What is PHI?

The term PHI normally refers to healthcare data, but what does PHI stand for, and what data falls under the definition of PHI?

What Does PHI Refer To?

PHI is an abbreviation of Protected Health Information. The term is used frequently in the Health Insurance Portability and Accountability Act (HIPAA) and associated legislation such as the Health Information Technology for Economic and Clinical Health Act (HITECH), and refers to any data linked to a patient, a patient’s healthcare or the payment for that healthcare that is created, received, stored, or transmitted by HIPAA-covered entities.

HIPAA-covered entities are usually healthcare suppliers, health plans, healthcare clearinghouses and their business associates or third-party service providers who have access to Protected Health Information. These organizations must implement safeguards against the unauthorized sharing, amendment or destruction of Protected Health Information as stipulated by the HIPAA Privacy Rule.

The Department of Health & Human Services' Office for Civil Rights has classified PHI as any Personal Identifying Information that – individually or linked together – could identify a specific individual, their past, present or future healthcare, or the type of payment. PHI does not include information in educational records, nor information that is maintained by healthcare organizations in their role as an employer.

Overall there are 18 different unique identifiers considered to be PHI:

PHI is no longer considered PHI when all eighteen unique identifiers are removed for marketing or research purposes. Nonetheless, the data is still considered “protected” under the 1981 Common Rule – an Act of Congress that stipulates the baseline standard of ethics to which any government-funded research in the US is held. Nearly all U.S. academic institutions hold their researchers to this standard of ethics regardless of funding.

The Difference Between PHI and ePHI

ePHI is an acronym of electronic Protected Health Information and refers to any PHI that is created, received, stored, or transmitted electronically by HIPAA-covered entities. Due to the ease with which electronically stored data can be accessed and sent to other parties, ePHI is subject to the HIPAA Security Rule as well as the HIPAA Privacy Rule. It is also subject to the HITECH Act when a healthcare provider is part of the Meaningful Use program.

The Security Rule mainly includes physical, technical and administrative safeguards to prevent unauthorized access to and disclosure of ePHI. These security measures should be carefully considered by HIPAA-covered entities, as the fines for a breach of the HIPAA Security Rule can be significant – in some cases even when there has been no unauthorized access to – or sharing of – PHI.

What is PHI in Medical Terms?

In HIPAA legislation, PHI stands for protected health information, but the term PHI is also often used in reference to patient health information or personal health information – any health information included in a medical file that relates to an individual and that has been created, received, used, or maintained by a HIPAA-covered entity for the purposes of providing healthcare services or payment for healthcare services.

PHI can also be a reference to private health insurance, permanent health insurance, public health informatics, a public health institute, and, in medical terms, the enzyme phosphohexose isomerase.