Understanding Protected Health Information (PHI) and HIPAA Regulations

Understanding Protected Health Information (PHI)

What is PHI?

Protected Health Information (PHI) is any individually identifiable health information that is created, received, maintained or transmitted in any form or medium by a Covered Entity or its Business Associate. It covers demographic details and any other data that relates to an individual's past, present or future physical or mental health, to the provision of health care to that individual, or to payment for that care, and that identifies the individual or could reasonably be used to identify them.

What is not PHI?

De-identified health information, which neither identifies an individual nor provides a reasonable basis for identifying one, is not PHI. A dataset of vital signs with no identifiers attached, for example, is not PHI; the same dataset becomes PHI as soon as it carries medical record numbers or other identifiers. The reverse also holds: data that is not medical in itself, such as a face image, a fingerprint or a voiceprint, becomes PHI once it is linked to medical records, biological samples, study datasets or the direct identifiers of research subjects in a clinical trial.

The HIPAA Privacy Rule's Safe Harbor de-identification method (45 CFR 164.514(b)(2)) lists 18 identifiers that must be removed before data counts as de-identified:

  1. Names
  2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code and their equivalent geocodes. The first three digits of a ZIP code may be kept only if the area formed by all ZIP codes sharing those three digits contains more than 20,000 people; otherwise the three digits are replaced with 000.
  3. All elements of dates (except the year) directly related to an individual, including birth date, admission date, discharge date and date of death; and all ages over 89 and all date elements (including the year) that reveal such an age, except that these may be aggregated into a single category of age 90 or older.
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers, such as finger and voice prints
  17. Full face photos and any comparable images
  18. Any other unique identifying number, characteristic, or code (other than a re-identification code assigned by the investigator that meets the conditions described below)

Moreover, the Privacy Rule sets conditions on any code used to replace these identifiers so that the data cannot be re-identified by whoever receives it. The code must not be derived from, or related to, information about the individual; it must not be translatable back to the individual by holders of the dataset; and the key that maps codes back to individuals, along with the mechanism for re-identification, must be kept separately and not disclosed. For instance, a subject's initials cannot serve as their code, because the initials are derived from the name.
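As an added example that is not part of the original page or any HHS material, the following Python routine applies the Safe Harbor rules for items 2 and 3 above and the re-identification-code conditions to a single record. The field names, the sample record and the ZIP3 population figures are constructed for illustration (a real pipeline would use the Census-derived ZIP3 population table), and the deliberately non-compliant initials-based code is shown beside a compliant random one.

```python
import re
import secrets
from datetime import date

# Safe Harbor, item 2: a 3-digit ZIP prefix may be retained only if the area it
# covers has more than 20,000 residents; otherwise it becomes "000".
ZIP3_POPULATION_THRESHOLD = 20_000

# Constructed population figures for two ZIP3 prefixes (not Census data); a real
# pipeline would load the current Census-derived ZIP3 population table.
SAMPLE_ZIP3_POPULATION = {"021": 650_000, "036": 15_000}

# Field names are assumptions for this example. They correspond to list items
# name (1), phone (4), email (6), ssn (7), mrn (8), ip (15) and are dropped outright.
DIRECT_IDENTIFIERS = {"name", "phone", "email", "ssn", "mrn", "ip"}


def generalize_zip(zip_code, zip3_population):
    """Item 2: keep at most the first three digits, and only if that ZIP3
    area exceeds the population threshold."""
    digits = re.sub(r"\D", "", zip_code or "")
    zip3 = digits[:3]
    if len(zip3) < 3 or zip3_population.get(zip3, 0) <= ZIP3_POPULATION_THRESHOLD:
        return "000"
    return zip3


def generalize_age(birth_date, as_of):
    """Item 3: ages over 89 are aggregated into a single '90+' category."""
    had_birthday = (as_of.month, as_of.day) >= (birth_date.month, birth_date.day)
    age = as_of.year - birth_date.year - (0 if had_birthday else 1)
    return "90+" if age >= 90 else str(age)


def generalize_date(d):
    """Item 3: every date element except the year is removed."""
    return str(d.year)


def initials_code(record):
    """Deliberately NON-compliant: the code is derived from the name, so it
    carries information about the individual, which 164.514(c) forbids."""
    return "".join(part[0] for part in record["name"].split()).upper()


def assign_code(record, key_map):
    """Compliant re-identification code: random, unrelated to any field of the
    record, and recorded in a key map that is stored apart from the dataset
    and never disclosed with it."""
    code = secrets.token_hex(8)
    key_map[code] = record["mrn"]
    return code


def safe_harbor_deidentify(record, key_map, as_of, zip3_population):
    """Return a copy of `record` with the Safe Harbor rules applied."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["zip3"] = generalize_zip(out.pop("zip"), zip3_population)
    out["age"] = generalize_age(out.pop("dob"), as_of)
    out["admit_year"] = generalize_date(out.pop("admit_date"))
    out["subject_code"] = assign_code(record, key_map)
    return out


# Constructed sample record (fictional values).
SAMPLE_RECORD = {
    "name": "Jane Q. Doe",
    "mrn": "MRN-0000123",
    "ssn": "000-00-0000",
    "phone": "555-0100",
    "email": "jane@example.com",
    "ip": "192.0.2.10",
    "zip": "03601-1234",
    "dob": date(1931, 5, 4),
    "admit_date": date(2024, 2, 29),
    "systolic_bp": 128,
}

if __name__ == "__main__":
    key_map = {}
    print(safe_harbor_deidentify(SAMPLE_RECORD, key_map, date(2024, 6, 1),
                                 SAMPLE_ZIP3_POPULATION))
    print("key map (store separately from the dataset):", key_map)
```

Running it on the sample record drops the six direct identifiers, truncates the sparsely populated ZIP code to 000, reports the age as 90+, keeps only the admission year, and attaches a random subject code whose mapping to the MRN lives only in the separate key map. Note that Safe Harbor also requires that the covered entity has no actual knowledge that the remaining data could identify the individual; no code check replaces that judgement.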

For more detailed information on PHI and HIPAA regulations, you can refer to the official U.S. Department of Health & Human Services (HHS) website at https://www.hhs.gov/hipaa/.
