What Is PHI Under HIPAA & What Are The Identifiers Of It?


If you’ve ever been to a doctor’s office or hospital, you’ve probably heard the term “HIPAA”. Terms like HIPAA, PHI, and PII are thrown around, but what do they really mean? More importantly, why should they matter to you? If these questions are whirling in your mind, then you’re in the right place. In this article, we’ll demystify what PHI is, explain HIPAA and its role in healthcare, list the identifiers of PHI, and discuss why it’s essential to protect this information. Let’s get started.

What Is Considered PHI under HIPAA?

PHI, or Protected Health Information, is a key term under HIPAA. But what exactly does it refer to? In the most straightforward terms, PHI is individually identifiable health information that a HIPAA-covered entity (a health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically) or its business associate creates, receives, maintains, or transmits, in any form or medium: paper, electronic, or spoken. The identifying part doesn’t just include obvious data like a name or Social Security Number but also details that one might not immediately recognize as identifiable, such as a ZIP code, a device serial number, or an IP address.

So, when it comes to PHI under HIPAA, it’s essential to realize the breadth of information that falls under this category. It covers demographic information, medical histories, test results, insurance information, and other data that a healthcare professional collects to identify an individual and provide healthcare services.

What designates a piece of information as PHI is that a HIPAA-covered entity, or a business associate acting on its behalf, creates, receives, maintains, or transmits it, and that it identifies the individual or could reasonably be used to identify them. Additionally, the information must in some way relate to:

  • The individual’s past, present, or future physical or mental health or condition,
  • The provision of healthcare to the individual, or,
  • The past, present, or future payment for the provision of healthcare to the individual.

What Does PHI Under HIPAA Include?


PHI under HIPAA includes a wide range of information, and it isn’t restricted to just what’s in a patient’s medical records. The U.S. Department of Health & Human Services lists 18 identifiers that must be removed under the Privacy Rule’s “Safe Harbor” de-identification method (45 CFR 164.514(b)(2)); health information held by a covered entity or business associate that carries any of them is PHI. Here’s what those include:

  • Names (full name, surname, first or middle name, or initials derived from them).
  • All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and their equivalent geocodes), except the initial three digits of a ZIP code if, according to the current publicly available data from the Bureau of the Census:
    (1) The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
    (2) The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people are changed to 000.
  • All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, and date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
  • Phone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full-face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code, other than a re-identification code the covered entity assigns under 45 CFR 164.514(c), which must not be derived from information about the individual and whose mechanism must not be disclosed.

What is not PHI?

Though the realm of Protected Health Information (PHI) under HIPAA is vast, certain categories of data fall outside of its purview. Here’s what doesn’t count as PHI:

  • De-identified Information: Health information that has been de-identified under one of the Privacy Rule’s two methods doesn’t qualify as PHI. Under the Safe Harbor method, all 18 identifiers listed above are removed and the covered entity has no actual knowledge that the remaining information could identify the individual; under the Expert Determination method, a qualified statistician documents that the risk of re-identification is very small. De-identified data finds wide application in research, policy planning, and other fields without violating HIPAA, though it is only as good as the process that produced it: free-text notes and rare combinations of remaining attributes are the usual ways identifiers leak through.
  • Employment Records: If a healthcare provider or health plan maintains records in its capacity as an employer, these records don’t come under PHI. For instance, health data such as the results of a drug test or a worker’s compensation evaluation, held by the organization as an employer and used for employment decisions, is not PHI.
  • Education Records: Education records covered by the Family Educational Rights and Privacy Act (FERPA) are excluded from the definition of PHI. This covers records related to student health services provided by a school nurse, provided they are part of the student’s education record.
  • Health Data Held Outside Covered Entities: Health data that no HIPAA-covered entity or business associate creates, receives, maintains, or transmits is not PHI. For instance, health data generated by a consumer fitness tracker or a personal health record app and shared among friends typically doesn’t qualify as PHI, even though it is sensitive and may be regulated elsewhere.
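The identifier list above and the Safe Harbor bullet both describe a transform that is easy to get subtly wrong (the ZIP “000” rule, the over-89 age rule that also drops the birth year, and the 18th “any other code” category that no field list can catch). The following Python is an added worked example, not code from the original article or from HHS: it de-identifies a constructed patient record along those rules. Field names, the sample record, and the RESTRICTED_ZIP3 set are assumptions made for illustration; a real implementation must derive the restricted prefixes from current Census data.

```python
"""Safe Harbor de-identification of a constructed patient record.

Added example, not from the original article. Field names, the restricted
ZIP prefixes and the sample record are assumptions made for illustration.
"""
import copy
import re
from datetime import date

# Direct identifiers from the HHS list: removed entirely.
DIRECT_IDENTIFIERS = {
    "name", "ssn", "mrn", "phone", "fax", "email", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}
# Geography smaller than a state: removed, except the ZIP prefix handled below.
SUBSTATE_GEOGRAPHY = {"street", "city", "county"}
# Dates directly related to the individual: reduced to the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# ASSUMPTION: sample three-digit ZIP prefixes whose combined population is
# 20,000 or fewer and must therefore become 000. A real implementation must
# derive this set from current Census Bureau data.
RESTRICTED_ZIP3 = {"036", "059", "102", "203", "556", "692", "821", "893"}

# Patterns for identifiers that commonly leak through free-text fields.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\d{3}[-.\s])?\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or 000 for restricted/malformed values."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 5:
        return "000"  # fail closed on values that are not a real ZIP code
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(birth: date, as_of: date) -> int:
    """Completed years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def residual_identifiers(text: str) -> list:
    """Names of identifier kinds found in free text (empty list if clean)."""
    return [kind for kind, pat in RESIDUAL_PATTERNS.items() if pat.search(text)]


def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor view of record; the input is left untouched."""
    out = copy.deepcopy(record)
    for field in DIRECT_IDENTIFIERS | SUBSTATE_GEOGRAPHY:
        out.pop(field, None)
    if "zip" in out:
        out["zip3"] = generalize_zip(out.pop("zip"))
    # Age must be computed before the birth date loses its month and day.
    if "birth_date" in out:
        age = age_on(date.fromisoformat(out["birth_date"]), as_of)
        if age > 89:
            # Ages over 89, and any date element (year included) that reveals
            # such an age, collapse to one category.
            out["age"] = "90 or older"
            out.pop("birth_date")
        else:
            out["age"] = age
    for field in DATE_FIELDS:
        if field in out:
            out[field] = out[field][:4]  # year only
    # The 18th category ("any other unique identifying ... code") cannot be
    # handled by field name. Free text is scanned and withheld for review
    # rather than released with a leaked identifier.
    findings = residual_identifiers(out.get("notes", ""))
    if findings:
        out["notes"] = "WITHHELD_FOR_REVIEW"
    out["residual_findings"] = findings
    return out


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "mrn": "MRN-0042",
    "email": "jane@example.org",
    "phone": "555-0100",
    "street": "1 Example Way",
    "city": "Springfield",
    "zip": "03601",
    "birth_date": "1930-05-20",
    "admission_date": "2023-11-02",
    "discharge_date": "2023-11-07",
    "diagnosis_code": "E11.9",
    "notes": "Patient reachable at 555-0100 after discharge.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, date(2024, 1, 15)))
```

Two design points matter here. The age is computed before the birth date is truncated, and a result over 89 removes the birth date altogether, since even the year would reveal the age. The free-text scan is a backstop, not a de-identifier: it withholds the note for human review instead of trying to redact in place, because a regex that misses one pattern silently releases PHI.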

What is PHI vs PII?

While both PHI (Protected Health Information) and PII (Personally Identifiable Information) relate to personal data that needs protection, they are not the same and are subject to different regulations.

PHI, as discussed above, is health information linked to a specific individual and protected under HIPAA. What makes information PHI is who holds it: it is health data created, received, maintained, or transmitted by HIPAA-covered entities and their business associates. The same facts in the hands of an organization outside HIPAA’s scope are not PHI.

PII, however, is a broader term used across various industries. It represents any information that, by itself or with other details, can identify, contact, or locate a single person, or identify an individual in context. Some examples of PII can include a person’s name, social security number, email address, or phone number.

For example, if you were to fill out a form with your name and address at a retail store, that would be PII. But if you filled out the same form at your doctor’s office, it could be part of your medical record and would then be considered PHI.

So, a key distinction between PHI and PII is the specific regulatory protection each has. HIPAA and other healthcare-specific regulations protect PHI, while PII is protected by a patchwork of laws depending on who holds it and how it is used, such as the Privacy Act of 1974 for records held by federal agencies, the Gramm-Leach-Bliley Act for financial institutions, and state breach-notification and privacy laws.

How To Manage PHI

Here are some strategies and procedures that can help manage PHI effectively:

  • Staff Training: Regular training and awareness sessions should be held for all staff who handle PHI, and attendance should be recorded, since training is a required administrative safeguard.
  • Access Control: Not all staff members need access to all types of PHI. Implement a policy of minimum necessary access, ensuring that each staff member can only access the PHI they need to perform their job, and review those access rights whenever someone changes role or leaves.
  • Secure Storage: Whether it’s paper records or digital files, secure storage is crucial. For digital data, this means hardened servers and encryption at rest; physical records belong in areas with controlled, logged access.
  • Data Encryption: Encrypt PHI both at rest and in transit so that a lost laptop, a misrouted backup, or an intercepted connection doesn’t expose the data. Encryption that follows HHS guidance also matters for breach reporting: the Breach Notification Rule applies to “unsecured” PHI, so properly encrypted data whose key was not compromised is generally not a reportable breach.
  • Regular Audits: Regular audits can help identify vulnerabilities in your processes or systems. They also help ensure that staff are complying with procedures and that those procedures are working as they should; reviewing access logs for accounts that read far more records than their role requires is a common finding.
  • Data Backup: Regularly back up PHI to secure, encrypted storage that a compromise of the primary system cannot reach. This ensures that, in the event of a physical disaster or a ransomware attack, you can recover PHI without significant disruption to services.
  • Develop a Response Plan: Having an incident response plan in place can help limit the damage of a breach. The plan should outline how to contain the breach, assess the risk to the affected PHI, notify affected individuals (HIPAA requires notification without unreasonable delay and no later than 60 calendar days after discovery), notify HHS and, for larger breaches, the media, and review procedures to prevent future breaches.
  • Regular Updates and Patches: For systems that store or process e-PHI, it’s crucial to apply vendor security updates promptly and to track the devices (including medical devices) that cannot be patched, so they can be isolated.
  • Destruction Policies: When no longer needed, securely destroy PHI to ensure its complete and irretrievable elimination. This means cross-cut shredding for paper records and certified data destruction (cryptographic erasure, wiping, or physical destruction of media) for digital records.

HIPAA Security Rule to Protect PHI

The HIPAA Security Rule establishes administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (e-PHI): PHI that a covered entity or business associate creates, receives, maintains, or transmits in electronic form.

Here’s a breakdown of how these safeguards function:

  • Administrative Safeguards: These are the policies and procedures that show how the entity will comply with HIPAA. They cover the selection, development, implementation, and maintenance of security measures to protect e-PHI and the management of workforce conduct in relation to that information. Key activities include risk analysis and risk management, workforce security and information access management, security awareness training, security incident procedures, a contingency plan, periodic evaluation, and written contracts with business associates.
  • Physical Safeguards: These are the physical measures, policies, and procedures that protect electronic systems and the buildings and equipment that house them from natural and environmental hazards and unauthorized intrusion. They cover facility access controls, workstation use and workstation security, and device and media controls (how disks, laptops, and removable media holding e-PHI are tracked, reused, and disposed of).
  • Technical Safeguards: These are the technology, and the policies and procedures for its use, that protect e-PHI and control access to it. Access control ensures that only authorized users can reach e-PHI, through unique user identification, emergency access procedures, automatic logoff, and encryption. Audit controls are the hardware, software, and procedures that record and examine activity in systems containing e-PHI. Integrity controls protect e-PHI from improper alteration or destruction and provide a way to confirm it has not been changed. Person or entity authentication verifies that a user is who they claim to be, and transmission security guards e-PHI against interception or modification on the network.
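The access control, audit control, and integrity control safeguards above, together with the minimum-necessary and regular-audit items in the management section, come down to one mechanism: every read of e-PHI is authorized against a role, returns only the fields that role needs, and leaves a record that cannot later be quietly edited. The Python below is an added worked example, not code from the original article or from any HIPAA-certified product. Roles, field names, the sample record, and the audit key are assumptions; in production the key that protects the log would be held by a separate logging service or hardware security module, not by the application that writes the entries.

```python
"""Minimum-necessary access to e-PHI with a tamper-evident audit log.

Added example, not from the article and not any HIPAA-sanctioned library.
Roles, field names, the sample record and the audit key are assumptions.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# ASSUMPTION: each role is granted only the fields it needs for its job.
ROLE_FIELDS = {
    "billing": {"mrn", "health_plan_id", "account_number",
                "admission_date", "discharge_date"},
    "clinician": {"mrn", "name", "birth_date", "diagnosis_code", "notes",
                  "admission_date", "discharge_date"},
    "scheduler": {"mrn", "name", "phone"},
}

GENESIS = "00" * 32  # previous-MAC value carried by the first audit entry


class AuditLog:
    """Append-only log. Each entry's HMAC covers the entry and the previous
    entry's MAC, so editing, deleting or reordering entries breaks verify()."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []
        self._prev = GENESIS

    def _mac(self, body: dict) -> str:
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, event: dict) -> dict:
        body = {**event, "prev": self._prev}
        entry = {**body, "mac": self._mac(body)}
        self.entries.append(entry)
        self._prev = entry["mac"]
        return entry

    def verify(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body.get("prev") != prev:
                return False
            if not hmac.compare_digest(self._mac(body), entry["mac"]):
                return False
            prev = entry["mac"]
        return True


class PHIStore:
    """Serves field-level projections of records, logging every attempt."""

    def __init__(self, records: dict, audit: AuditLog):
        self._records = records
        self.audit = audit

    def read(self, user: str, role: str, mrn: str, fields) -> dict:
        requested = set(fields)
        denied = sorted(requested - ROLE_FIELDS.get(role, set()))
        found = mrn in self._records
        outcome = "allowed" if not denied and found else "denied"
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "mrn": mrn,
            "fields": sorted(requested), "denied_fields": denied,
            "outcome": outcome,
        })
        if denied:
            # Fail closed: an over-broad request is refused in full so the
            # caller and the audit trail see it, instead of a silent trim.
            raise PermissionError(f"{role} may not read {denied}")
        if not found:
            raise KeyError(mrn)
        record = self._records[mrn]
        return {f: record[f] for f in requested if f in record}


# Constructed sample e-PHI record; every value is fictional.
RECORD = {
    "mrn": "MRN-0042", "name": "Jane Q. Sample", "phone": "555-0100",
    "birth_date": "1930-05-20", "health_plan_id": "HP-77",
    "account_number": "AC-9", "admission_date": "2023-11-02",
    "discharge_date": "2023-11-07", "diagnosis_code": "E11.9",
    "notes": "Constructed note.",
}


def demo(key: bytes = b"assumed-audit-key") -> AuditLog:
    """One allowed read and one denied read; returns the resulting log."""
    audit = AuditLog(key)
    store = PHIStore({RECORD["mrn"]: RECORD}, audit)
    store.read("u-billing", "billing", "MRN-0042",
               ["account_number", "admission_date"])
    try:
        store.read("u-sched", "scheduler", "MRN-0042",
                   ["name", "diagnosis_code"])
    except PermissionError:
        pass
    return audit


if __name__ == "__main__":
    log = demo()
    for e in log.entries:
        print(e["outcome"], e["user"], e["fields"], e["denied_fields"])
    print("audit log intact:", log.verify())
```

Denied attempts are logged with the same rigor as successful ones; a scheduler account that repeatedly asks for diagnosis codes is exactly what the periodic audit should surface. The HMAC chain gives the integrity property the Security Rule asks for on the log itself: an attacker who can edit the stored entries but does not hold the key cannot rewrite a denial into an approval, or drop the entry, without verify() failing.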


In conclusion, it’s clear that understanding PHI in the context of HIPAA is paramount for all healthcare providers and any entity handling health-related data. The standards established by HIPAA serve to protect individuals’ identifiable health information, covering a broad spectrum of identifiers ranging from names to IP addresses.

However, we must remember that not all personal health-related information counts as PHI. There are specific conditions that define what PHI is. Ultimately, the goal is to balance the necessary exchange of information in healthcare with the need to respect and protect patient privacy.

If you are looking to implement any of the Infosec compliance frameworks such as SOC 2 compliance, HIPAA, ISO 27001, and GDPR compliance, Impanix can help. Book a Free consultation call with our experts or email us at [email protected] for inquiries.