
Protected Health Information: Everything You Need to Know About PHI

To anyone running a healthcare practice, understanding Protected Health Information (PHI) is of the utmost importance. HIPAA regulates the handling of PHI, with fines imposed for HIPAA violations. Beyond being monetarily costly, HIPAA violations can damage a practice’s reputation and patient trust. And the first step to avoiding HIPAA violations is, of course, knowing what PHI is.

In this post, we’ll explain what PHI is, what the storing, transmitting, and maintenance of PHI means for your practice, and much more on the subject.

What is PHI in Healthcare?


PHI is individually identifiable health information protected by the Health Insurance Portability and Accountability Act (HIPAA). PHI relates to the contents of a patient’s health record—charts, lab results, health history, and more—as well as personal information identifiable to them.

Information is PHI when it is created, received, maintained, used, or disclosed by a HIPAA-covered entity (or its business associate) in the course of providing care, or in connection with payment and healthcare operations. This includes using the information for healthcare payment processing, invoicing, and payment posting.

What does PHI stand for?

PHI stands for “protected health information.” Many people assume PHI stands for “personal health information,” but the distinction matters: not all personal health information is protected. HIPAA protects only health information that meets the conditions below.

In order for health data to be considered PHI, and for it to be regulated by HIPAA, it needs to be:

  1. Information about an individual’s health, care, or payment for care that identifies the individual, or could reasonably be used to identify them
  2. Created, received, used, or disclosed by a HIPAA-covered entity or its business associate in the course of treatment, payment, or healthcare operations

Protected Health Information Examples

So, what is PHI by HIPAA regulations? Examples of protected health information include:

  • Films
  • Charts
  • Paper records
  • Medications
  • EHR/EMRs
  • Lab test results
  • An MRI scan
  • Blood test results
  • Health histories
  • Diagnoses
  • Treatment information
  • Insurance information
  • Allergies

The types of personal information covered include:

  • Unique identifiers
  • Demographic information
  • Billing information
  • Emails to your doctor’s office
  • Prescription refill information
  • Appointment scheduling
  • Phone records

Protected health information includes

HIPAA-covered entities may use and disclose a patient’s PHI without the patient’s authorization for treatment, payment, and healthcare operations. Most other uses and disclosures (marketing, sale of PHI, or sharing with a third party that is not involved in the patient’s care) require the patient’s written authorization first.

As a rule of thumb, any information that relates to a person’s health and identifies that person becomes PHI once a covered entity or business associate handles it. In practice, this means email records, lab results, and bills usually make up PHI. Note that a verbal conversation or a recording that includes any identifying information is also PHI; the protection attaches to the information, not to the medium.

The Difference Between Protected Health Information and Consumer Health Information

For some developers, determining whether an application collects PHI is critical to determining if HIPAA compliance requirements need to be met. So, how do you know if you’re dealing with protected health information or consumer health information?

Protected health information does not include

Some examples of data not considered PHI are:

  • Health information like steps in a pedometer, calories burned, etc.
  • Blood sugar readings (without usernames/PII)
  • Heart rate readings (without usernames/PII)
  • Biometric data collected on local devices only
  • Education records
  • Employment records
  • A HIPAA covered entity’s own employee records

The reason that most consumer health trackers and applications do not need to be HIPAA compliant is that their developers are neither covered entities nor business associates: the data stays with the consumer and the developer and is not transmitted to, or handled on behalf of, a HIPAA-covered entity.

However, if you wanted to share health information collected by a tracker with your doctor—many are able to do this now—it would fall under HIPAA.

What is ePHI?

In our modern world, the vast majority of patient information is stored, transmitted, and/or maintained in an electronic form and is covered by HIPAA. ePHI is simply protected health information in electronic form, whether stored locally or in the cloud. Any PHI stored or transmitted via desktop, web, mobile, wearable, or other technology, including email and text messages, is ePHI and falls under the HIPAA Security Rule.

This includes individually identifiable health information created, maintained, or transmitted by mobile (mHealth) and electronic (eHealth) devices. Therefore, when people talk about PHI today, they’re almost always referring to ePHI records. People use these terms interchangeably.

Difference between PII, PHI and IIHI

There are a few differences in terms that are worth noting, however. For example, healthcare workers commonly refer to PII and IIHI. What do these terms mean?


While PHI is an acronym of protected health information, PII is an acronym of “personally identifiable information,” a general term for any data that identifies a person (name, Social Security number, email address, and so on), regardless of whether it has anything to do with health. Individually identifiable health information (IIHI) is the HIPAA term for health information that identifies the patient, or could reasonably be used to identify them, whether or not a covered entity holds it.

Only when the two come together does it qualify as PHI. For example, when a health diagnosis, like high blood pressure, is combined with an identifier that links or can link the information back to a specific patient, and a covered entity or business associate holds it, it becomes protected under HIPAA and is considered PHI. (HIPAA excludes education records and employment records held by a covered entity in its role as employer, even though they may contain IIHI.)

What Are Covered Entities Under HIPAA?

A HIPAA-covered entity is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with standard transactions such as claims and eligibility checks. According to the U.S. Department of Health & Human Services (HHS), covered entities include:

  • Healthcare Providers including doctor’s offices, dental offices, clinics, psychologists, nursing homes, pharmacies, hospitals or home healthcare agencies
  • Healthcare Clearinghouses acting as the go-between for healthcare providers and insurance companies, for example by converting claims into standard electronic formats
  • Health Plans including health insurance companies, HMOs, PPOs, Medicare, and Medicaid
  • Government programs that pay for healthcare
  • Employer-sponsored group health plans and student healthcare plans

All covered entities using PHI as part of their patient care must be HIPAA compliant. Additionally, business associates of covered entities, meaning vendors and contractors that create, receive, maintain, or transmit PHI on the covered entity’s behalf, must also comply with HIPAA and must sign a Business Associate Agreement (BAA) with the covered entity.

Here are some examples of business associates that need to comply with HIPAA standards:

  • Data processing firms or software companies exposed to or using PHI
  • Medical equipment service companies handling equipment that holds PHI
  • Shredding and/or documentation storage companies
  • Consultants
  • Auditors
  • External auditors or accountants
  • Professional translation services
  • Answering services
  • Accreditation agencies
  • ePrescribing services
  • Medical transcription services
  • Attorneys

By comparison, the following are not business associates:

  • The covered entity’s own employees/workforce
  • Contractors, associates, or utilities with limited exposure to records, such as a telephone company, plumber, etc.
  • Companies that act as a conduit for PHI, such as the postal service, UPS, private couriers, etc.

Protected Health Information Misconceptions

There are some enduring misconceptions about HIPAA and PHI on both the patient and the administrative side of healthcare services that can cause confusion. Be aware that:

  • HIPAA doesn’t protect all health information; it protects PHI held by covered entities and business associates
  • There is no way to opt out of HIPAA compliance requirements
  • There is no general “safe harbor” that excuses a covered entity from compliance (the term does appear in HIPAA for the Safe Harbor de-identification method and for encrypted PHI under the breach notification rule, but neither is an exemption from the rules)
  • Not signing a Business Associate Agreement doesn’t absolve a vendor of the HIPAA-compliance provisions; a business associate is defined by what it does with PHI, not by the paperwork
  • Not every improper disclosure of PHI qualifies as a breach; the covered entity must assess the risk that the PHI was compromised
  • A patient’s written authorization to release data must adhere to certain requirements
  • HIPAA does not set a retention period for medical records themselves (state law does); it does require HIPAA compliance documentation, such as policies and risk assessments, to be retained for six years
  • Health information can be subject to state laws and/or employer restrictions outside of HIPAA
  • There is some confusion around health information recorded in consumer apps and trackers, such as heart rate data, when the data include personal identifiers. HIPAA doesn’t always cover the data collected by these apps and trackers, because the developer is often neither a covered entity nor a business associate.

PHI Healthcare Apps

Sometimes classified as business associates of HIPAA-covered entities, application developers that collect or allow users to input health data walk a fine line between covered and not covered by HIPAA. So, app developers need to evaluate the types of information they collect, and on whose behalf they collect it, very carefully.

If your application collects any PHI, whether by design or not, it must be HIPAA compliant. You cannot simply declare that the intent wasn’t to collect or store PHI on the application. A HIPAA-compliant hosting environment is one way to help meet the physical safeguards of the law, but the Security Rule requires administrative, physical, and technical safeguards, so hosting alone does not make an application compliant [1].

Is the information collected by apps and wearable technology considered PHI?

Personal health information collected or stored by the manufacturer of a product or the developer of an app does not constitute PHI, as long as the manufacturer or developer is not collecting it on behalf of a covered entity. But if a healthcare organization collects this same data, or the developer handles it for a healthcare organization, then it becomes PHI.

Wearable devices with biometric feedback and/or health-tracking software that collect health information, but do not share it with a covered entity, do not need to be HIPAA compliant. However, the trend in mobile health data collection leans toward sharing health data with healthcare providers, and once the data reaches a provider it is PHI by definition.

PHI and HIPAA

Why all the trouble and fuss? Someone’s personal health information can be used against them in several ways. Blackmail, cybercrime, black market medications, and identity theft, including medical identity theft, could all result from data breaches caused by HIPAA noncompliance.

Any suspected violation comes under careful scrutiny. The consequences include hefty fines, mandatory corrective action plans, and, for knowing misuse of PHI, criminal penalties.

How HIPAA compliance can help prevent PHI data breaches


The cost of a data breach, as well as PHI leaking outside the organization for malicious and illegal purposes, can devastate an organization. There’s no room for error or noncompliance. The responsibility lies with each organization to accurately train their teams.

Regular training courses for healthcare teams are essential. Look to learning and development programs, exams and certifications, and the HIPAA training materials published by HHS [1].

When are you allowed to share HIPAA-covered information?

HIPAA’s strict policies and PHI’s “protected” status make it seem as if PHI may never be used, shared, or transmitted. But it’s quite the contrary. A covered entity is legally required to disclose PHI when:

  • A patient requests access to their own information
  • The Department of Health and Human Services requests information in the course of a compliance investigation

And a covered entity is permitted to use or disclose PHI without the patient’s authorization when, among other cases:

  • It is used by the covered entity for its own treatment, payment, and healthcare operations
  • A public health authority such as the CDC needs it to prevent or control disease, for example when a patient is infected with or exposed to an infectious disease [2]

De-identifying data

Analyzing data can result in incredibly useful findings, especially in healthcare. Should an organization wish to use PHI for statistics, for example, it first needs to de-identify the PHI. Meaning, the data used must have all identifiers removed so that it can no longer be linked to an individual. HIPAA recognizes two ways to do this: the Safe Harbor method, which removes a fixed list of eighteen identifier types (names, geographic detail smaller than a state, dates other than the year, ages over 89, phone and fax numbers, email addresses, Social Security and medical record numbers, account and device identifiers, IP addresses, biometrics, full-face photos, and any other unique identifying number or code), and Expert Determination, in which a qualified expert documents that the re-identification risk is very small. After that point, it’s no longer PHI, so it’s safe and permissible to use.
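As an added example, not code from the original post, the following Python implements the Safe Harbor approach described above on a structured record: direct identifiers are dropped, dates are reduced to the year, ages over 89 (and the birth year that would reveal them) are aggregated into a 90+ bucket, and ZIP codes are truncated to three digits, with the three-digit prefixes that HHS guidance lists as covering 20,000 people or fewer reported as 000. The field names, the sample records, and the decision to drop free-text notes outright are assumptions made for the example; the list of restricted ZIP prefixes is taken from HHS guidance based on the 2000 Census. A post-check scans the output for identifier patterns that survived, which is the kind of control a practitioner wants before releasing a data set.

```python
"""Safe Harbor style de-identification of patient records (added example).

Field names and sample records are assumptions for illustration, not the
schema of any particular EHR or the page's own data.
"""
import re
from datetime import date

# Fields holding direct identifiers: removed outright (assumed field names).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "mrn", "ssn", "phone", "fax", "email", "account_no",
    "health_plan_id", "license_no", "vehicle_id", "device_serial", "url",
    "ip_address", "biometric", "photo",
}
# Free text cannot be reliably de-identified by pattern matching; drop it.
FREE_TEXT_FIELDS = {"note"}
# Date fields: Safe Harbor keeps only the year.
DATE_FIELDS = {"dob", "visit_date", "admit_date", "discharge_date"}

# Three-digit ZIP prefixes covering <= 20,000 people (HHS guidance, 2000
# Census). Safe Harbor requires these to be reported as "000".
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Patterns used by the post-check to catch identifiers left in string values.
_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}

# Constructed sample input (not real patients) and a fixed reference date.
AS_OF = date(2022, 1, 18)
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "mrn": "MRN-0001234", "dob": "1931-04-12",
     "zip": "02139", "phone": "617-555-0100", "email": "jane.doe@example.com",
     "diagnosis": "I10 essential hypertension", "visit_date": "2022-01-18",
     "note": "Pt called from 617-555-0100 re: refill."},
    {"name": "John Roe", "mrn": "MRN-0005678", "dob": "1985-09-30",
     "zip": "03601", "diagnosis": "E11.9 type 2 diabetes",
     "visit_date": "2021-11-02", "note": "Spouse email jroe@example.net on file"},
]


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or '000' for sparsely populated prefixes."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def year_only(iso_date: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to its year."""
    return iso_date[:4]


def age_as_of(dob: str, as_of: date) -> int:
    born = date.fromisoformat(dob)
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor de-identified copy of one record."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS or field in FREE_TEXT_FIELDS:
            continue
        if field == "zip":
            out["zip"] = generalize_zip(value)
        elif field == "dob":
            age = age_as_of(value, as_of)
            if age > 89:
                # Ages over 89 are aggregated, and the birth year is dropped
                # because it would reveal the age.
                out["age"] = "90+"
            else:
                out["age"] = str(age)
                out["birth_year"] = year_only(value)
        elif field in DATE_FIELDS:
            out[field] = year_only(value)
        else:
            out[field] = value
    return out


def residual_identifiers(record: dict) -> list:
    """Post-check: list (field, kind) for identifier patterns still present."""
    hits = []
    for field, value in record.items():
        if isinstance(value, str):
            for kind, pattern in _PATTERNS.items():
                if pattern.search(value):
                    hits.append((field, kind))
    return hits


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        clean = deidentify(rec, AS_OF)
        print(clean, "residual:", residual_identifiers(clean))
```

The post-check is deliberately narrow: regexes catch phone numbers, SSNs, emails and full dates, but not a name typed into a diagnosis field, which is why the example drops free text rather than trying to scrub it. Dropping fields is the conservative choice; a release that needs the notes should go through Expert Determination or a reviewed clinical de-identification tool instead.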

Obtaining copies of PHI

The HIPAA Privacy Rule gives patients the right to obtain copies of the PHI a covered entity holds about them in its designated record set, that is, the records the entity uses to make decisions about the patient’s treatment or payment for care [3]. This includes information held and used to make decisions about a patient’s enrollment, payment, claims adjudication, or health plan management.

Final Thoughts

PHI includes information that is personally identifiable to the patient and that relates to the health of the individual, or to care or payment for care, once a covered entity or business associate handles it. Having that sensitive information fall into the wrong hands would be a terrible breach of a patient’s trust. It’s critical that you not only understand HIPAA and exactly what PHI is, but that you also use secure, HIPAA-compliant online invoicing software and other systems that handle PHI.

Sources:

  1. HHS.Gov. “Training Materials“. Accessed January 18, 2022.
  2. U.S. Department of Health and Human Services. “COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities“. Accessed January 18, 2022.
  3. HHS.Gov. “Summary of the HIPAA Security Rule“. Accessed January 18, 2022.
