PHI is an acronym for Protected Health Information – individually identifiable health information transmitted or maintained in a designated record set by a HIPAA Covered Entity or a Business Associate, PLUS any information that could be used to identify the subject of the PHI.
To fully appreciate the above explanation of what PHI stands for in HIPAA, a few terms may need clarifying. For example, what is individually identifiable health information? What is a designated record set? What other information could be used to identify the subject of the PHI, and is this information also classified as PHI?
Starting with the first question, the General Administrative Requirements of HIPAA define individually identifiable health information as “Information […] collected from an individual […] that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care; and that identifies the individual or […] can be used to identify the individual.”
Individually identifiable health information is maintained in a designated record set – a group of records, typically including medical and billing records, that is used in whole or in part to make eligibility, treatment, and payment decisions about the individual. Healthcare providers and health plans can maintain multiple record sets about each patient or plan member, and it is possible for a designated record set to consist of a single item.
More about PHI and Designated Record Sets
All information maintained in a designated record set is subject to the standards of the Privacy and Security Rules. This means that if any other information included in a designated record set is not health-related, it assumes the same privacy and security protections as if it were health-related. Consequently, names, phone numbers, and addresses maintained in a designated record set are classified as PHI, even though they would not be if they were maintained separately.
In terms of what non-health related information could be included in a designated record set, many sources refer to the “18 HIPAA identifiers” in §164.514 that have to be removed before health information is considered anonymized and no longer subject to the standards of the Privacy and Security Rules. However, this list is more than twenty years old and there are now many more ways in which it is possible to identify the subject of a designated record set.
Additionally, it is important to note that any non-health identifiers not included in a designated record set are not PHI. For example, if a hospice maintained a database consisting solely of the names and telephone numbers of patients' next of kin, the information in the database is not PHI under HIPAA because it does not contain health information. However, it is possible that the information is protected by other state or federal privacy laws, so it is always best to check.