What Is Protected Health Information (PHI)?
Section 1. Defining PHI
What is Protected Health Information? The privacy rule under HIPAA defines PHI as:
"Individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral".
PHI is a broad term that includes any past, present or future information regarding evaluation, treatment, or medical services in which there is personally identifiable information on file. This includes mental and physical health services, as well as laboratory and complementary health services. Also included in this definition is any payment information related to past, present, or future medical services.
Basically, if there is the ability to personally identify the patient based on information stored or transmitted in the above situations, this qualifies as PHI.
The following items can be used to identify the patient and are therefore classified as PHI:
- Date of Birth
- Admission and discharge dates
- Phone number
- Street address, zip code, or county
- Email address
- Social security number
- Birth certificate number
- Drivers license number
- Medical records number
- Treatment dates and lists of services rendered
In addition to the above, PHI includes any single item of information in which it is reasonably or explicitly possible to identify the patient. Under the privacy rule, safeguards must be in place to prohibit unauthorized use of PHI and limited access by employees of the covered entity based on a need-to-know basis.
Section 2. De-identified Health Information
Health information that has been de-identified can be freely shared and is not subject to HIPAA regulation. De-identified means that there is no longer any information that could reasonably be used to identify the patient. This can be done by removing the personally identifiable information, including information about other members of the patient's family. This includes unique information, such as insurance identification numbers, as well as information about the patient's employer, recent medical services rendered, or medications prescribed.
It is up to the covered entity to certify that PHI has been sufficiently de-identified and to maintain strict controls around the access and transmission of personally identifiable information. There are two specific means of de-identifying PHI, according to HIPAA standards:
- HIPAA's "safe harbor" standard states that PHI is considered de-identified if all of the unique identifiers above have been removed, and there is no reasonable basis to believe that the remaining information could be used to identify a person.
In order to link records or transactions to specific individuals in the absence of personally identifying information, the covered entity will usually assign an alphanumeric code to the patient record, which does not identify the patient to outside entities, but can be matched up with personal patient data for internal uses approved by HIPAA.
- The "statistical" standard requires examination of the data by a statistician or individual qualified to evaluate the likelihood of that the available information could be reasonably used to identify the patient. The statistician must document the process for evaluating the data and certify that the information on its own, or combined with other data, has a low likelihood of identifying the patient.
Section 3. Examples of PHI in Use
When an individual visits a medical facility, they fill out intake forms which include a notice of the facilities privacy practices under HIPAA. The patient must sign a form authorizing the facility to use their personal information in order to perform services and submit bills for services rendered.
Some of the ways in which protected health information may be used after it is obtained include the following:
Scenario 1 - When you visit your physician, there is often information obtained by a nurse, physician, or dietitian that is added to your patient record. The information is personal to you and it may be possible to identify you based on the information provided, either on its own, or in conjunction with other information. This personal information will be used to evaluate your condition and develop a treatment plan if necessary. There may be numerous individuals in the office with access to the data, however they are considered covered entities as they are participants in your treatment and care.
Also, your doctor may correspond with other health care providers outside of his office regarding your treatment. This can include specialists, laboratory personnel, and your health plan. However, this is permissible, as the privacy rule allows standard communications regarding patient information between two covered entities.
Scenario 3 – A medical practice must conduct periodic reviews of patient records in order to ensure that the best possible care is being administered by the facility. Reviews of medical records, as well as physician diagnosis and treatment plans and eventual outcomes, may be conducted in an effort to evaluate medical staff and the overall level of care.
In this scenario, the reviews conform to HIPAA privacy standards, as they are carried out by employees of the facility -- a covered entity. This type of role is usually assigned to a quality manager or senior doctor, which further minimizes the misuse of personal health information.
Food for Thought
Do you think the list of items that qualify as PHI is exhaustive enough? What else might be added?
The HIPAA privacy rule goes to great lengths to ensure the reduction of fraud and abuse through regulating the use of personally identifiable health information. Covered entities must ensure compliance with privacy rule standards, or ensure that the information has been de-identified before transmitting to other parties.