
What Is PHI in HIPAA: 18 Identifiers With Examples (2024)

Sep 21, 2024

Protected Health Information (PHI) is any personal or medical information that can be used to identify a patient or their medical history. HIPAA's Privacy Rule sets the standards for how covered entities may use and transmit PHI while protecting patients' privacy.

The Health Insurance Portability and Accountability Act (HIPAA) also classifies as PHI any attributes that describe mental health conditions, pharmaceutical transactions, or any information about a patient's past, present, or future health. Any attribute of a personal health record, whether in paper or electronic form, is considered PHI.

These are only a few of the attributes tagged as PHI; there are many others. In this article, we discuss in detail what is considered HIPAA-protected health information, what data does not qualify as PHI, and tips for managing it.

What is PHI? (Protected health information)

Protected Health Information (PHI) refers to any data, such as treatment details, insurance information, billing data, or health records associated with an individual. It also includes identifiers such as IP addresses, email addresses, phone numbers, Social Security numbers, license numbers, and biometric data that can directly identify the individual.

HIPAA-protected health information is also referred to as “Individually identifiable health information” and includes information relating to:

  • The individual’s physical or mental health condition at any time (past, present, or future)
  • The medical care provided to the individual
  • The payments made for the individual’s health care (past, present, or future)

The Privacy Rule of HIPAA provides guidelines on how PHI is to be used, stored, or transmitted by the covered entities while protecting the privacy rights of individuals.

What is considered PHI as per HIPAA rules?

HIPAA identifies 18 attributes as PHI. Most of these attributes can identify a patient on their own; some identify an individual only when combined with others.

Here are the 18 attributes:

1) Name

2) Phone Number

3) Dates (admission date, discharge date, appointment date etc.)

4) Fax details

5) Email ID

6) SSN (Social Security Number)

7) MRN (Medical Record Number)

8) HPBN (Health Plan Beneficiary Number)

9) Medical Certificates

10) License details

11) VIN (Vehicle Identification Number)

12) Identifiers in Medical devices (Pacemaker)

13) Website URLs

14) IP Address

15) Biometrics (Fingerprint)

16) Full-face photographs or images with differentiators (facial scars, moles etc.)

17) Any other unique identifiers

18) Address (if it has information on the city, street, and house number)
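The list above is a classification rule, and in practice the question a security engineer gets asked is "does this record still contain any of the 18 identifiers?" The following Python script is an added example, not code from the original article or from Sprinto, and it is not a product: it scans a constructed patient record field by field, flags values that fall into one of the identifier categories (either by field name or by a recognizable pattern in free text), and emits a de-identified copy. It goes slightly beyond the article's list by applying two details of the HIPAA Safe Harbor de-identification method: dates are reduced to the year, and ages over 89 are reported as "90+". The field names, regular expressions and sample record are all assumptions made for the example.

```python
import re
from typing import Any

# Regular expressions for the identifier categories that have a recognizable
# shape in free text. Constructed for this example; adjust the formats to the
# data you actually hold. Dates are listed first so that their digits are
# generalized to a year before the phone-number pattern can see them.
TEXT_PATTERNS = [
    ("date", re.compile(r"(?<!\d)(\d{4})-(\d{2})-(\d{2})(?!\d)")),
    ("ssn", re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")),
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("ip_address", re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")),
    ("url", re.compile(r"https?://[^\s,;]+")),
    ("mrn", re.compile(r"\bMRN[ -]?\d{6,}\b", re.IGNORECASE)),
    ("phone_or_fax", re.compile(
        r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
]

# Fields whose name alone marks them as one of the 18 identifiers: names,
# addresses, plan and license numbers, vehicle and device IDs, photos,
# biometrics. Hypothetical field names chosen for this example.
DIRECT_IDENTIFIER_FIELDS = {
    "name": "name",
    "address": "address",
    "health_plan_id": "health_plan_beneficiary_number",
    "license_no": "certificate_or_license_number",
    "vin": "vehicle_identifier",
    "device_serial": "device_identifier",
    "photo_ref": "full_face_photo",
    "fingerprint_hash": "biometric",
}


def scrub_text(text: str) -> tuple[str, list[str]]:
    """Replace identifier-shaped substrings in free text.

    Dates keep only the year (permitted under Safe Harbor); every other
    category is replaced by a labelled placeholder. Returns the scrubbed
    text and the list of categories that were found.
    """
    found: list[str] = []

    def _year_only(m: re.Match) -> str:
        found.append("date")
        return m.group(1)

    text = TEXT_PATTERNS[0][1].sub(_year_only, text)
    for category, pattern in TEXT_PATTERNS[1:]:
        def _redact(m: re.Match, category: str = category) -> str:
            found.append(category)
            return f"[REDACTED:{category}]"
        text = pattern.sub(_redact, text)
    return text, found


def deidentify_record(record: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Return a de-identified copy of the record plus 'field:category' findings."""
    clean: dict[str, Any] = {}
    findings: list[str] = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            category = DIRECT_IDENTIFIER_FIELDS[field]
            findings.append(f"{field}:{category}")
            clean[field] = f"[REDACTED:{category}]"
        elif field == "age" and isinstance(value, int) and value > 89:
            # Safe Harbor: ages over 89 are aggregated into a single "90+" bucket.
            findings.append("age:over_89")
            clean[field] = "90+"
        elif isinstance(value, str):
            scrubbed, categories = scrub_text(value)
            findings.extend(f"{field}:{c}" for c in categories)
            clean[field] = scrubbed
        else:
            clean[field] = value
    return clean, findings


# Constructed sample record; every value here is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "dob": "1931-05-02",
    "age": 93,
    "phone": "(555) 123-4567",
    "notes": "Seen 2024-03-14, follow up via jane@example.com from 10.0.0.5; MRN 00123456 on file.",
    "diagnosis": "Type 2 diabetes",
}

if __name__ == "__main__":
    cleaned, report = deidentify_record(SAMPLE_RECORD)
    for k, v in cleaned.items():
        print(f"{k:10} {v}")
    print("findings:", report)
```

Two limitations are worth noting. Pattern matching only catches identifiers that have a shape (numbers, addresses on the network); a patient's name or street address buried in a free-text note has no shape, so fields like "notes" still need a name dictionary or a trained entity recognizer before they can be released. And the "diagnosis" field survives untouched because a diagnosis is not one of the 18 identifiers, which is exactly the point of de-identification: the clinical content remains useful once the identifiers are gone.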


What is not considered PHI?

Any information shared with covered entities or business associates that does not contain personal health information is not considered PHI.

For example, a urine sample sent to a hospital without any patient details is not considered HIPAA-protected health information.

Personally Identifiable Information (PII) qualifies as PHI only when it is shared with covered entities or business associates.

Examples of PHI

Any information that can be used to identify a patient is an example of PHI. Any of the 18 attributes mentioned above are perfect examples. How do those attributes look in real life? 

Here are a few examples:

  • Address: any address more specific than the patient's state is PHI
  • Medical records: any medical record with diagnosis codes for terminal and non-terminal diseases
  • Notes and other extra information that staff of medical service providers add to patient records
  • Hospital bills
  • Health insurance information

How is PHI handled or managed?

The process of storing PHI in hospital records starts early for individuals. For instance, any baby born in a hospital is registered, and their personal information is added to the central medical repositories. Attributes like name, gender, age, height, weight, blood group, etc., are added. 

As the patient grows and visits hospitals for any medical assistance, the details of the visits are cataloged to help the next healthcare personnel get the context of the patient’s medical records. Details of allergies (if any) and more sensitive information like this could help the medical staff make informed decisions in critical scenarios.

Medical researchers and clinical scientists use PHI (without access to the identifiers) to analyze patient data and identify health trends. These trends are also used to create programs that incentivize healthcare providers to deliver better care.


What is the difference between PHI and ePHI?

The significant difference between PHI and ePHI (electronic PHI) is the format in which the PHI is stored, processed, or transmitted. Any identifiable information shared or used by HIPAA-covered entities in physical form is called PHI.

Pro-tip:

HIPAA-covered entities should implement controls and policies to restrict access to physical patient data records.

ePHI has the same attributes as PHI. However, unlike PHI, ePHI is stored in electronic form, and covered entities and business associates should implement encryption protocols and train their staff on the best cybersecurity practices.

How can Sprinto help organizations secure their PHI and ePHI?

Sprinto is purpose-built to help organizations become HIPAA compliant regardless of the type of PHI they process. Sprinto enables organizations to set up the processes and policies required to enable security.

Organizations also leverage Sprinto’s built-in training modules to boost their internal teams with the latest cybersecurity best practices for securing data from bad actor instances.


FAQs

How many elements of information are identified as PHI?

HIPAA identifies 18 elements of information as PHI, also called HIPAA identifiers. These include past medical records, names, phone numbers, email addresses, or any other record that can relate to a specific person. 

What format of records is considered as PHI by HIPAA?

HIPAA considers any record format as PHI, including (but not limited to) written, oral, or electronic information. This also covers physical or digital images of health information, such as charts, graphs, and diagrams.

What is PHI used for?

Protected Health Information (PHI) is used to identify and manage an individual’s health care records, facilitate treatment, coordinate care, and process payments for health services. It should be done while ensuring privacy and confidentiality in compliance with HIPAA requirements.

What are the 3 types of PHI?

PHI is often used in physical form, i.e., printouts, physical reports, and medical logs. It is also used in digital form, where the information is saved in a computer-generated, computer-readable format, and lastly it is shared orally among medical practitioners and medical service providers.

What are considered PHI identifiers?

Any information used to identify the patient can be considered a PHI identifier. The most commonly used identifiers are name, phone number, SSN, date of birth, medical certificates, license information, vehicle registration details, etc.

Vimal Mohan

Vimal is a Content Lead at Sprinto who masterfully simplifies the world of compliance for every day folks. When not decoding complex framework requirements and compliance speak, you can find him at the local MMA dojo, exploring trails on his cycle, or hiking. He blends regulatory wisdom with an adventurous spirit, navigating both worlds with effortless expertise
