Terms such as PHI and PII are often mentioned in healthcare, but what do they refer to and what details do they include?
PHI is an abbreviation of Protected Health Information, while PII is an acronym of Personally Identifiable Information. Before describing these terms, it is important to first explain what is meant by health information, of which protected health information is part.
Health information is information that refers to the provision of healthcare or payment for healthcare services and that is provided by a healthcare provider, public health authority, healthcare clearinghouse, health plan, business associate of a HIPAA-covered entity, or a school/university or staff member.
Health information covers previous, current, and future health conditions, or physical/mental health, related to the provision of healthcare services or payment for those treatments.
Personally identifiable information (PII) or individually identifiable health information (IIHI) refers to any health information that allows the patient to be identified. For instance, a health diagnosis such as asthma is PII when it includes an identifier that links the information to an individual patient, or when there is a reasonable basis to believe the information could be used to identify a patient.
What is Thought of as PHI?
Protected health information is individually identifiable health information that is held in electronic form, electronically transmitted by a HIPAA-covered entity or a business associate of a HIPAA-covered entity, or transmitted and maintained in any form, including films, charts, and other paper documents. PHI applies to HIPAA-covered entities, but does not include education records or employment histories.
So what is thought of as PHI by HIPAA? Health records such as EHR/EMRs, lab test results, health histories, diagnoses, treatment details, insurance data and lists of allergies are all considered PHI, as are unique identifiers and demographic specifics. If information is created, implemented, or shared by a HIPAA-covered entity in the course of providing care to an individual, or is used in connection with payment for care, it is thought of as PHI and is subject to strict controls over its allowable uses and disclosures.
Permissible Uses and Disclosures of PHI
The HIPAA Privacy Rule states the permissible uses and disclosures of PHI. HIPAA-covered entities are only allowed to share PHI for the purposes of treatment or for healthcare operations without first obtaining authorizations to share the information from patients. The definitions of treatment and healthcare operations are located in 45 CFR 164.501.
Getting Copies of PHI
The HIPAA Privacy Rule also allows patients to obtain copies of the PHI managed by a covered entity. In such cases, a request must be made to the covered entity to supply copies of PHI that is stored in a designated record set. The designated record set will include information that is used by the covered entity for the provision of treatment or payment of care; information that is saved and used by a covered entity to make decisions about a patient or for enrollment, payment, claims adjudication, or health plans; and data in case or medical management record systems.