Understanding What is and Is Not PHI
Lack of knowledge of what qualifies as Protected Health Information (PHI) under HIPAA is one of the main causes of HIPAA-related complaints to HHS’ Office for Civil Rights.
This is not surprising: depending on who holds it and how it is handled, the same information can sometimes be protected in one context and unprotected in another.
The HHS Office for Civil Rights maintains a webpage called Enforcement Highlights that lists the compliance issues most frequently raised in complaints, in order of frequency.
Impermissible uses and disclosures top the list, which is unsurprising given that a single data breach can affect thousands of people. The following four items, however, point to a lack of knowledge about what HIPAA considers Protected Health Information:
- Improper uses and disclosures of PHI
- Lack of safeguards for PHI that is not electronic
- Patients not being given access to their PHI
- Absence of administrative safeguards for PHI
- Violations of the minimum necessary requirement
What Is Considered PHI?
Health insurance for the unemployed was the initial focus of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Within the last ten years it has advanced further, giving patients the right to view their own data. HIPAA also strictly governs how this information is stored and distributed.
The Act has evolved in response to technological developments such as the smartphone and the growing amount of personal information that is available. The updated HIPAA regulations keep the rules reasonable while still protecting PHI.
The specific PHI identifiers are listed below:
- Names
- Identifying geographic information including addresses or ZIP codes
- Dates (except for the year) that relate to birth, death, admission, or discharge
- Telephone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate numbers
- Vehicle identifiers such as license plate numbers
- Device identifiers and serial numbers
- Web addresses (URLs)
- IP addresses
- Biometric data such as fingerprints or retina scans
- Full face images
- Any other information that could potentially identify an individual
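Most of the identifiers above that have a recognisable textual shape (SSNs, phone and fax numbers, email addresses, IP addresses, URLs, full dates, ZIP codes) can be flagged with pattern matching, which is how data-loss-prevention and log-scrubbing rules usually work. The scanner below is an added example, not code from the original article; its regular expressions are illustrative heuristics (an assumption, not an exhaustive or legally sufficient detector), and the `MRN 1234567` format for medical record numbers is an assumed local convention. Names, biometrics and full-face images have no fixed textual shape and need other techniques, so they are deliberately not covered.

```python
"""Flag HIPAA Safe Harbor identifier categories present in free text.

Added example, not from the original article. The patterns are illustrative
heuristics (assumptions), not a complete PHI detector; a real DLP rule set
would be tuned to the data source it scans.
"""
import re
from typing import Dict, List

# Category name -> compiled pattern. Only identifier types with a recognisable
# textual shape are covered. Names, biometric data and face images need
# dictionaries, ML models or file-type inspection instead of regexes.
PHI_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "social_security_number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # Matches "(617) 555-0100", "617-555-0100" and "+1 617.555.0100" styles.
    "telephone_or_fax_number": re.compile(
        r"(?:\+1[ -]?)?(?:\(\d{3}\)|\d{3})[ -.]\d{3}[-.]\d{4}\b"
    ),
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    # Stops before a trailing period so sentence punctuation is not swallowed.
    "web_address": re.compile(r"https?://[\w./-]+[\w/-]", re.IGNORECASE),
    # Full dates (month and day present) are identifiers; a bare year is not,
    # so "1998" on its own is intentionally not matched.
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "zip_code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    # Assumed local convention: medical record numbers are written "MRN 1234567".
    "medical_record_number": re.compile(r"\bMRN[ :#]*\d{6,}\b", re.IGNORECASE),
}


def find_identifiers(text: str) -> Dict[str, List[str]]:
    """Return {category: [matched strings]} for every category found in text."""
    hits: Dict[str, List[str]] = {}
    for category, pattern in PHI_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[category] = found
    return hits


def contains_phi_identifiers(text: str) -> bool:
    """True if at least one identifier category is present."""
    return bool(find_identifiers(text))


def redact(text: str) -> str:
    """Replace each matched identifier with a bracketed category tag."""
    redacted = text
    for category, pattern in PHI_PATTERNS.items():
        redacted = pattern.sub(f"[{category.upper()}]", redacted)
    return redacted


# Constructed sample record (fictional values, not real patient data).
SAMPLE_RECORD = (
    "Patient Jane Doe, DOB 03/21/1984, MRN 4471923, SSN 123-45-6789, "
    "phone (617) 555-0100, email jane.doe@example.com, ZIP 02139, "
    "portal login from 10.20.30.40 via https://portal.example.org/visit/77. "
    "Discharged in 1998 with no complications."
)

if __name__ == "__main__":
    for category, values in find_identifiers(SAMPLE_RECORD).items():
        print(f"{category}: {values}")
    print(redact(SAMPLE_RECORD))
```

Running the block on the constructed record reports eight identifier categories and leaves the bare year 1998 untouched, which matches the rule that only full dates, not years alone, count as identifiers. Treat the result as a triage signal for where records need review, not as proof that a record is free of PHI: the name "Jane Doe" in the sample is an identifier the regexes cannot see.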
What Does Not Qualify as PHI?
Not all health data is considered to be protected.
Although the list of identifiers that make up PHI is extensive, not all patient information falls under this category.
It’s important to keep in mind that whether or not health information is considered PHI primarily depends on who gets it.
Covered Entities (CEs) and their Business Associates (BAs) are subject to HIPAA rules. If they come into possession of personal health information, it becomes PHI. When the same information is held by an organisation that is neither a CE nor a BA, it is not regarded as PHI.