HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Identifying PHI

Written by Tshedimoso Makhene | Oct 1, 2024 2:00:30 PM

Protected health information (PHI) refers to any information about health status, healthcare provision, or payment for healthcare that can be linked to a specific individual. PHI must be handled carefully and in line with the specific requirements set out by HIPAA.


What is protected health information (PHI)?

PHI refers to individually identifiable health information created, received, or maintained by healthcare providers, health plans, healthcare clearinghouses, or business associates acting on behalf of covered entities. Information may include an individual’s: 

  • Past, present, or future physical or mental health or condition,
  • Healthcare provided to the individual, or
  • Payment for the healthcare provided to the individual.

To qualify as PHI, the information must also include one or more of the 18 identifiers defined by HIPAA, which make the data linkable to a specific individual. Because those identifiers tie the health information to a particular patient, their presence is what makes the information necessary to protect.

See also: FAQs: Protected health information (PHI)


The 18 HIPAA identifiers of PHI

The HIPAA Privacy Rule identifies 18 types of data that, when linked with health information, are classified as PHI. These identifiers are the foundation of what distinguishes general health data from protected health data under HIPAA.

Here’s a breakdown of the 18 identifiers that convert health information into PHI:

  • Names: This includes full names, last names and initials, or first names alone that are unique enough to identify an individual.
  • Geographic information: Anything smaller than a state, such as street addresses, cities, counties, or zip codes, can serve as an identifier. ZIP codes containing fewer than 20,000 people also qualify as PHI.
  • Dates: Any dates that relate to the individual’s health care or personal life, such as birth, admission, discharge, or death dates, are considered PHI. Exact ages over 89 are also included. 
  • Telephone numbers: Any phone numbers, including mobile, home, or office lines, are considered identifiers.
  • Fax numbers: This includes any fax number associated with the individual’s health care or payment information.
  • Email addresses: Personal and professional email addresses that are used for correspondence about healthcare or payment.
  • Social Security Numbers (SSN): This includes full or partial SSNs.
  • Medical record numbers: Unique codes assigned to patients for managing their healthcare records.
  • Health plan beneficiary numbers: Any number assigned by an insurer to the individual.
  • Account numbers: This could be any form of financial account, patient account, or payment account number.
  • Certificate or license numbers: Identifiers like professional licenses, medical certificates, or any other license or certification number.
  • Vehicle identifiers: License plate numbers or VINs (Vehicle Identification Numbers) associated with the individual.
  • Device identifiers: Serial numbers or other identifiable information tied to medical devices associated with the patient.
  • Web URLs: Any web addresses or URLs tied to a person’s health information.
  • IP addresses: An individual’s Internet Protocol (IP) address can qualify as PHI if linked to their health information.
  • Biometric identifiers: This includes fingerprints, voice prints, or facial recognition data that can identify an individual.
  • Full-face photographs and comparable images: Any image that can reveal the full identity of a person, such as a facial photograph, constitutes PHI.
  • Any other unique identifying number or code: This catch-all category includes any other unique code or number that could identify the individual.

Go deeper: What are the 18 PHI identifiers?


When health information becomes PHI

According to the National Institutes of Health, “When health information is individually identifiable and is held by a covered entity, it is likely to be PHI.” However, not all health information is PHI. For health information to be classified as PHI, two conditions must be met:

  • The information must relate to an individual’s health, healthcare, or payment for healthcare.
  • It must include one or more of the 18 HIPAA identifiers.

For example, a random lab result without any identifiable data is not PHI. However, a lab result that includes the patient’s name, medical record number, or any other identifier becomes PHI and must be protected under HIPAA.

Data also stops being PHI once it is de-identified, meaning all 18 identifiers are removed and the data cannot be re-linked to the individual.
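The two-condition test above and the de-identification step can be expressed as a simple check over a patient record. The following is an added example written for this article, not code from HIPAA Times or any HIPAA guidance document. It assumes a record is a dictionary whose field names (`diagnosis`, `mrn`, `zip`, and so on) are mapped to the 18 identifier categories, scans the free-text `note` field for identifiers that commonly leak into narrative text, and de-identifies by removing direct identifiers outright while applying the Safe Harbor generalizations for dates (year only), ZIP codes (3-digit prefix only where the area holds more than 20,000 people, otherwise `000`) and ages over 89 (collapsed to `90+`). The population table, the sample records and the field names are constructed for illustration.

```python
"""Two-condition PHI check and Safe Harbor-style de-identification over a constructed record.

Added example, not HIPAA Times' code. Field names, the ZIP population table and the
sample records are constructed for illustration; no real patient data appears here.
"""
import re
from copy import deepcopy
from typing import Any, Dict, List

# Condition 1: fields that carry health-status, treatment or payment content.
HEALTH_FIELDS = {"diagnosis", "procedure", "claim_amount", "note"}

# Condition 2: fields that carry one of the 18 identifiers, keyed to the category.
IDENTIFIER_FIELDS = {
    "name": "names", "street": "geographic", "city": "geographic", "zip": "geographic",
    "dob": "dates", "admit_date": "dates", "discharge_date": "dates", "age": "dates",
    "phone": "telephone", "fax": "fax", "email": "email", "ssn": "ssn",
    "mrn": "medical_record_number", "member_id": "health_plan_beneficiary",
    "account": "account", "license": "certificate_license", "plate": "vehicle",
    "device_serial": "device", "url": "web_url", "ip": "ip_address",
    "fingerprint": "biometric", "photo": "full_face_photo", "other_id": "other_unique_code",
}

# Constructed population counts per 3-digit ZIP prefix (real counts come from Census data).
# The prefix may be kept only when the area holds more than 20,000 people.
ZIP3_POPULATION = {"021": 1_500_000, "036": 15_000}

# Identifiers that tend to leak into free-text notes rather than structured fields.
NOTE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.\w{2,}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "medical_record_number": re.compile(r"\bMRN[-: ]?\d{4,}\b", re.IGNORECASE),
}


def _identifying(field: str, value: Any) -> bool:
    """True when a structured field still holds an identifying value rather than
    the generalized form (year only, 3-digit ZIP, or '90+')."""
    if value in (None, ""):
        return False
    text = str(value)
    if field == "age":
        return text != "90+" and int(text) > 89   # only exact ages over 89 identify
    if IDENTIFIER_FIELDS[field] == "dates":
        return len(text) > 4                       # anything more precise than the year
    if field == "zip":
        return len(text) > 3                       # a full 5-digit ZIP
    return True


def find_identifiers(record: Dict[str, Any]) -> List[str]:
    """Return the sorted identifier categories present in the record."""
    found = set()
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS and _identifying(field, value):
            found.add(IDENTIFIER_FIELDS[field])
    for category, pattern in NOTE_PATTERNS.items():
        if pattern.search(str(record.get("note", ""))):
            found.add(category)
    return sorted(found)


def is_phi(record: Dict[str, Any]) -> bool:
    """Both conditions from the article: health content AND at least one identifier."""
    has_health = any(record.get(f) not in (None, "") for f in HEALTH_FIELDS)
    return has_health and bool(find_identifiers(record))


def de_identify(record: Dict[str, Any]) -> Dict[str, Any]:
    """Drop direct identifiers, generalize dates/ZIP/age, and scrub the note text."""
    out = deepcopy(record)
    for field, category in IDENTIFIER_FIELDS.items():
        if field not in out or out[field] in (None, ""):
            continue
        if field == "age":
            out[field] = "90+" if int(out[field]) > 89 else out[field]
        elif category == "dates":
            out[field] = str(out[field])[:4]       # keep the year only
        elif field == "zip":
            prefix = str(out[field])[:3]
            out[field] = prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"
        else:
            del out[field]                         # direct identifier: remove entirely
    if "note" in out:
        for category, pattern in NOTE_PATTERNS.items():
            out["note"] = pattern.sub(f"[{category.upper()} REMOVED]", out["note"])
    return out


# Constructed sample records; no real patient data.
IDENTIFIED_RECORD = {
    "name": "Jane Q. Example", "dob": "1931-05-14", "age": 93, "zip": "03601",
    "admit_date": "2024-09-30", "mrn": "MRN-8841920", "email": "jane@example.com",
    "diagnosis": "Type 2 diabetes",
    "note": "Patient called from 603-555-0142 about her A1c; SSN on file 123-45-6789.",
}
BARE_LAB_RESULT = {"diagnosis": "Type 2 diabetes", "note": "A1c 7.2%, repeat in 3 months"}

if __name__ == "__main__":
    print(find_identifiers(IDENTIFIED_RECORD), is_phi(IDENTIFIED_RECORD))  # 7 categories, True
    print(is_phi(BARE_LAB_RESULT))                                           # False
    clean = de_identify(IDENTIFIED_RECORD)
    print(clean, is_phi(clean))                                              # ..., False
```

The bare lab result fails the second condition and is not PHI; the same result with a name or medical record number attached is. After `de_identify`, the record keeps its clinical content but no longer satisfies the second condition, which is the state the paragraph above describes. Pattern-based scanning of free text is a heuristic and will miss identifiers written in unusual formats, so in practice it complements, rather than replaces, field-level controls.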

Read also: How to de-identify protected health information for privacy


Common examples of PHI

To better understand how PHI manifests in day-to-day operations, consider the following examples:

  • Appointment reminders: Sending a reminder to a patient that includes their name, date of birth, or contact details constitutes PHI.
  • Billing information: If a healthcare provider shares information about services rendered to a patient, including an account number or insurance details, this is PHI.
  • Employee health records: If an employer has access to an employee’s health information as part of a workplace wellness program, this can be PHI if it includes any of the 18 HIPAA identifiers.


Best practices for safely handling PHI 

Identifying PHI is just the first step. Once you recognize PHI, the next step is ensuring it is handled safely and complies with HIPAA regulations. Here are some best practices:

  • Use secure communication channels: Always ensure PHI is transmitted through HIPAA-compliant channels. This includes encrypted emails, secure messaging systems, and password-protected files.
  • Limit access to PHI: Ensure that only authorized personnel have access to PHI. Implement role-based access controls and regularly audit who can access sensitive information.
  • Educate employees: Regular HIPAA training sessions ensure that employees understand how to identify and properly handle PHI. Train staff on identifying PHI across all forms of communication: verbal, written, or electronic.
  • Use de-identified data when possible: De-identification allows for the sharing of health information without the risk of exposing sensitive data. If there’s no need for personal identifiers, ensure they are removed.
  • Secure physical records: For paper records or other physical forms of PHI, ensure that these are stored in secure, locked locations and are only accessible to authorized individuals.

See also: HIPAA Compliant Email: The Definitive Guide


FAQs

Does HIPAA apply to all health-related information?

HIPAA applies specifically to PHI as defined by its connection to the 18 identifiers. General health-related information that is not tied to a specific individual or that has been de-identified is not covered by HIPAA.


What role do business associates play in PHI protection?

Business associates are third parties that perform services for healthcare organizations involving the use or disclosure of PHI. They are required to sign business associate agreements (BAAs) with healthcare providers, ensuring they are bound by HIPAA rules and responsible for safeguarding PHI in their custody.