual”.

In 2013, the definition of HIPAA PHI was again amended to account for the requirements of the Genetic Information Non-discrimination Act of 2008 (GINA); and then, in 2016, HHS authorized qualifying Covered Entities to disclose PHI without patient authorization when required to comply with the National Instant Criminal Background Check System. Subsequent Privacy Rule amendments attributable to the Cares Act and 21^st Century Cures Act have also changed the rules relating to disclosures, but not the definition of HIPAA PHI.

The HIPAA training requirements for Covered Entities stipulate “a Covered Entity must train all members of its workforce on the policies and procedures with respect to PHI required by this subpart and subpart D [the Privacy and Breach Notification Rules], as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”

This implies that HIPAA training only has to be provided to members of the workforce whose functions involve uses and disclosures of PHI. Consequently, members of the workforce whose functions do not involve uses and disclosures of PHI (cleaners, maintenance, stores, marketing, etc.) might never receive HIPAA training, despite the fact they may recognize people entering and leaving a hospital and share that information on social media in violation of the HIPAA Privacy Rule.

Patients have the right under HIPAA to request access to PHI maintained in a “designated record set” – a group of records maintained for on behalf of a Covered Entity that is used to make decisions about individuals´ entitlement to healthcare or the provision of healthcare. For example, in health plan and healthcare environments, designated record sets usually include all the information required to make decisions about enrollment, payment, claims, and medical management.

The right of access does not apply to any individually identifiable health information not included in a designated record set – even though it may still be considered to be HIPAA PHI (if it can be used to identify an individual) and therefore subject to the HIPAA Privacy Rules. The Privacy Rules also exempt psychotherapy notes, information compiled for legal proceedings, and data held by certain laboratories from the right of access provision. Covered Entities can also deny a right of access request when it is believed access could cause harm to the individual or to another person.