What is considered Protected Health Information under HIPAA?

In order to be HIPAA compliant, organisations must know what is considered Protected Health Information (PHI) under HIPAA. This is essential because anything that does come under the classification of PHI must be adequately safeguarded in accordance with the HIPAA Security and Privacy Rules. The former requires that the confidentiality, integrity, and availability of PHI are guaranteed, whilst the latter requires that the data is not shared or used inappropriately. 

Breaches of HIPAA law can incur large financial or criminal penalties, and ignorance is not a viable defence. Covered entities (CEs; that is, any organisation that must be HIPAA-compliant) must, therefore, be able to identify PHI. HIPAA has several criteria for data to be considered PHI: 

  • The information must relate to the past, current, or future health status of the patient.
  • The information must be individually-identifiable (i.e. contains at least one “identifier”, discussed below).
  • The data must be created, collected, stored, or transmitted by a covered entity.
  • The transaction for which it is used must relate to the patient’s healthcare (for example, its provision or payment), or to use in healthcare operations.

Regardless of the format of the information (i.e. whether it is verbal, physical or electronic), PHI is protected under HIPAA. Electronic PHI (ePHI) is a specific term used to refer to any PHI that is created, transmitted, or stored electronically. 

HIPAA only protects information pertaining to patients or members of health plans. Any information relating to educational or employment records, even if they are health-related or include individual identifiers, is not considered to be PHI under HIPAA. This includes any information that is held by CEs on their own employees. The information may, however, still be protected under other privacy laws. 

We have mentioned that health information must be “identifiable” for it to be considered PHI. These identifiers are pieces of data that can be linked to a specific individual. There are 18 identifiers, and the presence of any one means that the health information is considered PHI under HIPAA: 

  1. Names (Full or last name and initial)
  2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code, provided that, according to the current publicly available data from the U.S. Bureau of the Census, the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; where such a unit contains 20,000 or fewer people, the initial three digits are changed to 000
  3. Dates (other than year) directly related to an individual
  4. Phone Numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers (including serial numbers and license plate numbers)
  13. Device identifiers and serial numbers
  14. Web Uniform Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger, retinal and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

If these identifiers are removed (i.e. the information is “de-identified”), it is no longer considered PHI and the HIPAA Privacy Rule no longer applies.
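As an added example that is not part of the original article, the following Python applies the de-identification rules listed above to a constructed record: it drops the direct identifier fields, reduces dates to the year, applies the three-digit zip rule with the 000 substitution, and flags identifier-shaped strings left in free text for review. The field names, the set of sparsely populated zip prefixes and the sample record are all constructed for illustration.

```python
import re

# Constructed, illustrative set of three-digit zip prefixes whose combined area
# holds 20,000 or fewer people; a real deployment derives this from Census data.
SPARSE_ZIP3 = {"036", "059", "102"}

# Fields the identifier list removes outright (a subset of the 18 identifiers).
DIRECT_IDENTIFIER_FIELDS = {"name", "phone", "fax", "email", "ssn", "mrn",
                            "account_number", "ip_address", "url"}

# Identifier shapes that often hide in free text: SSN, phone number, email.
FREE_TEXT_PATTERNS = [re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
                      re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
                      re.compile(r"\S+@\S+\.\S+")]

def generalize_zip(zip_code, sparse_zip3=SPARSE_ZIP3):
    # Keep the first three digits, or 000 if that prefix is sparsely populated.
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None  # malformed zip: drop rather than guess
    return "000" if digits[:3] in sparse_zip3 else digits[:3]

def generalize_date(value):
    # Dates other than year are identifiers, so keep only the year (YYYY-MM-DD input).
    m = re.match(r"^(\d{4})-\d{2}-\d{2}$", str(value or ""))
    return int(m.group(1)) if m else None

def residual_identifiers(text):
    # Free-text fragments that look like identifiers and need manual review.
    return [m.group(0) for p in FREE_TEXT_PATTERNS for m in p.finditer(text or "")]

def safe_harbor_deidentify(record):
    # Returns (deidentified_record, leftovers); release only if leftovers is empty.
    out, leftovers = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field.endswith("_date"):
            out[field[:-5] + "_year"] = generalize_date(value)
        else:
            if isinstance(value, str):
                leftovers.extend(residual_identifiers(value))
            out[field] = value
    return out, leftovers

# Constructed sample record; not real patient data.
SAMPLE_RECORD = {"name": "Jane Doe", "ssn": "123-45-6789", "zip": "05901", "admit_date": "2023-04-17",
                 "diagnosis": "J18.9", "notes": "Follow-up call to 555-123-4567 arranged."}
```

The phone number surviving in the free-text note is why the function returns the leftovers list: structured-field rules alone do not make a record de-identified.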

Sometimes, there is “incidental” exposure of PHI. This may occur if, for example, a physician is invited to discuss a case with another healthcare employee, and they recognize a patient in the waiting room. Usually such incidental exposures cannot be prevented and are limited in scope. 

PHI can be confused with both Personally Identifiable Information (PII) and Individually-Identifiable Health Information (IIHI). PII only exists outside of a healthcare context, whilst IIHI is used within healthcare. PHI and IIHI are equivalent and HIPAA-protected, though PHI is the more commonly used term.

If data is considered to be PHI, the CE must safeguard it in a HIPAA-compliant manner. This may include physical (including locked offices), technical (such as firewalls and spam filters), and administrative safeguards (such as ensuring that only authorized individuals have access to the data). All employees should receive training in these protections.