HIPAA legislation regards PHI as considered any identifiable health information that is used, managed, kept, or is sent by a HIPAA-covered body – a healthcare supplier, health plan or health insurer, or a healthcare clearinghouse – or a business associate of a HIPAA-covered body, in relation to the provision of healthcare or payment for healthcare products.
It is not only current and former health information that is referred to as PHI under HIPAA Rules, but also future information in relation to medical conditions or physical and mental health related to the supply of care or payment for care. PHI is health information in any guise, including physical records, electronic records, or spoken details.
Due to this, PHI incorporates health records, health records, lab test results, and medical bills. Basically, all health information is thought of as PHI when it includes individual identifiers. Demographic data is also considered PHI under HIPAA Rules, as are many common identifiers such as patient names, Social Security numbers, Driver’s license numbers, insurance information, and birth dates, when they are paired with health information.
The 18 identifiers that combine to make up health information PHI are:
- Dates, apart from year on its own
- Telephone contact details
- Location data
- FAX contact details
- Social Security information
- Medical history numbers
- Account details
- Health plan beneficiary numbers
- Certificate/license details
- Vehicle identifiers and serial numbers incorporating license plates
- Web Addresses and URLs
- Device identifiers and serial numbers
- IP addressses
- Full face photos and comparable pictures
- Biometric identifiers (i.e. retinal scan, record of fingerprints)
- All unique identifying numbers or code
One or more of these identifiers means that health information is PHI and PHI HIPAA Privacy Rule restrictions will then become relevant, which limit uses and disclosures of the information. HIPAA covered bodies and their business associates will also need to ensure appropriate technical, physical, and administrative security measures are in place to ensure the confidentiality, integrity, and availability of PHI, as stated in the HIPAA Security Rule.
When is PHI not Thought of as PHI?
There is a common misunderstanding that all health data is considered PHI under HIPAA, but there are some exceptions.
It depends who gathers the information. A good example would be health trackers – either physical devices worn on the body or applications on mobile phones. These devices can record health data such as heart rate or blood pressure, which would be though of as considered PHI under HIPAA Rules if the information was recorded by a healthcare supplier or was used by a health plan.
However, HIPAA only is relevant for HIPAA-covered bodies and their business associates, so if the device developer or app developer has not been contracted by a HIPAA -covered bodies and is a business associate, the information recorded would not be thought of as PHI under HIPAA.
The same applies to educational or employment histories. A hospital may hold data on its staff, which can include some health information – allergies or blood type for instance – but HIPAA does not apply to employment records, and neither education records.
Under HIPAA PHI is longer to be regarded as PHI if it is stripped of all identifiers that can link the information to a person. If the above identifiers are taken away the health information is referred to as de-identified PHI. For de-identified PHI HIPAA Rules are no longer applicable.