Protected Health Information (PHI) is the individually identifiable health information that is protected and regulated by the Health Insurance Portability and Accountability Act, better known as HIPAA. HIPAA was written 20 years ago, when smartphones were a distant prospect.
As a result, the act was drafted largely for an analog world of physical X-rays and paper files. In today's era of wearables, genetic sequencing and health apps, pinning down a precise definition of PHI can be difficult, especially for developers trying to work out whether they need to be HIPAA compliant.
This post aims to give a clearer picture of what is, and what is not, Protected Health Information. As a healthcare software developer, you can use the material below as a reference when deciding whether the information your digital health solution collects falls under PHI.
Covered Entities and Business Associates
Before discussing the definition of PHI and which information does or does not constitute it, let's first cover two central definitions under HIPAA: covered entities and business associates.
A covered entity is a person or organization that provides treatment, handles payment, or carries out operations in the healthcare sector. According to the U.S. Department of Health & Human Services (HHS), healthcare providers, health plans, and healthcare clearinghouses are covered entities. Healthcare providers include doctors, clinics, dentists, psychologists, nursing homes, pharmacies, chiropractors and, not least, hospitals.
Health plans include health insurance companies, company health plans, HMOs, Medicare and Medicaid. Schools and employers that handle PHI in order to enroll their students and employees in any kind of health plan also fall under the definition of a health plan.
Here is the list of entity types that count as covered entities:
- Dental and doctors’ offices, clinics, psychologists
- Insurance companies, health plans, HMOs
- Pharmacies, nursing homes, home healthcare agencies or hospitals
- Healthcare clearinghouses
- Government programs that contribute towards healthcare
A business associate is a subcontractor or vendor that has access to protected health information (PHI). In legal terms, a business associate is an entity that uses or discloses PHI on behalf of a covered entity. Put simply, a business associate is a person or organization that performs, or assists in performing, activities involving the use or disclosure of PHI on behalf of a covered entity.
Business associates include providers of data transmission services, document or data storage services (whether or not they can view the PHI they maintain), portals or other interfaces built on behalf of covered entities that let patients share their health data with the covered entity, and electronic health information exchanges.
What is the Definition of Protected Health Information (PHI)?
PHI stands for Protected Health Information: any information about the health status of an individual, the provision of health care to that individual, or payment for that care, that can be linked to him or her. "Information" is interpreted very broadly; the key phrase is "that can be linked to a specific individual".
PHI differs from PII (Personally Identifiable Information). PII is a legal term for information that can be used to identify an individual uniquely. Health data on its own can become identifying when the condition or illness is rare.
What is ePHI?
ePHI stands for electronic protected health information: PHI that is transmitted, received or stored in electronic form. Identifiers found in ePHI include patient names, fingerprints, addresses, social security numbers, email addresses, and photographic images. Past medical records held electronically are ePHI as well.
What Information is considered PHI?
For a piece of health data to be considered PHI and regulated under the Health Insurance Portability and Accountability Act (HIPAA), it must meet two conditions:
- It has to be personally identifiable, i.e. traceable to the patient.
- It has to be used or disclosed to a covered entity in the course of health care.
The identifiers that make health data individually identifiable (the list used by HIPAA's Safe Harbor de-identification standard, which also covers names and dates directly related to an individual) are:
- Geographic locators
- Fax numbers
- Phone numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Any other unique identifying number, characteristic, or code
- Full face photographic images and any comparable images
In general, PHI can show up in a wide variety of documents, forms, and communications such as:
- The billing information provided by your doctor
- An email sent to your doctor's office about a medication or prescription that you need
- An appointment-scheduling note from your doctor's office
- An MRI scan report
- Blood test reports
- Phone records about your conversation with the doctor
What is not considered PHI?
Note that not all personally identifiable information is PHI. For example, the employment records a covered entity keeps about its own staff are not PHI when they are not linked to medical records.
Similarly, health data that is not shared with a covered entity, or that is not personally identifiable, does not count as PHI. For example, heart rate readings or blood sugar readings with no PII attached.
A Simple Test for PHI
If a device or application stores, records or transmits a user's personally identifiable health data to any covered entity, then you are dealing with PHI and you need to be HIPAA compliant.
If you are building wearable devices or applications that collect health information but never share it with a covered entity, you do not need to be HIPAA compliant. For instance, the Nike Fuel Band (a fitness band) does not track data that counts as protected health information, because that data cannot be transmitted from the device to any covered entity.
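The two-condition test above, applied against the identifier list from the earlier section, can be turned into a data-classification check that a developer runs over the records an app collects. This is an added example, not code from the original post; the field names, the regexes (US-format SSN and phone numbers) and the sample records are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Identifier types from the HIPAA list that have a recognisable value shape.
# Assumption: US-format SSNs and phone/fax numbers.
IDENTIFIER_PATTERNS = {
    "social_security_number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone_or_fax_number": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "url": re.compile(r"https?://\S+"),
}
# Identifier types recognised by field name (hypothetical schema for this example).
IDENTIFIER_FIELDS = {"patient_name", "medical_record_number", "account_number",
                     "device_serial", "license_plate", "fingerprint", "face_photo"}
# Fields carrying health status, care or payment information (hypothetical schema).
HEALTH_FIELDS = {"diagnosis", "heart_rate", "blood_glucose", "prescription",
                 "mri_report", "billing_amount"}


@dataclass
class PhiVerdict:
    identifiers: list = field(default_factory=list)   # which identifiers were found
    health_fields: list = field(default_factory=list) # which health fields were found
    disclosed_to_covered_entity: bool = False

    @property
    def is_phi(self) -> bool:
        # Condition 1: identifiable health data; condition 2: reaches a covered entity.
        return (bool(self.identifiers) and bool(self.health_fields)
                and self.disclosed_to_covered_entity)


def classify_record(record: dict, disclosed_to_covered_entity: bool) -> PhiVerdict:
    """Apply the two-condition PHI test to one flat record."""
    verdict = PhiVerdict(disclosed_to_covered_entity=disclosed_to_covered_entity)
    for key, value in record.items():
        if key.lower() in IDENTIFIER_FIELDS:
            verdict.identifiers.append(key)
        if key.lower() in HEALTH_FIELDS:
            verdict.health_fields.append(key)
        # Free-text fields may embed an identifier even if the field name is innocent.
        if isinstance(value, str):
            for kind, pattern in IDENTIFIER_PATTERNS.items():
                if pattern.search(value):
                    verdict.identifiers.append(f"{key}:{kind}")
    return verdict


# Constructed sample records (not real data).
CLINIC_RECORD = {"patient_name": "Jane Doe", "notes": "SSN 123-45-6789 on file",
                 "diagnosis": "type 2 diabetes"}
WEARABLE_READING = {"device_serial": "WB-0001", "heart_rate": 72}
EMPLOYMENT_RECORD = {"employee_name": "Jane Doe", "email": "jane@example.com"}
```

The same wearable reading is not PHI while it stays on the band, but becomes PHI the moment the app forwards it to a clinic, which is exactly the distinction the test above draws.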
We hope that after reading this article you have a clearer picture of what protected health information (PHI) is and what it isn't. Now it's time to go back and review every type of information you collect to assess whether you need to be HIPAA compliant. Scrutiny of HIPAA violations has increased considerably, with massive fines attached to breaches and no safe harbor for unintentional PHI use. It is better to be safe than sorry when handling any sensitive health-related information about an individual that falls under PHI.
Mobisoft Infotech is a digital healthcare technology development partner that helps healthcare startups and organizations in building HIPAA compliant apps and solutions.
Shailendra Sinhasane (Shail) is the co-founder and CEO of Mobisoft Infotech. He has been focused on cloud solutions, mobile strategy, cross-platform development, IoT innovations and advising healthcare startups in building scalable products.