The safeguarding of Protected Health Information is one of the central tenets of the Health Insurance Portability and Accountability Act of 1996. But what is PHI? What are examples of Protected Health Information?
The HIPAA Privacy Rule (finalized in 2000 and amended in 2002) defines Protected Health Information as individually identifiable health information: any information relating to the provision of healthcare, or payment for it, that can be used to identify the patient in question. The information can be written, spoken, or electronic, and must relate to a past, present, or future physical or mental health condition, the treatment of that condition, or payment for that treatment.
Crucially, the data must be created, received, maintained, or transmitted by a HIPAA Covered Entity or one of its Business Associates. Covered Entities are health plans, healthcare providers, and healthcare clearinghouses, while Business Associates are third parties that handle PHI on a Covered Entity's behalf under a Business Associate Agreement (BAA).
This means that health data collected by a consumer wearable or fitness app, for example, is not PHI, because the company that makes the device is not a Covered Entity. The same data becomes PHI only if the developer is acting under a BAA with a Covered Entity (for instance, if a hospital commissioned the app), or once the patient hands it to a Covered Entity, which then holds it as part of the patient's record.
But how is PHI different from other health data? What are examples of Protected Health Information specifically? One of the key details we mentioned about PHI is that it is individually identifiable. That is, it contains one or more of the 18 HIPAA identifiers, which means that the patient in question could be traced. The HIPAA identifiers are as follows:
- Names
- Address (all geographic subdivisions smaller than a state, including street address, city, county, and zip code)
- All elements (except years) of dates directly related to an individual (including birthdate, admission date, discharge date, date of death, and any age over 89, including any date element that would reveal such an age)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security Numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URLs
- Internet Protocol (IP) addresses
- Biometric identifiers, including finger and voice prints
- Full-face photographs and any comparable images
- Any other unique identifying number, characteristic, or code
The presence of any of these identifiers, however "generic" it looks, makes health information PHI. That means the email address email@example.com is just as protected as firstname.lastname@example.org. Even though the first ostensibly contains no identifying information, tracing the owner of an address is rarely difficult. Besides, deciding how "generic" a given piece of data is would be impractical and highly subjective, so the rule does not attempt it.
It is, however, possible to remove all 18 HIPAA identifiers and de-identify the PHI (what the Privacy Rule calls the "Safe Harbor" method); once de-identified, the information is no longer subject to HIPAA. Two caveats apply. Safe Harbor also requires that the Covered Entity has no actual knowledge that the remaining information could be used, alone or in combination with other data, to identify the individual. And the alternative route, "Expert Determination", does not strip the identifiers mechanically but relies on a qualified expert documenting that the risk of re-identification is very small.
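The following is an added illustration of the Safe Harbor approach described above, written for this article and not taken from any HIPAA guidance or real product. It scrubs a hypothetical flat patient record: the field names, the sample record, the reference date, and the regexes are all this example's own assumptions. Two simplifications are deliberate: zip codes are dropped entirely (the rule actually permits the first three digits when the area has more than 20,000 residents), and free-text scrubbing uses regexes only, which catch numeric identifiers but not names. The interesting edge case is the patient over 89: the age collapses into a "90+" bucket and the birth year is removed as well, because the year alone would reveal the age.

```python
import re
from datetime import date

# Keys of a hypothetical flat EHR export that hold direct identifiers.
# The key names are assumptions for this example, not HIPAA-defined fields.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "zip", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account_no", "license_no", "plate",
    "device_serial", "url", "ip", "voiceprint_id", "photo_ref",
}
# Date-valued keys: only the year survives. For "dob" even the year is dropped
# when it would reveal an age over 89 (handled in deidentify()).
DATE_FIELDS = {"dob", "admitted", "discharged", "date_of_death"}

ISO_DATE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")

# Identifiers that commonly leak into free-text notes. The patterns are
# deliberately broad: a false positive costs a token, a miss discloses PHI.
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    (re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\bMRN\s*[:#]?\s*\d+\b", re.IGNORECASE), "[MRN]"),
]


def age_on(dob: date, ref: date) -> int:
    """Whole years between dob and ref (one less if the birthday is still ahead)."""
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))


def scrub_text(text: str) -> str:
    """Replace identifier patterns in free text; ISO dates collapse to their year."""
    text = ISO_DATE.sub(lambda m: m.group(1), text)
    for pattern, token in TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify(record: dict, ref: date) -> dict:
    """Apply the Safe Harbor rules to one record and return a new dict."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key == "age":
            continue                                   # dropped outright / set below
        if key in DATE_FIELDS:
            out[key] = str(date.fromisoformat(value).year)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    # Recompute age from the full date of birth rather than trusting the field.
    age = record.get("age")
    if "dob" in record:
        age = age_on(date.fromisoformat(record["dob"]), ref)
    if age is not None:
        if age > 89:
            out["age"] = "90+"                         # single bucket for 90 and over
            out.pop("dob", None)                       # birth year alone would reveal it
        else:
            out["age"] = age
    return out


# Constructed sample record (fictional patient, not real data).
SAMPLE = {
    "name": "Jane Q. Doe",
    "street": "12 Elm St", "city": "Springfield", "county": "Greene",
    "state": "MO", "zip": "65801",
    "dob": "1931-02-10", "admitted": "2024-03-15", "discharged": "2024-03-20",
    "mrn": "00123456", "ssn": "123-45-6789", "phone": "555-123-4567",
    "email": "jane.doe@example.org",
    "diagnosis": "Type 2 diabetes mellitus",
    "note": "Pt reached at 555-123-4567, MRN 00123456; seen 2024-03-15 from 10.0.0.7.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE, date(2024, 3, 15)))
```

Run against the sample, only the state, the admission and discharge years, the diagnosis, the scrubbed note, and the age bucket "90+" remain. Note what the regex pass would not catch: a name written into the note, an unusual phone format, or a date spelled out in words. A production pipeline layers named-entity recognition and human review on top of rules like these, and the "no actual knowledge" condition still has to be met for the result to count as de-identified.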
But what types of information, when combined with these identifiers, are examples of PHI? Everything from MRI scans and x-rays to prescriptions, diagnoses, bills, and health insurance premiums is PHI, so long as it meets the definition outlined in this article.