Entities working in the healthcare industry need access to protected health information (PHI), which is why they need to know what the HIPAA law considers as PHI. PHI confidentiality, integrity and availability are safeguarded by the HIPAA Security Rule, while PHI uses and disclosure are limited by the HIPAA Privacy Rule. If an entity violates the HIPAA regulations, it could be financially and even criminally penalized. Not knowing the HIPAA law is not a valid excuse.
Protected health information refers to individually identifiable information that is related to a person’s health status. It could be created, collected or transmitted by a HIPAA-covered entity during the provision of healthcare or payment for healthcare services. Information that is considered PHI include the following:
- Health information such as medical test results, diagnoses, treatment information and prescription details
- National identification numbers such as Social Security numbers and driver’s license numbers
- Demographic information such as gender, birth dates, ethnicity, contact information
When saying PHI, it refers to physical health records. ePHI refers to health information that is created, received, transmitted or stored electronically. PHI is used only in relation to patient or health plan member information. Educational and employment records information is not included. PHI is only considered PHI if the information could identify a person. If health data is stripped of any identifier, it is no longer considered PHI. The HIPAA Privacy rule no longer apply and data uses or disclosures are not restricted.
PHI includes the following identifiers. Without these identifiers, the health information becomes de-identified PHI.
- Full name or last name and initial
- All geographical information smaller than a state, except for the initial three digits of a zip code if, based on the current publicly available information from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
- Dates (not just the year) directly associated to a person
- Email addresses
- Phone Numbers
- Fax numbers
- Social Security numbers
- Health insurance beneficiary numbers
- Medical record numbers
- Account numbers
- Certificate/license numbers
- Device identifiers and serial numbers
- Vehicle identifiers (including serial numbers and license plate numbers)
- Internet Protocol (IP) address numbers
- Web Uniform Resource Locators (URLs)
- Full face photographic images and any comparable images
- Biometric identifiers, such as finger, retinal and voice prints
- Any unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
According to the HIPAA Security Rule, covered entities must protect PHI from reasonably anticipated threats. Physical, technical and administrative safeguards that ensure the confidentiality, integrity, and availability of PHI must be in place. The HIPAA does not dictate specific safeguards that should be implemented. Covered entities can decide what to implement. Technological safeguards may be in the form of encryption software and firewalls. Physical safeguards include locked storage for physical records and electronic devices. Administrative safeguards may include PHI access controls that restrict who can access PHI and conducting security awareness training for employees.