Questions and Answers About PHI


What is PHI?

PHI is a commonly used term in healthcare, but some people do not fully understand what it means. Let’s talk about PHI and a few related terms. What are PHI, PII, and IIHI? PHI, PII and IIHI are acronyms for Protected Health Information, Personally Identifiable Information and Individually Identifiable Health Information, respectively. To fully understand what these acronyms mean, it is necessary to define health information first.

Health information refers to all information gathered when obtaining healthcare or paying for healthcare services at a healthcare provider, healthcare clearinghouse, public health authority, health plan, a school/university or business associate of a HIPAA-covered entity. It includes past, present and future data on the physical or mental health of a person accessing or paying for healthcare services.

PII or IIHI involves health information that identifies a patient. For example, the health diagnosis of asthma becomes PII when it is linked to a specific patient’s information. There must be a reasonable basis to believe that the information can be used to identify the patient.

PHI is any individually identifiable health information stored in digital form or electronically transmitted by HIPAA-covered entities or their business associates. PHI may also be maintained and transmitted in different forms including charts, films and paper records. Education and employment records are not included in PHI.

What are examples of PHI considered by HIPAA?

Health records that HIPAA considers as PHI include EHR/EMRs, health histories, laboratory test results, diagnoses, treatment details, insurance information and lists of allergies. Other unique identifiers as well as demographic information are also included. All information that is created, used or disclosed by a HIPAA-covered entity when providing healthcare or when the patient pays for services is considered PHI. HIPAA strictly controls the allowable uses and disclosures of PHI.

When Can PHI Be Used and Disclosed Without Obtaining Patient Authorizations?

According to the HIPAA Privacy Rule, HIPAA-covered entities can only use or disclose PHI without first obtaining patient authorization for purposes of treatment and healthcare operations. 45 CFR 164.501 defines treatment and healthcare operations.

Can Patients Obtain Copies of PHI?

Yes. According to the HIPAA Privacy Rule, patients can obtain copies of PHI stored by a covered entity. The patient can simply request that the covered entity provide copies of the PHI. Information that can be obtained includes the information used by the covered entity when providing treatment, processing payments, making enrollment decisions, or adjudicating claims. In the case of health plans, copies include the information in case and medical management record systems.