Exploring PHI in HIPAA: What Does it Mean?

Vimal Mohan


Jan 29, 2024

What is PHI in HIPAA

Protected Health Information (PHI) is any personal or medical information that can be used to identify a patient or their medical history. Attributes like Age, Name, Medical history, geographical location, insurance information, test results, 

The Health Insurance Portability and Accountability Act (HIPAA) also classifies as PHI any attributes that describe mental health conditions, pharmaceutical transactions, and any information about a patient’s past, present, or possible future health. All of the attributes mentioned above, whether in paper or electronic form, are considered PHI.

These are only a few of the attributes tagged as PHI; there are many others. In this article, we discuss in detail what is considered PHI, what does not count as PHI, and tips for managing it.

What is considered PHI as per HIPAA rules?

HIPAA identifies 18 attributes as PHI. Most of these attributes can identify a patient on their own, but some only identify an individual when used in combination.


Here are the 18 attributes:

1) Name

2) Phone Number

3) Dates (admission date, discharge date, appointment date etc.)

4) Fax details

5) email ID

6) SSN (Social Security Number)

7) MRN (Medical Record Number)

8) HPBN (Health Plan Beneficiary Number)

9) Medical Certificates

10) License details

11) VIN (Vehicle Identification Number)

12) Identifiers in Medical devices (Pacemaker)

13) Website URLs

14) IP Address

15) Biometrics (Fingerprint)

16) Full-face photographs or images with differentiators (facial scars, moles etc.)

17) Any other unique identifiers

18) Address (if it has information on the city, street, and house number)


What is not considered PHI?

Any information shared with covered entities or business associates that does not contain personal health information is not considered PHI.

For example, a urine sample sent to a hospital without patient details is not considered PHI.

Health information qualifies as PHI only when it is linked to personally identifiable information (PII) and is shared with covered entities or business associates.

Examples of PHI

Any information that can be used to identify a patient is an example of PHI, and any of the 18 attributes listed above is a clear example. What do those attributes look like in practice?

Here are a few examples:

  • Address: Any address more specific than the patient’s state is PHI
  • Medical records: Any medical record with diagnosis codes for terminal and non-terminal diseases
  • Notes and other extra information that the staff of medical service providers add to patient records
  • Hospital bills
  • Health insurance information

How is PHI handled or managed?

The process of storing PHI in hospital records starts early for individuals. For instance, any baby born in a hospital is registered, and their personal information is added to the central medical repositories. Attributes like name, gender, age, height, weight, blood group, etc., are added. 

As the patient grows and visits hospitals for any medical assistance, the details of the visits are cataloged to help the next healthcare personnel get the context of the patient’s medical records. Details of allergies (if any) and more sensitive information like this could help the medical staff make informed decisions in critical scenarios.

Medical researchers and clinical scientists use PHI (without accessing the identifiers) to analyze patient data and identify health trends. These trends are also used to create programs designed to incentivize healthcare providers to deliver better care.
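As an added example (not the article’s or Sprinto’s own code), here is a Python check that applies the 18-identifier list above to a patient record: it reports which identifier categories a record carries and produces a copy with those identifiers removed, the kind of de-identified record the research use described above relies on. The field names, regexes and sample values are assumptions, not anything HIPAA prescribes.

```python
import re
from typing import Any

# Assumed mapping of record field names to the identifier categories listed
# in this article; a real schema will use different field names.
FIELD_CATEGORIES = {
    "name": "name", "phone": "phone_number", "fax": "fax", "email": "email",
    "ssn": "ssn", "mrn": "mrn", "health_plan_id": "hpbn", "license": "license",
    "vin": "vin", "device_serial": "device_id", "url": "url", "ip": "ip_address",
    "fingerprint": "biometric", "photo": "photo", "street_address": "address",
    "dob": "date", "admission_date": "date", "discharge_date": "date",
}

# Identifiers that commonly leak inside free-text fields such as clinical notes.
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_number": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

def find_identifiers(record: dict[str, Any]) -> dict[str, list[str]]:
    """Map each identifier category found to the record fields that carry it."""
    hits: dict[str, list[str]] = {}
    for field, value in record.items():
        if value in (None, ""):
            continue
        if field in FIELD_CATEGORIES:            # identifier by field name
            hits.setdefault(FIELD_CATEGORIES[field], []).append(field)
        elif isinstance(value, str):             # identifier hidden in text
            for category, pattern in TEXT_PATTERNS.items():
                if pattern.search(value):
                    hits.setdefault(category, []).append(field)
    return hits

def deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Drop identifier fields and mask identifier patterns inside free text."""
    clean: dict[str, Any] = {}
    for field, value in record.items():
        if field in FIELD_CATEGORIES:
            continue
        if isinstance(value, str):
            for category, pattern in TEXT_PATTERNS.items():
                value = pattern.sub(f"[{category.upper()}]", value)
        clean[field] = value
    return clean

# Constructed sample record with fictitious values.
SAMPLE = {"name": "Jane Example", "mrn": "MRN-000001", "dob": "03/14/1980",
          "state": "CA", "diagnosis_code": "E11.9",
          "note": "Pt called from 555-123-4567; follow up on 4/2/2024."}
```

Running `find_identifiers(deidentify(SAMPLE))` on the sample returns an empty result, while the state and diagnosis code survive, matching the article’s point that state-level location and diagnosis data alone are not identifiers.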


What is the difference between PHI and ePHI?

The significant difference between PHI and ePHI (electronic PHI) is the format in which the PHI is stored, processed, or transmitted. Any identifiable information shared or used by HIPAA-covered entities in physical form is called PHI.

Pro-tip:

HIPAA-covered entities should implement controls and policies to restrict access to physical patient data records.

ePHI has the same attributes as PHI. However, unlike PHI, ePHI is stored in electronic form, and covered entities and business associates should implement encryption protocols and train their staff on the best cybersecurity practices.

How can Sprinto help organizations secure their PHI and ePHI?

Sprinto is purpose-built to help organizations become HIPAA compliant regardless of the type of PHI they process. Sprinto enables organizations to set up the processes and policies required to secure it.

Organizations also leverage Sprinto’s built-in training modules to equip their internal teams with the latest cybersecurity best practices for protecting data against bad actors.


FAQs


What are the 3 types of PHI?

PHI is often used in its physical form, i.e., printouts, physical reports, and medical logs. It is also used in digital form, where the information is saved in a computer-generated, computer-readable format, and lastly in oral form, when it is shared verbally among medical practitioners and medical service providers.

What are considered PHI identifiers?

Any information used to identify the patient can be considered a PHI identifier. The most commonly used identifiers are name, phone number, SSN, date of birth, medical certificates, license information, vehicle registration details, etc.

Vimal Mohan


Vimal is a Content Lead at Sprinto who masterfully simplifies the world of compliance for everyday folks. When not decoding complex framework requirements and compliance speak, you can find him at the local MMA dojo, exploring trails on his cycle, or hiking. He blends regulatory wisdom with an adventurous spirit, navigating both worlds with effortless expertise.
