Protected health information – or PHI – is often referred to when discussing HIPAA and healthcare, but what does it actually cover?
What is Referred to as Protected Health Information Under HIPAA Law?
If you are employed in healthcare, or are thinking about working with healthcare clients in a role that requires access to health data, you will need to know what is referred to as protected health information under HIPAA legislation. The HIPAA Security Rule requires that security measures be put in place to ensure the confidentiality, integrity, and availability of PHI, while the HIPAA Privacy Rule places restrictions on the uses and disclosures of PHI.
Breach any of the provisions in the HIPAA Privacy and Security Rules and you could be hit with a financial penalty or even criminal penalties. Saying that you were not aware of HIPAA law is not a valid defense.
Under HIPAA, protected health information is defined as individually identifiable information that relates to the health status of a person or the provision of healthcare, or individually identifiable information that is created, collected, or sent by a HIPAA-covered entity in relation to payment for healthcare.
Health information including diagnoses, treatment information, medical test results, and prescription data is considered protected health information under HIPAA, as are national identification numbers and demographic details including dates of birth, gender, ethnicity, and contact and emergency contact data. PHI refers to physical records, while ePHI is any PHI that is created, stored, transmitted, or received digitally.
PHI only refers to data on patients or health plan subscribers. It does not include information held in educational and employment records.
Health information is only PHI when a person could be identified from the data. If all identifiers are removed from health data, it is no longer protected health information and the HIPAA Privacy Rule’s restrictions on uses and disclosures no longer apply.
List of PHI Patient Identifier Data Elements
PHI is any type of health information that includes these 18 identifiers. If these identifiers are removed, the information is considered to be de-identified protected health information, which is not subject to HIPAA Rules.
- Patient Names (Full or last name and initial)
- All geographical or location identifiers smaller than a state, apart from the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by putting together all zip codes with the same three initial digits includes over 20,000 people; and the initial three digits of a zip code for all such geographic units including 20,000 or fewer people is changed to 000
- Specific Dates (other than year) directly related to an individual
- Contact Phone Numbers
- Contact Fax numbers
- Personal or Work Email addresses
- Patient Social Security numbers
- Medical record numbers that refer to patients
- Beneficiary numbers for health insurance
- Patient Account numbers
- License/certificate numbers
- Vehicle identifiers, including specific serial numbers and patient license plate numbers
- Computer/device identifiers and serial numbers
- Internet URLs (Uniform Resource Locators)
- IP Addresses
- Finger, retinal and voice prints and all biometric identifiers
- Full facial photo images and any comparable graphics
- All other unique identifying numbers, characteristics, or code apart from the unique code given by the investigator to code the data
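The zip code and date rules in the list above can be applied mechanically. The following Python sketch is an added example, not part of the original article: the field names, the sample record, and the population figures are constructed for illustration, and real population figures must come from current U.S. Bureau of the Census data.

```python
import re

# Constructed sample: population of each 3-digit zip prefix. Real values
# must come from current U.S. Bureau of the Census data.
ZIP3_POPULATION = {"100": 1_500_000, "036": 14_000}

# Hypothetical field names for identifiers that are removed outright.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_no",
    "account_no", "license_no", "vehicle_id", "device_id", "url",
    "ip_address", "biometric", "photo", "street", "city", "county",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}


def generalize_zip(zip_code):
    """Keep the first three digits only if that area has over 20,000 people."""
    digits = re.sub(r"\D", "", str(zip_code))
    if len(digits) < 5:
        return "000"  # malformed input: fail closed
    prefix = digits[:3]
    # Unknown prefixes are treated as small areas (fail closed).
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"


def generalize_date(value):
    """Reduce an ISO date (YYYY-MM-DD) to its year; drop anything else."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", str(value))
    return m.group(1) if m else None


def deidentify(record):
    """Return a copy of record with listed identifiers removed or generalized."""
    out = {}
    for field, value in record.items():
        key = field.lower()
        if key in DIRECT_IDENTIFIERS:
            continue  # drop the identifier entirely
        if key == "zip":
            out[field] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[field] = generalize_date(value)
        else:
            out[field] = value
    return out


# Constructed sample record.
SAMPLE = {"name": "Jane Roe", "ssn": "000-00-0000", "zip": "03601",
          "birth_date": "1980-04-12", "email": "jane@example.com",
          "diagnosis": "J45.909"}
```

A field-based filter like this does not inspect free-text fields such as clinical notes, which can contain any of the listed identifiers and need separate handling.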
How Must You Protect Health Information?
The HIPAA Security Rule requires covered entities to safeguard against reasonably anticipated dangers to the security of PHI. Covered entities must put in place safeguards to ensure the confidentiality, integrity, and availability of PHI, although HIPAA is not technology specific and the precise safeguards that should be put in place are left to the discretion of the covered entity.
HIPAA requires physical, technical, and administrative safeguards to be put in place. Technical safeguards include technologies such as encryption software and firewalls. Physical safeguards include keeping physical records and electronic devices containing PHI under lock and key. Administrative security measures include access controls to restrict who has access to PHI and security awareness classes.