What is considered PHI?

Any health information that can be identified to an individual and that is used, stored, transmitted or maintained by a covered entity (CE) is considered to be Private Health Information (PHI). CEs are bodies that are required to be HIPAA compliant, and include healthcare providers, health insurers and healthcare clearinghouses. Business Associates (BAs) of these organisations must also be HIPAA-compliant, and must therefore act to safeguard PHI.

Regardless of the form – whether it be physical files, electronic records or verbal communications – PHI must be protected in accordance with the HIPAA rules. This is irrespective of the age of the data: historical, current and future data relating to the patient (such as treatment plans or prognoses) are all protected. As well as information relating directly to the physical and mental health of the patient, PHI can include the individual’s family history and medical bills. All of this information can be linked back to an individual by “HIPAA Identifiers”: pieces of data that, if they are included in medical records, mean that the information counts as PHI.

The HIPAA Identifiers are as follows: 

  • Names (forename, middle names, surnames, married names etc.)
  • Dates, except years
  • Telephone numbers
  • Geographic data
  • FAX numbers
  • Social Security numbers
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers including license plates
  • Web URLs
  • Device identifiers and serial numbers
  • Internet protocol addresses
  • Full face photos and comparable images
  • Biometric identifiers (e.g. retinal scans, fingerprints)
  • Any unique identifying number or code

The presence of one of these identifiers is sufficient to turn data into PHI, meaning that it must be protected under HIPAA. The HIPAA Privacy Rule will then govern how the data is used and to whom it may be disclosed, whilst the Security Rule will lay out rules for how the PHI is stored, transmitted, and made available.

Perhaps surprisingly, there are exceptions to HIPAA’s definition of PHI. The primary reason why health data may not count as PHI is that it is not collected by a CE or BA. Personal health trackers provide a prime example. Such devices are increasingly popular, allowing individuals to monitor their own health outside of traditional healthcare settings. The devices provide tools ranging from step counts to sleep monitoring, and the data they collect contains enough identifiers that it would certainly count as PHI if recorded by a traditional healthcare provider. Crucially, however, it is not. Unless the service provider has entered a business agreement with a HIPAA CE or their BA, the data collected on these devices is not considered PHI and therefore is not protected by HIPAA.

HIPAA does not apply to employment or education records, so any data that companies or educational institutes may have relating to the health needs of their employees (allergy requirements, for instance) is not protected under HIPAA. Information used when making healthcare appointments is also not considered PHI; even though details such as names or phone numbers can clearly be associated with individuals, they are not associated with any health data at the time of making the appointment. 

Finally, data that was once considered PHI can be relegated to non-PHI if all identifiers are removed from the record. This process of “anonymization” means that the data cannot be traced back to an individual, and the de-identified PHI is no longer protected under HIPAA.

There is some confusion regarding the distinction between PHI and electronic PHI (ePHI). The latter term is specific to any patient information that is created, transmitted, used or stored electronically. Both types of data are protected by HIPAA’s Privacy Rule, though the Security Rule mainly relates to ePHI. 

HIPAA does not prevent PHI from being disclosed to other medical professionals when it pertains to the patient’s treatment. However, the disclosure should be made in a private setting, and the disclosing party should adhere to the Minimum Necessary Standard and only discuss information directly related to the patient’s care.

In most circumstances, patients must consent for their PHI to be shared with their employers, though this can depend on the nature of the transaction.