What does PHI stand for?

Q: What is the difference between Protected Health Information and Personally Identifiable Information?

Protected Health Information has a specific meaning under HIPAA. It is any medical information that contains one of 18 HIPAA identifiers and is used in the payment for healthcare or other healthcare-related operations. PHI is a subset of Personally Identifiable Information (PII), which is any sensitive information that can be used to identify an individual. PII becomes PHI if it relates to a patient’s health status, if it is used in healthcare operations, or if it is created, maintained, or transmitted by a Covered Entity.

Q: What is the difference between PHI and ePHI?

Electronic PHI (ePHI) is simply any PHI that has been created, stored, or transmitted electronically. It is subject to the same protections as PHI. ePHI is specifically protected under the HIPAA Security Rule.

Q: What is “anonymization”?

If PHI is stripped of the 18 identifiers that can be used to trace the identity of the patient, it is no longer considered to be PHI.

The question what does PHI stand for is usually answered by a reference to the Health Insurance Portability and Accountability Act (HIPAA). However, the acronym PHI – which stands for Protected Health Information – does not appear in HIPAA in neither its short form nor long form.

In fact – in the context of HIPAA – the first references to PHI were not made until some years later, when the proposed Privacy Rule was published. The proposed Privacy Rule defined “Protected Health Information” as individually identifiable health information transmitted or maintained (by Covered Entities and Business Associates) in any form or medium.

Covered Entities and Business Associates subject to the HIPAA regulations must implement reasonable and appropriate measures to safeguard the privacy of PHI and ensure it is not disclosed without authorization (from an individual) other than for disclosures permitted by the HIPAA Privacy Rule. This also applies to the subset of electronic PHI (ePHI) covered by the HIPAA Security Rule.

What Health Information is Protected by the HIPAA Privacy Rule

The Department for Health and Human Services (HHS – the agency that enforces HIPAA via the Office for Civil Rights) does not elaborate on what specific individually identifiable health information is protected by the Privacy Rule. Instead, it relies on Covered Entities and Business Associates to assess what information should be protected if it relates to:

An individual´s past, present, or future physical or mental health or condition,
The provision of health care to the individual, or
The past, present, or future payment for the provision of healthcare to the individual.

HHS does state that individually identifiable health information should be protected “when there is a reasonable basis it can be used to identify the individual”; but, beyond suggesting identifiers such as name, address, birth date, and Social Security number – and noting that this information should be protected in electronic, paper, and oral formats – HHS doesn´t offer specific guidance.

Consequently, compliance experts have suggested that the eighteen identifiers listed in the safe harbor de-identification standard ((§164.514) should be used as guide. This standard not only applies to identifiers that can identify an individual, but also those that can identify a relative, employer, or household member when the identifiers are maintained in the same “designated record set”:

Names
All geographic subdivisions smaller than a State
All elements of dates (except year) for dates directly related to an individual.
Telephone numbers
Fax numbers
Electronic mail (email) addresses
Social security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Web Universal Resource Locators (URLs)
Internet Protocol (IP) address numbers
Biometric identifiers, including finger and voice prints
Full face photographic images and any comparable images
Any other unique identifying number, characteristic, or code

It is important to note that when these identifiers are not included in a designated record set, they are not protected health information. Additionally, there may also be cases in which other identifiers are maintained in a designated record set that are not included in the above list – for example, details of emotional support animals or social media aliases.

The Disclosures of PHI Permitted by the HIPAA Privacy Rule

There are three types of disclosures permitted by the HIPAA Privacy Rule – required, permitted, and requiring authorization. Required disclosures are those required when an individual exercises their rights to access, correct or transfer PHI, or request an accounting of disclosures. Covered Entities are also required to disclose PHI to inspectors from the Office of Civil Rights during an audit or review.

Permitted disclosures of PHI include disclosures for treatment, payment, or health care operations, and when a disclosure is for public health or benefit activities. Public health or benefit activities can include disclosures to law enforcement, reports of neglect or abuse, to comply with workers´ compensation laws, or when the disclosure is in response to a subpoena or other lawful process.

All other disclosures of PHI require authorization from the patient. In most circumstances, a written authorization must be obtained, documented, and retained. However, the Privacy Rule allows for informal consent for uses such as inclusion in a hospital directory, or – if a patient is unable to give their informal consent – a Covered Entity can use their professional judgement to assume consent if the use or disclosure of PHI is considered to be in the best interests of the patient.

The Importance of Understanding What Does PHI Stand For

The reason why it is important to understand what does PHI stand for is that a “Minimum Necessary Standard” exists in the Privacy Rule. This Standard stipulates that only the minimum amount of PHI needed to accomplish the intended purpose should be disclosed. The failure to comply with this Standard is one of the most common reasons for patient complaints to HHS´ Office for Civil Rights.

Subsequent to receiving a patient complaint, the HHS´ Office for Civil Rights will investigate and may require the Covered Entity to review its policies and procedures or comply with a corrective action plan. In extreme cases where the Covered Entity is a repeating offender who has failed to correct previous violations, the HHS´ Office for Civil Rights can impose a civil monetary penalty.

Although in most cases, Covered Entities will not be fined for violations of the Minimum Necessary Standard, reviewing policies and procedures (and retraining workforces subsequent to a material change) and complying with a corrective action plan incurs indirect costs and disrupts operations. For this reason, it is important to train workforces on what does PHI stand for and when its use or disclosure is permitted under the HIPAA Privacy Rule.

PHI: FAQ

What is the difference between Protected Health Information and Personally Identifiable Information?

Protected Health Information is individually identifiable health information and any accompanying identifiers maintained in the same designated record set. Personally Identifiable Information is an identifier that could be used to identify the subject of the PHI when it is maintained in a designated record set. If it is not maintained in a designated record set, PII is not protected by HIPAA – although other federal or state privacy laws may apply.

What is the difference between PHI and ePHI?

Electronic PHI (ePHI) is a subset of PHI. The acronym ePHI is used to describe PHI that has been created, received, stored, or transmitted electronically. ePHI is subject to the same protections as PHI; however additional standards for protecting ePHI from impermissible uses and disclosures exist in the HIPAA Security Rule.

Is “Jane Smith” considered to be PHI?

Yes, even generic names that are shared by thousands of individuals are considered to be PHI if they are maintained in a designated record set. This is because, even if a name is a common name, it can still be used to identify an individual. Additionally, it would be impractical for HIPAA to distinguish between “scales” of identifiability of PHI. The frequency of names changes through time and between different locations, so having different lists and applying different protections would be too difficult.

What is “anonymization”?

If PHI is stripped of all identifiers that can be used to identify the subject of the health information, it is no longer individually identifiable, not considered to be PHI, and not protected by the Privacy and Security Rule standards.

What is considered to be “future” health information?

Future health information can include treatment plans and prognoses. This is considered to be sensitive information as it could be used to discriminate against a patient in terms of their employment prospects, amongst other things.