Protected Health Information (PHI) is basically the personally identifiable health information that is protected and regulated by the Health Insurance Portability and Accountability Act, better known as HIPAA. The Health Insurance Portability and Accountability Act (HIPAA) was filed or rather written 20 years ago when smartphones were a distant reality.
Therefore, everything related to this act was penned down for mostly an analog world of physical X-rays and even paper files. And in today’s era of wearables, genetic sequencing, health apps, and much more, getting a proper and precise definition of PHI can be quite difficult to understand, especially for the developers who are trying to parse or figure out whether they need to be HIPAA compliant or not.
The HIPAA privacy and protection rules assist in governing protected health information that includes information associated with a patient’s physical or mental health. HIPAA and PHI need to follow strict guidelines and requirements for storing, transmitting, and disposing of patient data with utmost privacy.
When pieces of data become identifiers of PHI, patents automatically acquire the legal rights to the security and privacy of that information. PHI and HIPAA regulate certain information that can be shared freely amongst patients. Several businesses manage and generate PHI information list in medical billing, hospitals and provider offices, pharmacies, insurance providers, psychologists, and more.
Through this post, we hope to provide a clearer picture of what exactly is PHI or Protected Health Information and what is not considered PHI. And hopefully, you as a healthcare software developer can use the information below as a reference while determining if all the information you are collecting for your digital health solution falls under PHI or not.
Covered Entities and Business Associates
Before we proceed further to talk about the definition of PHI, what information constitutes PHI and what doesn’t, let’s first understand two major definitions under HIPAA and those are – Business Associates and Covered Entities.
A covered entity is a person who provides treatment, payment, as well as operations in the healthcare sector. According to the U.S. Department of Health & Human Services (HHS), healthcare providers, health plans, and healthcare clearinghouses fall under the covered entities. The healthcare providers usually include doctors, clinics, dentists, psychologists, nursing homes, pharmacies, chiropractors, and last but not the least, hospitals.
Health plans include health insurance companies, company health plans, HMOs, Medicare & Medicaid. Schools and employers that handle PHI to enroll their employees and students in any sort of health plan also fall under the definition of a Health Plan.
Here’s a complete list of entities that come under covered entities:
- Dental and doctors’ offices, clinics, psychologists
- Insurance companies, health plans, HMOs
- Pharmacies, nursing homes, home healthcare agencies, or hospitals
- Healthcare clearinghouses
- Government programs that contribute toward healthcare
A business associate is nothing but a subcontractor or a vendor who has access to protected health information (PHI). However, if defined in a more legalized way, a business associate is an entity that discloses or uses PHI on behalf of a covered entity. In case the legalized definition is complex, here’s a very simple and crisp definition- a business associate can be defined as a person who performs or assists in performing certain activities involving the use or disclosure of PHI, on behalf of the covered entity.
Business Associates can be providers of data transmission services, document or data storage services (it hardly matters if they can view the PHI they maintain), portals, or other interfaces specially created on behalf of the covered entities that allow the patients to share their health-related data with the covered entity, as well as other electronic health information exchanges.
What is Considered PHI?
PHI stands for Protected Health Information, which is any information that is related to the health status of an individual. This can include the provision of health care, medical record, and/or payment for the treatment of a particular patient and can be linked to him or her. The term “information” can be interpreted in a very broad category and the main phrase, in this case, is “that can be linked to a specific individual”.
Protected health information is also a form of individual health information that is specifically created, obtained, or maintained under the HIPAA-covered entities or business associates of covered entities. PHI can be accessible in any form – oral, paper, or electronic – including medical charts, images, and other characteristics. PHI in HIPAA also includes family members’ characteristics maintained across the same set of patient data that can be utilized together or individually.
This assists in identifying the patient or the health plan member. The 18 identifiers of PHI created, disclosed, or used by HIPAA-covered entities in the care provision course of an individual or used under the payment of care conjunction, the data set existing is considered PHI under HIPAA compliance with strict controls over permissible usage and disclosures.
PHI differs from PII (Personally Identifiable Information). The latter is considered a legal definition – PII is generally used to identify an individual uniquely. This is mostly used when the condition or illness is rare.
Protected health information correlates to the past, present, and future of an individual’s mental and physical health. The PHI in HIPAA provides healthcare services to an individual, payment provisions, and more, including
- Data transmitted by electronic media.
- Data is maintained in electronic media.
- Data transmitted or maintained across any other form or medium.
What Information is considered PHI?
If a piece of health data is to be considered as PHI and regulated under or by the Health Insurance Portability and Accountability Act (HIPAA), then it needs to be two things:
- It has to be personally identifiable or recognizable to the patient.
- It has to be utilized or disclosed to a covered entity only, during health care.
To understand this in an in-depth manner, what is considered PHI under HIPAA compliance rules – it is essential to know the Administrative Simplification Regulations beginning with health information. In this section, health information can range from genetic, oral, or recorded information in any form or medium that is received or created by healthcare providers, public health authorities, employers, health plans, life insurers, schools or universities, or healthcare clearinghouses.
The integration of technology in healthcare has made the determining factors of PHI more complicated. But, the population sharing large documents of health information with businesses and companies are evolving to fit digital requirements to operate more efficiently. So the question to ask here is, what are the 18 types of PHI? That brings us to our next section on the 18 identifiers of PHI.
The 18 Identifiers of PHI
- Data of Geographic locators for subdivisions smaller than the state
- Dates (except year) related to the individual
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers (SSN)
- Medical record numbers
- Health Insurance beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial number
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger, retinal, and voice prints
- Any other unique identifying number, characteristic, or code
- Full-face photographic images and any comparable images
In general, PHI can show up in a wide variety of documents, forms, and communications, such as:
- The billing information provided by your doctor
- An email sent to your doctor’s chamber/office for medication or prescription that you require
- An appointment scheduling note with your doctor’s chamber/office
- An MRI scan report
- Blood test reports
- Phone records about your conversation with the doctor
Formats of PHI Records Covered under HIPAA Compliance
All kinds of PHI record formats are covered under HIPAA compliance. The question asked in this situation is, what is the most common example of PHI? To answer this question, these include but are not limited to written PHI on paper, oral PHI, ePHI, and digital and physical images identifying health information subjects. It is essential to remember that PHI records are only covered by HIPAA when the possessions of covered entities or business associates are theirs.
What is ePHI?
ePHI stands for electronic protected health information, which is PHI transferred, received, or simply saved in an electronic form. The types of ePHI include patient names, fingerprints, addresses, social security numbers, email addresses, and photographic images. Along with this information, past medical records are also kept private.
Cloud integration has changed a lot when HIPAA is involved in handling protected health information. Companies are relying on cloud provider services for various health solutions to close customers are coming to rely on cloud providers for various HIPAA compliance aspects. The onus of cloud customers for ensuring all necessary HIPAA requirements are followed under both PHI and ePHI.
What is not considered PHI?
A common misconception is that all health information is PHI under HIPAA compliance. But it is usually never the case. It depends on all the identifiers of PHI and needs to be included in the same sets of medical records. So what is not considered PHI under HIPAA? PHI usually ceases to remain PHI if all the identifiers are stripped that tie the information with the patients. Once these identifiers are eliminated, the health information becomes de-identified PHI and HIPAA does not apply to this kind of PHI.
Health information is also not considered PHI when it is maintained, created, transmitted, and maintained by an entity that is not subject to HIPAA rules.
For example, employment records of a covered entity that are not linked to medical records.
Similarly, health data that is not shared with a covered entity or is personally identifiable doesn’t count as PHI. For example, heart rate readings or blood sugar level readings without PII.
Now let’s move forward and understand the various common ways to protect your PHI.
Ways to Protect PHI
PHI in HIPAA, as healthcare organizations, you need to follow some simple procedures to prevent PHI from leaving your organization by a cyber breach or accident. While every business will have different variations of PHI, there are 10 basic practices you can follow to secure patient-accumulated data.
HIPAA establishes a rule of training your employees on both cybersecurity practices and HIPAA policies. There are only two situations when employee training is required – when they are new to your business and when there are changes or updates under the HIPAA guidelines.
Implementing Access Control Guidelines
Access control guidelines are crucial for healthcare organizations, and it includes restricting physical access to certain areas existing within the facility as well as limiting electronic PHI access. Only parties authorized should have patient record accessibility.
Managing Third-Party Vendors
Hiring vendors outside of the organization can help your business in managing patient PHI and they should follow the HIPAA and PHI requirements. The PHI indicators require HIPAA to enter a business associate agreement (BAA) with third-party vendors that can access your company’s PHI. This allows vendors to be liable for any security breaches, but the BAA isn’t enough to lock down the PHI. It is required for you to thoroughly mandate third-party vendors regarding cybersecurity protocols.
The PHI information list shows that HIPAA requires backing up all PHI-related information and is practiced as a cybersecurity protocol. This method can restore your system from potential hackers by backing up the information and data and avoiding any business disruptions that pose substantial risks to the safety of patients.
Protecting Verbal PHI
The disclosure of verbal PHI is also a potential HIPAA guideline violation, so it is necessary to create measures to protect patient data when shared aloud. Even if employees are conversing with one another about sensitive patient-related information, there should be a guideline that can eliminate others from hearing this. There should be guidelines like no sensitive discussions around public areas or with other patients, no disclosing PHI than what is required for patient treatment, conversing in enclosed private spaces in low voice, and phone calls discussing PHI in private rooms.
Software and Firmware Updates
Regardless of all the software or devices utilized by our business, it is required that updating and patching are a part of your system protocols. IT department in your company should constantly keep scheduling updates across all organizational devices, especially for patient monitoring devices, IoT devices, wearables, implantable medical devices, fax machines, etc.
Businesses integrating protected health information should not store unencrypted patient information. HIPAA enables you to encrypt PHI both at transit and rest. PHI encryption masks the true content of the data stolen and it renders it an uninterpretable language to any cybersecurity breaches.
A Simple Test for PHI
If the device or application stores, records, or transmits a user’s personally-identifiable health data to any covered entity, then you are dealing with PHI, and hence, you need to be HIPAA compliant.
In case you are about to manufacture wearable devices or applications that can easily collect health information but do not share the health-related information with a covered entity at any point in time, you do not need to be HIPAA compliant. For instance, the Nike Fuel Band (it’s a health band) does not track the data which is considered protected health information or PHI because you cannot transmit that essential data from the device to any covered entity.
We hope after reading this article, you will have a more clear picture of what protected health information (PHI) is and what it isn’t. Now it’s time for you to go back and review all types of information that you are collecting to assess whether you need to be HIPAA compliant or not. Currently, the scrutiny of HIPAA violations has increased a lot, and massive fines have been associated with breaches as well as the lack of safe harbor clauses for unintentional PHI use. Hence, it’s better to be safe than sorry when you are dealing with all kinds of sensitive health-related information of an individual that falls under PHI. You can collaborate with a leading digital healthcare technology development partner that helps healthcare startups and organizations in building HIPAA-compliant solutions.
Shailendra Sinhasane (Shail) is the co-founder and CEO of Mobisoft Infotech. He has been focused on cloud solutions, mobile strategy, cross-platform development, IoT innovations and advising healthcare startups in building scalable products.