PHI is a term commonly used in relation to health data, but how is PHI defined, and what information does the definition cover?
What is PHI Defined As?
PHI is an abbreviation of Protected Health Information. The term is used in the Health Insurance Portability and Accountability Act (HIPAA) and associated legislation, including the Health Information Technology for Economic and Clinical Health Act (HITECH), and refers to any data about a patient, a patient's healthcare, or the payment for that healthcare that is created, received, stored, or sent by HIPAA-covered groups.
HIPAA-covered groups are mostly healthcare providers, health plans, healthcare clearinghouses and their business associates or third-party service suppliers who have access to Protected Health Information. These groups must implement measures to protect against the unauthorized disclosure, amendment or deletion of Protected Health Information as stipulated by the HIPAA Privacy Rule.
The Department of Health & Human Services' Office for Civil Rights (OCR) has defined PHI as any Personal Identifying Information that, individually or in combination, could identify a specific individual, their past, present or future healthcare, or the method of payment. PHI does not include information contained in education records, nor information that is maintained by healthcare groups in their capacity as an employer.
In total, 18 categories of identifiers are treated as PHI:
- Names & Identity
- Geographic & location data
- All elements of dates
- Telephone contact details
- FAX contact details
- Email address information
- Social Security data
- Medical record identifiers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license information
- Vehicle identifiers and serial numbers including license plates
- Device identifiers and serial numbers
- Website addresses
- IP address details
- Biometric identifiers (e.g. retinal scans, fingerprints)
- Full face pictures and comparable images
- Any other unique identifying number, characteristic or code
PHI is no longer PHI when it is stripped of all 18 unique identifiers for marketing or research purposes. Regardless, the data is still treated as "protected" under the 1981 Common Rule, an Act of Congress that sets the baseline standard of ethics under which any government-funded research in the US is conducted. Nearly all U.S. academic institutions hold their researchers to this standard of ethics regardless of how they are financed.
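As an added example (not part of the original article), the following Python script scans a free-text clinical note for the identifier categories from the list above that can be recognised by their shape alone, reports which categories are still present, and tells you whether the note passes that check before it is released for research. It assumes US-format values, uses constructed fictional sample notes, and deliberately leaves out categories such as names, locations and biometrics that cannot be found with simple patterns.

```python
import re

# Added example: regex checks for the Safe Harbor identifier categories that
# can be recognised by shape alone in free-text notes. Assumes US-format
# values. Names, locations, biometrics and similar categories need
# structured fields or NLP and are not covered here.
PATTERNS = {
    "Social Security data": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Telephone/FAX contact details":
        re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "Email address information": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IP address details": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Website addresses":
        re.compile(r"\bhttps?://[^\s.,;]+(?:\.[^\s.,;]+)*", re.I),
    "All elements of dates":
        re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b"),
    "Medical record identifiers": re.compile(r"\bMRN[:#\s]*\d{4,}\b", re.I),
}

def find_identifiers(text):
    """Return {category: [matched strings]} for each category present."""
    found = {}
    for category, pattern in PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[category] = hits
    return found

def is_safe_harbor_clean(text):
    """True only when none of the pattern-detectable identifiers remain."""
    return not find_identifiers(text)

# Constructed sample notes with fictional values (not real patient data).
NOTE = ("Pt seen 03/14/2023, MRN 8841209. Call 555-867-5309 or fax "
        "(555) 201-4477. Email jdoe@example.org; portal "
        "https://portal.example.org/p/1. Telehealth from 203.0.113.7. "
        "SSN 123-45-6789 on file.")
SCRUBBED = "Pt seen for follow-up; telehealth session completed without issue."

if __name__ == "__main__":
    for category, hits in find_identifiers(NOTE).items():
        print(f"{category}: {hits}")
    print("scrubbed note clean:", is_safe_harbor_clean(SCRUBBED))
```

A clean result from this check is necessary but not sufficient: a reviewer still has to confirm the categories the patterns cannot see.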
The Variance Between PHI and ePHI
ePHI is an abbreviation of electronic Protected Health Information and relates to any PHI that is created, received, saved, or transmitted electronically by HIPAA-covered groups. Because electronically stored data can be obtained and shared so easily, ePHI is subject to the HIPAA Security Rule as well as the HIPAA Privacy Rule. It is also subject to the HITECH Act when a healthcare provider takes part in the Meaningful Use program.
The Security Rule primarily consists of physical, technical and administrative safeguards to prevent unauthorized access to and disclosure of ePHI. These safeguards should be studied carefully by HIPAA-covered groups, as the fines for a breach of the HIPAA Security Rule can be significant, in some instances even when there has been no unauthorized access to, or disclosure of, PHI.
What Does PHI Mean in Relation to Medical Treatment?
In HIPAA, PHI refers to protected health information, but the term is also commonly used to mean patient health information or personal health information: any health information in a medical record that relates to an individual and that has been created, received, used, or is managed by a HIPAA-covered entity for the purpose of providing healthcare services or payment for those services.
PHI may also be used to refer to private health insurance, permanent health insurance, public health informatics, a public health institute, and, in medicine, the enzyme phosphohexose isomerase.