Understanding PHI under HIPAA should be a top priority in the health care industry. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires covered entities to safeguard clients’ protected health information (PHI). If your organization fails to do so, you might be severely penalized and lose clients.
Knowing what is considered PHI under HIPAA and implementing robust security measures is crucial for your business to avoid these ramifications and ensure patient privacy.
Table of Contents
Defining PHI Under HIPAA
According to the HIPAA Journal, PHI refers to any individually identifiable information about a patient’s health status (past, present, and future), future provision of health care, or payment for health care created or collected by a covered entity.
What constitutes PHI?
PHI under HIPAA includes three criteria:
- Health-related – Includes physical or mental health information, provision of healthcare, or payment for healthcare services. For example, “fever” and “medical record no. 123456789” are health information.
- Individually identifiable – Includes data that can be used to identify the patient. For example, “Paul has a fever” and “Mr. Jones’ medical record no. is 123456789” are identifiable health information.
- Held or transmitted by a covered entity or its business associates – Covered entities include individuals and organizations, such as health plans, clearinghouses, and healthcare providers. As a covered entity, you are responsible for securing your patient’s PHI. You can use the Covered Entity Decision Tool on the Centers for Medicare and Medicaid Services website to know if you are a covered entity. Business associates are third-party entities that handle PHI on your behalf, such as a software service that provides secure fax services.
These three criteria should be satisfied for information to be considered PHI. Therefore, when recorded by a covered entity, “Paul has a fever” and “Mr. Jones’ medical record no. is 123456789” are examples of PHI under HIPAA.
When sharing PHI, your healthcare organization should remove PHI identifiers to ensure that personal data cannot be traced back to the individual. The University of California San Francisco lists the following 18 identifiers, which should be removed for PHI to be de-identified. The HIPAA Journal also warns that this isn’t an exhaustive list since you can now use other identifiers such as emotional support animals, social media handles, and LGBTQ status.
You can add this list to your HIPAA compliance checklist.
- Name – This includes the individual’s first, last, middle, and other names.
- Geographic subdivisions smaller than a State – This includes street address, city, county, precinct, zip code, and their equivalent geocodes.
- Dates – This consists of all elements associated with dates (e.g., birth, admission, discharge, and death) except the year unless the patient is 89 and above.
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account numbers – This includes bank accounts, credit cards, and other financial account numbers.
- Certificate/license numbers – This includes driver’s license, passport, and government-issued identification numbers.
- Vehicle identifiers and serial numbers, including license registration numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers – This includes fingerprints, retina scans, and other unique physical characteristics.
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code – E.g., patient initials, military identification numbers, and health insurance plan numbers.
Different Types of PHI
PHI encompasses various forms of patient information. These forms of PHI under HIPAA include but are not limited to:
- Electronic PHI (ePHI) – PHI that you store or transmit through online fax or other digital devices.
- Written PHI – PHI in the form of handwritten notes, paper medical records, prescriptions, and other physical documents containing patient information
- Verbal PHI – PHI that is spoken during a doctor’s appointment, phone call, conversation with a friend, and the like.
Role of PHI in patient care
PHI plays a vital role in delivering effective and personalized patient care. You can diagnose patients and decide on treatment plans by accessing accurate and complete protected health information. You can also use this data to communicate with other healthcare providers, ensuring you give your patient the best quality of care.
PHI for research and policy making
PHI is also crucial for medical research and public health initiatives. Anonymized PHI helps researchers track a disease’s progress, develop new treatments, and strategize effective public policy. For example, during the COVID-19 pandemic, PHI helped healthcare providers track the spread of the virus, assisting public officials in creating appropriate public health guidelines.
HIPAA Rules for Protecting PHI
The US Department of Health and Human Services (HHS) uses the following HIPAA rules to safeguard a person’s PHI:
- Privacy Rule – requires HIPAA-covered entities to protect an individual’s PHI. It sets limits and conditions for disclosing PHI without an individual’s permission. Moreover, it gives your clients the rights over their PHI, including the right to examine, get a copy, and request corrections. This rule also gives them the right to ask you to transmit their records to a third party.
- Security Rule – requires you to put in place the appropriate administrative, physical, and technical measures to protect ePHI. Administrative safeguards are policies and procedures, like security awareness and training. Physical safeguards include policies controlling facility access and protecting data from environmental hazards. Technical safeguards include encryption, authorization, and emergency access procedures.
- Breach Notification Rule – comes into play during a HIPAA breach. It requires you to promptly notify affected individuals and report the breach to the Secretary of Health and Human Services and, in some cases, the media. If the breach was by your business associate, they must notify you no later than 60 days from discovery. Additionally, you must prove that you notified the required individuals and entities or that the unsecured PHI cannot be considered a breach.
Consequences of non-compliance with HIPAA PHI rules
Failure to comply with HIPAA regulations can have severe consequences for your organization. Violations may result in financial penalties, damage to your reputation, and lawsuits. Moreover, ignoring HIPAA rules and delaying required actions can result in stiffer penalties.
Future of PHI Under HIPAA
As technology advances, knowing what is PHI under HIPAA and safeguarding PHI will become an even more critical aspect of any healthcare provider. Digital means to access, maintain, and transmit health records are more efficient and less costly. However, using them means adding robust security measures, such as using HIPAA-compliant faxing solutions and providing HIPAA training to staff.
By safeguarding PHI under HIPAA regulations, you can maintain patient trust and avoid legal and financial problems in the future.