What Does PHI Stand For?
PHI, or protected health information, is any individually identifiable information in a medical record that was created, used, or disclosed in the course of diagnosing or treating a patient.
In other words, PHI is information in a medical record, including documented treatment discussions between doctors and nurses, that can be used to identify a specific person.
Billing records and other patient-identifiable data held in a health insurer's systems are PHI as well.
HIPAA (the Health Insurance Portability and Accountability Act) uses the term protected health information for the category of patient information that the statute and its implementing rules cover.
Applications used in the eHealth space that gather, store, or transmit PHI must adhere to HIPAA compliance requirements.
PHI stands for protected health information. The term is used in the Health Insurance Portability and Accountability Act (HIPAA) and in related laws such as the Health Information Technology for Economic and Clinical Health (HITECH) Act.
PHI is generally defined as any information created, received, maintained, or transmitted by a HIPAA-covered entity or its business associates that relates to an individual's health condition, the healthcare provided to that individual, or the payment for that healthcare.
Business associates of HIPAA-covered entities are third-party service providers who have access to Protected Health Information in order to perform a service for or on behalf of the covered entity.
HIPAA-covered entities are primarily healthcare providers, health plans, and healthcare clearinghouses.
Under the HIPAA Privacy Rule (and, for electronic PHI, the Security Rule), these organisations must put safeguards in place against unauthorised disclosure, alteration, or destruction of protected health information.
According to the Office for Civil Rights of the Department of Health & Human Services, PHI is any individually identifiable health information that, on its own or in combination with other data, could identify a specific person, their past, present, or future medical care, or the payment for that care.
PHI does not, however, include employment records held by a covered entity in its role as an employer, or education records covered by FERPA.
The word "any" in the definition of PHI has caused some ambiguity over what information must be protected, which occasionally results in overly cautious safeguards that impede the flow of information, something the Privacy Rule explicitly seeks to avoid.
Compliance specialists therefore often work from the eighteen identifiers of HIPAA's Safe Harbor de-identification method: once all of them have been removed from a data set, the data is no longer considered protected. Under this view, the following eighteen identifiers are treated as PHI:
- Names
- Geographic subdivisions smaller than a state (street address, city, county, precinct, and ZIP code; only the first three digits of a ZIP code may be kept, and only if the area covered by that three-digit prefix contains more than 20,000 people, otherwise it becomes 000)
- All elements of dates except the year (birth, admission, discharge, and death dates), plus any age over 89 or date element that reveals such an age (ages 90 and over may be aggregated into a single "90 or older" category)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers including license plates
- Device identifiers and serial numbers
- Web URLs
- Internet protocol addresses
- Biometric identifiers (e.g. retinal scans, fingerprints, voice prints)
- Full face photos and comparable images
- Any other unique identifying number, characteristic, or code
Once all eighteen identifiers have been removed, and the covered entity has no actual knowledge that the remaining data could still identify the individual, the data is de-identified and no longer qualifies as PHI, whether the purpose is marketing, research, or anything else. HIPAA's alternative, the Expert Determination method, allows a qualified expert to certify that the re-identification risk is very small without removing every field on the list.
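The Safe Harbor list above is a procedure, and its edge cases (the three-digit ZIP rule, ages over 89, identifiers buried in free-text notes) are where real de-identification jobs go wrong. The following is an added example written for this page, not code from the original article or from HHS: it applies the eighteen-identifier rules to a constructed flat patient record. The field names, the sample record, the ISO date format and the `RESTRICTED_ZIP3` set are assumptions for illustration; the authoritative list of restricted ZIP prefixes comes from Census data, not from this example.

```python
"""Safe Harbor de-identification of a flat patient record (added example)."""
import re

# Identifiers 1 and 4-18: fields that are dropped outright (assumed field names).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "ssn", "mrn", "email", "phone", "fax", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id", "url",
    "ip_address", "biometric_id", "photo",
}
# Identifier 2: geographic units smaller than a state; the state itself may stay.
GEO_BELOW_STATE = {"street", "city", "county"}
# Three-digit ZIP prefixes covering 20,000 people or fewer must become "000".
# Assumed subset for this example, not the authoritative Census-derived list.
RESTRICTED_ZIP3 = {"036", "059", "102", "203"}

# Identifier 3: dates inside free text are reduced to the year.
DATE_PATTERNS = [
    (re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"), r"\1"),  # 04/18/2023 -> 2023
    (re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"), r"\1"),      # 2023-04-18 -> 2023
]
# Identifiers that commonly leak into clinical notes, replaced by a tag.
# URL runs first so its host is not later mangled by the email/IP patterns;
# the lazy match plus lookahead stops before trailing sentence punctuation.
TEXT_PATTERNS = [
    ("URL", re.compile(r"https?://\S+?(?=[.,;:]?(?:\s|$))")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("MRN", re.compile(r"\bMRN[\s:#-]*\d+\b", re.IGNORECASE)),
]


def zip_to_zip3(zip_code: str) -> str:
    """Keep the first three ZIP digits, or '000' for small-population prefixes."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def generalize_age(age: int) -> str:
    """Ages over 89 collapse into a single '90+' bucket."""
    return "90+" if age >= 90 else str(age)


def year_only(iso_date: str) -> str:
    """Reduce a YYYY-MM-DD date (assumed format) to its year."""
    return iso_date[:4]


def scrub_text(text: str) -> str:
    """Replace identifiers embedded in free text with bracketed tags."""
    for pattern, repl in DATE_PATTERNS:
        text = pattern.sub(repl, text)
    for label, pattern in TEXT_PATTERNS:
        text = pattern.sub(f"[{label}]", text)
    return text


def deidentify(record: dict) -> dict:
    """Return a Safe Harbor de-identified copy of a flat patient record."""
    over_89 = record.get("age", 0) >= 90
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in GEO_BELOW_STATE:
            continue
        if key == "zip":
            out["zip3"] = zip_to_zip3(value)
        elif key == "age":
            out["age"] = generalize_age(value)
        elif key == "birth_date":
            # A birth year that reveals an age over 89 is itself an identifier.
            if not over_89:
                out["birth_year"] = year_only(value)
        elif key.endswith("_date"):
            out[key[: -len("_date")] + "_year"] = year_only(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)  # free text may embed any identifier
        else:
            out[key] = value
    return out


# Constructed sample record for the example; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "mrn": "MRN-4481923",
    "email": "jane.sample@example.com",
    "street": "12 Elm St",
    "city": "Springfield",
    "state": "MA",
    "zip": "01083",
    "birth_date": "1931-02-03",
    "admission_date": "2023-04-17",
    "age": 92,
    "diagnosis": "Type 2 diabetes mellitus",
    "note": ("Pt called from 555-123-4567 on 04/18/2023; portal login from "
             "10.1.2.3, see https://portal.example.com/pt/4481923. "
             "Spouse jane.sample@example.com requests callback. MRN 4481923."),
}

if __name__ == "__main__":
    import json
    print(json.dumps(deidentify(SAMPLE_RECORD), indent=2))
```

Note that removing the listed fields is only half of Safe Harbor: the method also requires that the covered entity has no actual knowledge that what remains could identify the person, which is why the example drops the birth year for a 92-year-old rather than keeping "1931" alongside an age bucket. Regex scrubbing of free text is a best-effort control; a production pipeline would review notes with a dedicated clinical NLP de-identifier and audit its misses.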
The Common Rule (45 CFR 46), the federal regulation first issued by HHS in 1981 and adopted across federal agencies in 1991, sets the baseline ethical standard for federally funded human-subjects research in the US, and it may nonetheless still apply to research that uses such data.
Regardless of funding source, almost all academic institutions in the United States hold their researchers to this standard.