The term PHI seems to be appearing more and more in connection with health data, but what exactly is PHI, and what information is included in the definition of PHI?
What is PHI
PHI stands for Protected Health Information. The term is frequently mentioned in the Health Insurance Portability and Accountability Act (HIPAA) and related legislation such as the Health Information Technology for Economic and Clinical Health Act (HITECH). PHI refers to any data relating to a patient, a patient´s healthcare or the payment for that healthcare that is created, received, stored, or transmitted by entities which are covered by HIPAA.
HIPAA-covered entities include mostly healthcare providers, health plans, healthcare clearinghouses and any third-party service providers or business associates who have access to Protected Health Information. Entities such as these must enforce measures to protect against the unauthorized disclosure, destruction or amendment of Protected Health Information as mentioned in the HIPAA Privacy Rule.
The Department of Health & Human Services´ Office for Civil Rights has given the following definition of PHI: ‘PHI is defined as any Personal Identifying Information that – individually or combined – could potentially identify a specific individual, their past, present or future healthcare, or the method of payment’. It is worth noting that PHI does not include information contained in education records or information that is maintained by healthcare organizations in their capacity as an employer.
The following is a list of eighteen unique identifiers that fall under PHI:
- Names
- Geographic data
- Telephone numbers
- Email addresses
- FAX numbers
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers including license plates
- Device identifiers and serial numbers
- All elements of dates
- Web URLs
- Internet protocol addresses
- Biometric identifiers (i.e. retinal scan, fingerprints)
- ID photos and comparable images
- Any unique identifying number, characteristic or code
PHI is no longer PHI once all eighteen unique identifiers are removed for marketing or research purposes. However, the data is still considered “protected” under the 1981 Common Rule. This is an Act of Congress that stipulates the baseline standard of ethics under which any government-funded research in the US is held. Regardless of funding, almost all U.S. academic institutions hold their researchers to this standard of ethics.
PHI and ePHI: what’s the difference?
ePHI is an acronym of electronic Protected Health Information. As the name suggests, it is related to any PHI that is created, received, stored, or transmitted electronically by entities which are HIPAA-covered. As a result of the ease in which electronically-stored data can be accessed and shared, ePHI is subject to both the HIPAA Security Rule and the HIPAA Privacy Rule. Additionally, it is also subject to the HITECH Act when a healthcare provider is a participant in the Meaningful Use program.
Primarily, the Security Rule consists of physical, technical and administrative safeguards to prevent unauthorized access and disclosure of ePHI. These safeguards should be paid close attention to by HIPAA-covered entities, as the penalties for a breach of the HIPAA Security Rule can be substantial. This can occur in some cases even when there has been no authorized access to, or disclosure of, PHI.
What is PHI in medical terms?
In HIPAA, PHI stands for protected health information. However, the term PHI is also commonly referred to when talking about patient health information or personal health information. This refers to any health information that is contained in a medical record that relates to an individual that has been created, received, used, or maintained by a HIPAA-covered entity for the purposes of providing healthcare services or payment for these healthcare services.
Interestingly, PHI could also be used to refer to private health insurance, permanent health insurance, public health informatics, a public health institute, and in medicine, the enzyme phosphoexose Isomerase.