What HIPAA ‘Protected Health Information’?

If you are employed in the healthcare sector or are thinking about doing business with healthcare clients that requires access to health data, you will need to be aware of what is thought of as protected health information under HIPAA legislation. The HIPAA Security Rule states that safeguards must be adapted to ensure the confidentiality, integrity, and availability of PHI, while the HIPAA Privacy Rule places restrictions on the uses and sharing of PHI.

if any of the provisions of the HIPAA Privacy and Security Rules are breached you may be financially sanctioned. There are even criminal penalties in relation to some HIPAA violations. Saying you were unaware of HIPAA law is not a valid defense should a violation take place.

Protected Health Information Definition

Under HIPAA legislation, protected health information is  thought of as individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, or transmitted, or maintained by a HIPAA-covered entity regarding the provision of healthcare, payment for healthcare services, or use in healthcare operations (PHI healthcare business uses).

Health information including diagnoses, treatment information, medical test results, and prescription information are thought of as protected health information under HIPAA, as are national identification numbers and demographic information including birth dates, gender, ethnicity, and contact and emergency contact data. PHI is linked to physical records, while ePHI is any PHI that is established, stored, transmitted, or obtained from a client electronically.

PHI only relates to any information specifically on patients or health plan members. It does not incorporate information contained in educational and employment records, that includes health information managed by a HIPAA covered entity in its capacity as an employer.

PHI is only thought of as PHI when a person could be identified from the information that is accessible or is accessed. If all identifiers are taken away from health data, it is no longer protected health information and the HIPAA Privacy Rule’s restrictions on uses and disclosures no longer apply.

What is classified as PHI?

PHI is any health information that can be linked to a specific individual, which under HIPAA means protected health information includes one or more of the 18 identifiers listed here. If these identifiers are taken away from the information is considered de-identified protected health information, which is not subject to the limitiations of the HIPAA Privacy Rule.

  1. Names (either full or last name and initial is valid)
  2. Every geographical identifier smaller than a state, aside from the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits includes over 20,000 people; and the initial three digits of a zip code for all such geographic units including 20,000 or fewer people is amended to 000
  3. Dates (other than year) directly linked to a person
  4. Fax contact numbers
  5. Email contact details
  6. Social Security information
  7. Medical record numbers
  8. Health insurance beneficiary identifying numbers
  9. Specific Account numbers
  10. Certificate/license details and data
  11. Specific vehicle identifiers such as serial numbers and license plate numbers)
  12. Identifiers and serial numbers for otehr devices
  13. Web addresses/Web Uniform Resource Locators (URLs)
  14. Internet Protocol (IP) details
  15. All biometric identifiers including finger, retinal and voice prints
  16. Complete face photographic images and any similar images
  17. Every other unique identifying number, characteristic, or code aside from the unique code assigned by the investigator to code the data

HIPAA Protected Health Information: Safeguarding Data

The HIPAA Security Rule states that all covered entities must secure data from reasonably anticipated threats to the security of PHI.  Covered entities must adapt safeguards to ensure the confidentiality, integrity, and availability of PHI, although HIPAA is not technology specific and the exact security measures that should be adapted are left to the discretion of the covered entity.

HIPAA necessitates physical, technical, and administrative safeguards to be established. Technologies such as encryption software and firewalls are taken into account under technical safeguards. Physical safeguards and security measures for PHI data include keeping physical records and electronic devices holding PHI under lock and key. Administrative and management safeguards include access controls to limit who can view PHI information and security awareness guidance.

HIPAA Violation Penalties

Most Common HIPAA Violations Causes