In the context of the Health Insurance Portability and Accountability Act (HIPAA), PHI is an acronym for Protected Health Information – defined by the Privacy Rule as individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium – including written and oral.
However, not all individually identifiable health information is PHI. Health information is only protected if it relates to:
- An individual's past, present, or future physical or mental health or condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual.
Furthermore, the only organizations required to protect individually identifiable health information are health plans, healthcare clearinghouses, and healthcare providers that transmit PHI in electronic form in connection with a transaction covered by the “HIPAA Transactions and Code Sets Standard”. These organizations are collectively known as HIPAA Covered Entities.
Additionally, Business Associates of Covered Entities are required to protect individually identifiable health information, provided this is stipulated in a Business Associate Agreement between the Covered Entity and the Business Associate. If there is no Business Associate Agreement in place, or if an organization maintaining health information is not a Covered Entity, the Privacy Rule does not apply.
So, what is PHI?
Subject to the above conditions being met, health information should be protected if it contains one or more of the following identifiers which – individually or together – could identify an individual, or for which there is a reasonable basis to believe they could be used to identify an individual:
- Geographic data (smaller than a state)
- Dates (except year) directly related to an individual
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers including license plates
- Device identifiers and serial numbers
- Web URLs
- Internet Protocol (IP) addresses
- Biometric identifiers (e.g., fingerprints, retinal scans)
- Full face photographs and comparable images
- Any unique identifying number, characteristic, or code
It is important to note that PHI must be protected however it is created, maintained, or transmitted. Therefore, a screenshot of an individual's home address should be protected in the same way as a paper form on which the individual has written their home address, or an electronic record maintained in a password-protected database.
Required, Permitted, and Authorized Uses and Disclosures
Under the Privacy Rule, there are specific times when uses and disclosures are either required, permitted, or require the authorization of the individual who is the subject of the PHI (or their personal representative).
There are only two scenarios in which the disclosure of PHI is required – when access to PHI or an accounting of disclosures is requested by an individual, and when HHS is undertaking a compliance investigation, review, or enforcement action.
Uses and disclosures of PHI are permitted, but not required, for treatment, payment, and health care operations, and for public health and benefit activities – such as controlling disease, reporting child abuse, and complying with law enforcement activities.
All other uses and disclosures of PHI must be authorized by the individual – although there are some scenarios in which informal permission rather than express written authorization is sufficient – for example, to allow a pharmacist to dispense filled prescriptions to a person acting on behalf of a patient.
PHI and the Minimum Necessary Standard
For all permitted disclosures, a “Minimum Necessary Standard” applies. This standard stipulates that Covered Entities (and Business Associates where applicable) must only disclose the minimum amount of PHI necessary to accomplish the intended purpose of the use or disclosure.
This means that, when the Minimum Necessary Standard applies, a Covered Entity may not use, disclose, or request an individual's entire medical record for a particular purpose unless it can specifically justify the whole record as the amount reasonably needed for that purpose.
To avoid unintentional violations of HIPAA attributable to disclosing more than the minimum necessary, Covered Entities and Business Associates must develop and implement policies that limit permitted uses and disclosures to the minimum necessary, train members of the workforce on the HIPAA disclosure rules, and advise them of the sanctions for failing to comply with those policies and procedures.