What is Considered to be Protected Health Information?

What is Considered to be Protected Health Information?

Protected Health Information, also known as PHI, is protected under HIPAA Law, which requires the implementation of safeguards to ensure the integrity, confidentiality, and availability of PHI, while complying with the HIPAA Privacy Rule. The Privacy Rule puts limits on the disclosures and uses of PHI. There are serious financial penalizations and criminal penalties for violations of any of the provisions of the HIPAA Privacy and Security Rules; and claiming ignorance of the rules is not considered to be a valid defense.

PHI Defined

PHI is a short term for a broad group of protected health information. PHI is any information that is considered as individually identifiable that relates to health status of past, present, and future that is created, collected, or transmitted, or maintained by a HIPAA-covered entity as it relates to the provision of healthcare, healthcare services payments, or use in healthcare operations (PHI healthcare business uses).

PHI health information such as treatment information, diagnosis, results of medical tests, and prescription information are considered as protected health information under HIPAA, as well as the national identification numbers, demographic information such as gender, birth dates, ethnicity, and contact information for emergencies. PHI relates to physical records, while ePHI is any PHI that is electronically stored, created, transmitted, or received.

PHI only relates to patient information or health plan members and doesn’t include such data that is contained in employment records and education. This includes any health information that is maintained by a HIPAA covered entity that acts as an employer.

18 Identifiers of PHI:

Health information that be tied to an individual, which, under HIPAA means protected health information includes one or more of the following eighteen identifiers. If/when the identifiers are removed the information is reclassified as de-identified protected health information and is not subject to the HIPAA Privacy Rule restrictions:

1. Names (Full or last name and initial)
2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
3. Dates (other than year) directly related to an individual
4. Phone Numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health insurance beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers (including serial numbers and license plate numbers)
13. Device identifiers and serial numbers;
14. Web Uniform Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger, retinal and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

Previous and Next Pages

Parent page – Safety & Compliance Training