What does PHI stand for?

The question of what PHI stands for is usually answered with a reference to the Health Insurance Portability and Accountability Act (HIPAA). However, the acronym PHI, which stands for Protected Health Information, does not appear in the text of HIPAA itself in either its short form or its long form.

In fact, in the context of HIPAA, the first references to PHI were not made until some years later, when the proposed Privacy Rule was published. The proposed Privacy Rule used the terms "Protected Health Information" and "Individually Identifiable Health Information" interchangeably, and the definition of PHI eventually settled on individually identifiable health information that is held or transmitted by a Covered Entity or its Business Associate.

Covered Entities and Business Associates subject to the HIPAA regulations must implement reasonable and appropriate measures to safeguard the privacy of PHI and to ensure that it is not used or disclosed without the individual's authorization, other than for the uses and disclosures the HIPAA Privacy Rule permits or requires. The same obligation applies to the subset of PHI held in electronic form (ePHI), which is additionally covered by the administrative, physical, and technical safeguards of the HIPAA Security Rule.

What Information is Protected by the HIPAA Privacy Rule

The Department of Health and Human Services (HHS, the agency that enforces HIPAA via its Office for Civil Rights) does not enumerate the specific information protected by the HIPAA Privacy Rule. Instead, it relies on Covered Entities and Business Associates to assess what information must be protected if it relates to:

  • An individual´s past, present, or future physical or mental health or condition,
  • The provision of health care to the individual, or
  • The past, present, or future payment for the provision of health care to the individual.

HHS does state that individually identifiable health information must be protected when "there is a reasonable basis to believe it can be used to identify the individual"; but, beyond suggesting identifiers such as name, address, birth date, and Social Security number, and noting that this information is protected whether it is held in electronic, paper, or oral form, HHS offers no more specific guidance.

Consequently, compliance experts have suggested that the eighteen identifiers listed in the safe harbor de-identification standard (§164.514(b)(2)) be used as a guide. Note that the standard covers not only identifiers of the individual, but also identifiers of the individual's relatives, employers, or household members:

  1. Names
  2. All geographic subdivisions smaller than a State, including street address, city, county, and ZIP code (with a narrow exception for the first three digits of a ZIP code)
  3. All elements of dates (except year) directly related to an individual, such as birth, admission, discharge, and death dates
  4. Telephone numbers
  5. Fax numbers
  6. Electronic mail (email) addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code
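The list above is also a practical checklist for a data-handling pipeline: anything that leaves a production system for analytics, test data, or a vendor should be screened against it. The following is an added example, not code from the article or from HHS: a small safe harbor scrubber that applies a per-field policy to structured fields (drop the field, keep only the year, keep only the state) and uses regexes to catch identifiers that leak into free text. The field names, the regexes, and the sample record are all assumptions constructed for this illustration.

```python
"""Safe harbor screening: strip the 18 HIPAA identifiers from a patient record.

Added example. Field names, regexes and the sample record are assumptions
constructed for illustration, not taken from the article or from HHS guidance.
"""
import re

# Identifiers that tend to leak into free-text fields (notes, messages, logs).
# Order matters: URLs before emails/IPs so a URL is not chopped up, SSNs before
# phone numbers so the looser phone pattern never claims part of an SSN.
PATTERNS = {
    "url": re.compile(r"https?://[^\s,;)]*[^\s,;).]"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}
# Dates: every element except the year must go, so a date collapses to its year.
US_DATE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")

# Policy for structured fields (field names are this example's assumption).
REMOVE = {"name", "ssn", "mrn", "health_plan_id", "account_number",
          "phone", "fax", "email", "device_serial",
          "emergency_contact_name"}   # identifiers of relatives/household members count too
YEAR_ONLY = {"dob", "admit_date", "discharge_date", "date_of_death"}
STATE_ONLY = {"address"}              # drop every subdivision smaller than a state


def year_only(value):
    """Reduce an ISO (YYYY-MM-DD) or US (MM/DD/YYYY) date string to its year."""
    m = re.search(r"\b(\d{4})\b", value)
    return m.group(1) if m else None


def scrub_text(text):
    """Redact inline identifiers in free text; returns (clean_text, kinds_found)."""
    found = []

    def redact(kind):
        def _sub(m):
            found.append(kind)
            return f"[{kind.upper()}]"
        return _sub

    for kind, pattern in PATTERNS.items():
        text = pattern.sub(redact(kind), text)

    def keep_year(m):
        found.append("date")
        return m.group(3)

    text = US_DATE.sub(keep_year, text)
    return text, found


def deidentify(record):
    """Apply the safe harbor policy to one record.

    Returns (deidentified_record, removed) where `removed` lists which
    identifiers were stripped so the action can be logged or audited.
    """
    out, removed = {}, []
    for field, value in record.items():
        if field in REMOVE:
            removed.append(field)                 # drop the field entirely
        elif field in YEAR_ONLY:
            out[field] = year_only(value)
            removed.append(field)
        elif field in STATE_ONLY:
            out[field] = {"state": value.get("state")}
            removed.append(field)
        elif isinstance(value, str):              # free text: scan for leaks
            out[field], hits = scrub_text(value)
            removed.extend(f"{field}:{h}" for h in hits)
        else:
            out[field] = value
    return out, removed


# Constructed sample record; every value is fictitious.
RECORD = {
    "name": "Jane Q. Doe",
    "dob": "1961-03-14",
    "ssn": "123-45-6789",
    "mrn": "MRN-00448812",
    "address": {"street": "12 Elm St", "city": "Springfield", "state": "OH", "zip": "45501"},
    "emergency_contact_name": "John Doe",
    "diagnosis": "Type 2 diabetes mellitus",
    "note": ("Pt seen 03/14/2024; daughter reachable at (555) 867-5309 or "
             "jane.doe@example.org. Portal login from 10.0.0.12, see "
             "https://portal.example.org/visit/9912. Prior SSN on file 123-45-6789."),
}

if __name__ == "__main__":
    clean, removed = deidentify(RECORD)
    print(clean)
    print("removed:", removed)
```

On the sample record the diagnosis survives (health information is not itself an identifier once the identifiers are gone), the date of birth collapses to 1961, the address collapses to the state, and the note comes back with its phone number, email address, IP address, URL and SSN replaced by placeholders and the visit date reduced to its year. Treat a scrubber like this as a screening aid and a source of audit records, not as proof of de-identification: names and free-form descriptions in narrative text are not caught by these regexes, and the safe harbor standard also requires that the entity have no actual knowledge that the remaining information could identify the individual.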

The Disclosures of PHI Permitted by the HIPAA Privacy Rule

The Privacy Rule distinguishes three categories of disclosure: required, permitted, and those requiring authorization. Required disclosures are those to an individual who exercises their right to access their PHI or to request an accounting of disclosures, and those to HHS when it is investigating or reviewing a Covered Entity's compliance.

Permitted disclosures of PHI include disclosures for treatment, payment, or health care operations, and disclosures for public interest and benefit activities. The latter include disclosures to law enforcement, reports of abuse or neglect, disclosures needed to comply with workers' compensation laws, and disclosures in response to a subpoena or other lawful process, each subject to the conditions the Privacy Rule attaches to it.

All other disclosures of PHI require authorization from the individual. In most circumstances, a written authorization must be obtained, documented, and retained. However, the Privacy Rule allows informal agreement, where the individual is given the opportunity to agree or object, for uses such as inclusion in a facility directory; and if the individual is incapacitated or otherwise unable to agree or object, a Covered Entity may use its professional judgment to decide whether the use or disclosure is in the individual's best interests.

The Importance of Understanding What PHI Stands For

The reason it is important to understand what PHI stands for is that the Privacy Rule contains a "Minimum Necessary Standard". This standard stipulates that a Covered Entity must make reasonable efforts to use, disclose, or request only the minimum amount of PHI needed to accomplish the intended purpose (the standard does not apply to disclosures to a health care provider for treatment, or to disclosures to the individual themselves). Failure to comply with this standard is one of the most common reasons for patient complaints to HHS' Office for Civil Rights.

After receiving a complaint, HHS' Office for Civil Rights investigates and may require the Covered Entity to review its policies and procedures or to comply with a corrective action plan. Where the Covered Entity is a repeat offender that has failed to correct previous violations, the Office for Civil Rights can also impose a civil monetary penalty.

Although in most cases Covered Entities will not be fined for violations of the Minimum Necessary Standard, reviewing policies and procedures (and retraining the workforce after a material change) and complying with a corrective action plan incur indirect costs and disrupt operations. For this reason, it is important to train the workforce on what PHI stands for and on when its use or disclosure is permitted under the HIPAA Privacy Rule.