Protected health information (PHI) refers to data collected by healthcare professionals during medical visits. This information is used to identify the individual, diagnose them and make decisions on care. Alternatively, PHI can also stand for personal health information, but the definition remains the same.
What Are 5 Examples of PHI?
Any of the below pieces of information accompanied by health data is considered PHI.
- Name
- Address
- Dates related to an individual (birthdate, admission date, discharge date, death date and more)
- Phone numbers
- Social security number
Why Is PHI Important?
PHI is an essential concept due to the sensitivity of information classified as such. The types of data considered PHI include patient demographics (like age, gender, race and marital status), medical history of the patient and their family, test results, insurance information, current diagnoses and any additional information collected throughout a consultation or appointment.
If not adequately protected, this information can be improperly disclosed, putting the privacy of the patient’s health information at risk. For this reason, laws and regulations exist globally to ensure organizations that collect, process and store PHI do so in a way that protects the confidentiality, integrity and availability of the data.
How Is PHI Regulated and Protected?
Many laws and regulations exist globally to ensure the protection of PHI. Because an individual’s PHI may be processed or accessed by numerous people or systems at any given time, regulations that define appropriate levels of protection and enforce penalties for non-compliance are imperative to secure this data once it’s out of the individual’s control. While there are no shortage of privacy laws developed to protect PHI, two commonly known ones are HIPAA and GDPR.
HIPAA
In the United States, PHI is regulated and protected by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA defines privacy and security requirements for the collection, storage and sharing of PHI. These requirements include physical, administrative and technical controls to ensure PHI’s confidentiality and security.
An organization that collects and processes PHI may employ controlled physical access to areas where paper patient files are stored, publish a policy that defines expectations for PHI handling and implement standard levels of encryption for electronically processed PHI. These safeguards can be used to address physical, administrative and technical control requirements respectively.
It’s also worth mentioning that not all health information qualifies as PHI because HIPAA only applies to specific healthcare organizations and their business associates. This means healthcare data in employment records and education records aren’t covered by HIPAA, nor are de-identified health data or data collected by wearable technology.
GDPR
Another well-known regulation that exists to protect PHI is the European Union (EU) GDPR, which stands for General Data Protection Regulation. GDPR applies to all personal information of EU citizens, including PHI, and is based on seven key principles:
- Lawfulness, fairness and transparency: Collect information for good reason and be open with the individual regarding what is being collected and why.
- Purpose limitation: Use the data only for the specified reason(s) it was collected.
- Data minimization: Limit collection to only what’s required and nothing more.
- Accuracy: Ensure the correctness of the data collected and update it as necessary.
- Storage limitation: Follow the defined data retention periods to ensure data is only kept as long as it’s required.
- Integrity and confidentiality (security): Maintain the security of the data collected by proactively protecting it from unauthorized access or use.
- Accountability: Maintain records that show proof of compliance with GDPR rules.
What Is Considered PHI in HIPAA?
In the U.S., not all health information is considered PHI, so it’s important that forms and documents are categorized properly. As you may imagine, it’s essential for information processors to correctly identify what is PHI while also avoiding scenarios where information is improperly categorized as PHI.
To aid in determining what information is and isn’t considered PHI, HIPAA defines 18 identifiers that indicate PHI when accompanied by health information.
PHI According to HIPAA
- Name
- Address (all geographic divisions smaller than a state)
- Dates related to an individual (birthdate, admission date, discharge date, death date, etc.)
- Phone numbers
- Fax numbers
- Email address
- Social security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate or license number
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URL
- Internet Protocol (IP) Address
- Finger or voice print
- Photo (not limited to images of the face)
- Any other characteristic that could uniquely identify the individual
PHI and Healthcare Apps
Compliance with privacy laws and regulations isn’t only the concern of those handling the data, it also must be considered by those configuring the technology systems and applications that process PHI. Today, there are many applications used to collect, record and process medical data so it’s important that application developers understand how that impacts their work.
In terms of HIPAA, there are two aspects to consider to determine whether the app you’re developing may require compliance with HIPAA regulations:
- Will the app user be a covered entity (a healthcare organization or business associate)?
- Is the information that will be processed by the app considered PHI?
If the answer to both of those questions is yes, the application will likely need to comply with HIPAA. This means the application will need to be developed with appropriate physical, administrative and technical security controls in mind. Prior to beginning development, it’s important to spend time understanding how HIPAA requirements will impact the application design.
The development team must identify the required security controls, such as secure physical access to the back-end server and network infrastructure on which the app will be built. Developers also need to define standards for the data collection levels and storage time periods.
Finally, the team must also understand the types of administrative and technical controls that are relevant to HIPAA compliance, like incorporating click-through acceptable use, privacy or confidentiality agreements, utilizing secure authentication and data encryption methods, and implementing proper data retention
PHI vs. Non-PHI
Sometimes it can be difficult to understand whether a piece of information is or isn’t PHI. As healthcare technology has advanced, PHI is not only kept in medical records at a doctor’s office, but can traverse information systems via electronic health systems like MyChart. It’s important for both consumers and medical professionals to understand what is and isn’t PHI so both parties can validate the security and privacy of the data.
Examples of health data that is PHI:
- Scans of the body like CT, MRI and X-Ray
- Blood test and lab results
- Billing information from a medical office
- Mail, both physical and electronic, regarding prescriptions
- Heart rate readings accompanied by identifying information (name, account number and more)
- Blood sugar readings accompanied by identifying information
Examples of health data that is not PHI:
- Data collected by digital monitors, like calories burned or steps taken
- Heart rate readings without identifying information
- Blood sugar readings without identifying information
- Health information that has been de-identified and cannot be linked to an individual, such as lists of prescription medications that do not define a patient to whom they are prescribed