HIPAA Series #2: What is Protected Health Information (PHI) Under HIPAA?

Protected Health Information

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a key piece of U.S. federal legislation for protecting patients’ privacy. It lays down stringent rules for storing, handling, and transmitting patients’ sensitive healthcare records.

In this article, we will talk about this patient data and the HIPAA regulations around it.

Protected Health Information (PHI)

Protected Health Information (PHI) is a patient’s health record, including medical history, existing physical and mental health conditions, laboratory results, insurance information, and other healthcare data that can identify a specific individual. Since healthcare records contain sensitive information, the entities collecting and handling them must protect them from unauthorized access.

PHI Identifiers

PHI is health information that carries one or more of the following 18 identifiers. Health information from which all of these identifiers have been removed is not considered PHI.

These identifiers are:

  1. Patient name.
  2. Geographical identifiers, including street, zip code, city, county, and country.
  3. All dates relating to an individual, such as date of birth, date of admission to a healthcare facility, and the exact age of a patient over 89 years.
  4. Phone numbers.
  5. Fax numbers.
  6. Email addresses.
  7. Social Security Numbers.
  8. Medical record numbers or identifiers.
  9. Health insurance beneficiary numbers.
  10. Bank account numbers.
  11. Any certificate or license numbers that can identify an individual.
  12. Vehicle identifiers, including license plates.
  13. Device identifiers, including serial numbers.
  14. Digital identifiers like website URLs.
  15. IP addresses.
  16. Biometric identifiers such as fingerprints and retinal scans.
  17. Full-face photos.
  18. Any other unique characteristic, code, or number that can be traced to a specific individual.

Who is it Applicable For?

Every entity deemed a “covered entity” under HIPAA must safeguard PHI. According to HIPAA, the following organizations and people are covered entities:

  • Healthcare providers like doctors, nurses, dentists, chiropractors, nursing homes, pharmacies, clinics, and psychologists.
  • Health insurance companies, HMOs, company health plans, and government programs like Medicare, Medicaid, and military and veterans’ healthcare plans.
  • Healthcare clearinghouses.

Additionally, any individual or organization that has a business agreement with the above-mentioned covered entities, called a business associate, must also take measures to protect PHI.

Failure to handle PHI as per HIPAA’s provisions can attract heavy fines and penalties.

Considerations in Handling PHI

PHI is central to HIPAA because of its significance in healthcare. If it falls into the wrong hands, deliberately or accidentally, the consequences land on the patient concerned. Moreover, PHI shapes the interaction between a patient and a healthcare provider, and the resulting outcomes such as diagnosis and treatment.

In some cases, healthcare providers may face a dilemma in handling PHI, especially if the patient is a celebrity or public figure. In such cases, the healthcare provider must balance between protecting a patient’s privacy and the public’s right to know.

Another key consideration is the use of technology in healthcare and its impact on PHI. While HIPAA lays down guidelines for PHI that is stored or transmitted electronically, known as ePHI, it does not yet provide guidelines for newer technologies like 3D printing and their potential privacy implications.

Due to these considerations, covered entities and their business associates have to exercise utmost caution while handling, storing, and transmitting PHI.

Next, let’s see some actionable tips for protecting PHI’s security and privacy.

12 Actionable Tips to Safeguard PHI

Here are twelve tips to safeguard PHI from unauthorized access:

  1. Develop clear policies for handling PHI and educate employees on the proper procedures for maintaining confidentiality.
  2. Use role-based access controls to minimize who can view PHI.
  3. Regularly train employees on HIPAA compliance and the importance of protecting PHI.
  4. Use encryption to protect digital PHI both at rest and during transmission.
  5. Implement strong password policies and multi-factor authentication to add layers of security when accessing PHI.
  6. Regularly monitor and audit who accesses PHI and what they do with it. This helps detect unauthorized access or suspicious activity.
  7. Secure physical locations where PHI is stored. This could mean using locks, security cameras, or restricted access areas.
  8. Ensure that mobile devices used to access PHI have appropriate security measures like encryption, remote wiping, and secure connections.
  9. Regularly back up data and ensure backups are secure. This helps recover data in case of data loss or a security breach.
  10. Keep up to date with HIPAA regulations and changes. Regularly review and update policies and practices to stay compliant.
  11. Use anonymized data where possible to limit exposure of PHI. Anonymized data is often sufficient for purposes such as research.
  12. Implement data masking while transmitting data to external entities.

Thus, these are some things you can do to safeguard PHI.
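Tips 11 and 12 above (anonymized data and data masking), applied against the identifier list, as an added Python example that is not part of the original article: it drops direct-identifier fields, reduces dates to the year, collapses ages over 89 into one bucket, and masks identifier-shaped strings that leak into free text. The sample record, field names and regex formats are constructed assumptions, not a real data model.

```python
import re
from datetime import date
# Constructed sample record; every value is made up for illustration.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1931-04-12",
    "admitted": "2023-09-03",
    "zip": "02139",
    "phone": "617-555-0147",
    "email": "jane.sample@example.com",
    "ssn": "123-45-6789",
    "diagnosis": "Angina",
    "notes": "Reached at 617-555-0147 or jane.sample@example.com about results.",
}

# Fields mapping onto identifiers 1, 2, 4, 6 and 7 in the list above: dropped outright.
DIRECT_IDENTIFIER_FIELDS = {"name", "zip", "phone", "email", "ssn"}
# Date fields (identifier 3): reduced to the year.
DATE_FIELDS = {"dob", "admitted"}
# Identifier-shaped strings that tend to leak into free-text notes (assumed formats).
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
]

def mask_free_text(text):
    """Replace identifier-shaped substrings with labelled placeholders (tip 12)."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text
def age_bucket(dob_iso, on_iso):
    """Age in whole years, with ages over 89 collapsed into one '90+' bucket."""
    dob, on = date.fromisoformat(dob_iso), date.fromisoformat(on_iso)
    years = on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))
    return "90+" if years > 89 else str(years)

def deidentify(record, on_iso):
    """Return a copy of the record with identifying fields removed or generalized (tip 11)."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field in DATE_FIELDS:
            out[field + "_year"] = value[:4]
            continue
        out[field] = mask_free_text(value) if isinstance(value, str) else value
    out["age"] = age_bucket(record["dob"], on_iso)  # assumes an ISO "dob" field is present
    return out
```

The output keeps the clinical content (diagnosis, masked notes, year and age bucket) while none of the listed identifier fields survive.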

Final Words

Protected Health Information (PHI) is a healthcare record that can identify a specific individual because it contains one or more of the 18 identifiers listed above. If you are a covered entity or have a business agreement with a covered entity, you must safeguard PHI or face heavy fines. We hope the actionable tips serve as a good starting point for protecting PHI.

Lavanya Rathnam

Lavanya Rathnam is an experienced technology, finance, and compliance writer. She combines her keen understanding of regulatory frameworks and industry best practices with exemplary writing skills to communicate complex concepts of Governance, Risk, and Compliance (GRC) in clear and accessible language. Lavanya specializes in creating informative and engaging content that educates and empowers readers to make informed decisions. She also works with different companies in the Web 3.0, blockchain, fintech, and EV industries to assess their products’ compliance with evolving regulations and standards.
