What Counts as Protected Health Information (PHI)?

Protecting sensitive patient information has become more important than ever due to recent IT advancements and associated risks such as hacking and malware.

Massive penalties await healthcare companies like you if the protected health information (PHI) you handle is breached and leaked. In addition to seeking HIPAA compliance consulting, proactively knowing what counts as PHI is a crucial matter that deserves your utmost attention.

What Is Protected Health Information?

As defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), protected health information refers to any information that:

• Concerns the health status of an individual, such as their health records;
• Is created, received, or shared by a covered entity and its business associates;
• And can be traced back to and associated with an individual patient.

PHI is personally identifiable information, including demographic data, insurance details, and medical history, necessary to provide proper healthcare to an individual.

If stored, managed, and/or transmitted using electronic means, this information is referred to as electronic PHI (ePHI). This includes all PHI stored on external hard drives, removable storage media, personal computers, cloud systems, and more.

Why Is It Important to Secure Protected Health Information?

HIPAA-related data breaches come with hefty fines. For a single accidental violation, the fines can go from $100 to $50,000, depending on the severity of the case. If it’s due to willful neglect, you receive a fine of $50,000 directly for a single violation. The yearly maximum is $1.5 million.

Another implication of PHI is that it can be linked to a person. Should it be leaked and accessed by someone with malicious intent, there might be unimaginable consequences, including identity theft, stigma, discrimination, and embarrassment.

That’s why covered entities and their business associates are required to ensure that PHI is only known to those people directly related to a patient’s healthcare.

According to the law, covered entities include health plans, healthcare providers, and healthcare clearinghouses. They may work with business associates, which are service providers that may need access to PHI.

18 PHI Identifiers Under HIPAA

HIPAA highlighted eighteen (18) marks that covered entities must pay particular attention to. These are personally identifiable, and when used together with healthcare documents and data, they can be considered PHI.

• Name
• Geographical identifiers smaller than a state, such as street address, city, and ZIP code
• Dates directly associated with an individual (except years), such as birthdate, death date, and exact age
• Phone number(s)
• Fax number(s)
• Email address
• Social Security number
• Medical record number(s)
• Health plan beneficiary number
• Account number(s)
• Certificate or license number(s)
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web URL(s)
• IP addresses
• Biometric data, including retinal, finger, and voice prints
• Photographic images
• Other unique identifying numbers, characteristics, or codes that can be linked to an individual

In any form of communication concerning a person’s healthcare, all information shared would be considered “identified” if it contains even one of these 18 HIPAA identifiers.

Covered entities must be very careful when handling PHI, especially when it can appear on common documents and channels like the following:

• Emails
• Health-related examination results, such as MRI scans and blood tests
• Phone and fax history
• Appointment records
• Billing details

What Is Not Considered PHI?

Technically, any health information that lacks the 18 identifiers listed above is not considered PHI. In other words, it cannot be traced back to any individual who received healthcare.

Health information concerning people who have been deceased for 50 years or beyond is also not considered PHI anymore.

If you want to use existing PHI for specific purposes, such as research and marketing, you must first de-identify it. Under the HIPAA Privacy Rule, de-identification is the process by which you remove all 18 identifiers from the PHI.

Once stripped off, a qualified statistician will check the information to ensure that it is not linked to the individual.

Keeping PHI Secure

The HIPAA Security Rule mandates that all covered entities make an effort to keep protected health information secure at all times. There are three HIPAA requirements and security standards for compliance, including:

• Administrative safeguards, including the protocols, policies, and procedures for accessing PHI, medical HIPAA training
• Physical safeguards, such as control over data storage locations and other IT equipment
• Technical safeguards, including encryption techniques, secure transmission of PHI, and other cybersecurity measures

At Physician’s Resource, your reliable HIPAA consulting provider, we understand how challenging it is for any healthcare and insurance provider to keep up with these safeguards. With our experience in digital security and compliance, we’re here to help—both in securing PHI and in Oregon HIPAA audit protection.

Together with our experts, let’s ensure that you keep your PHI secure and minimize the risk of violating HIPAA. In turn, you can avoid hefty fines, whether legal, social, or financial. And more than that, you successfully protect the privacy and security of your clients.

Call us at 1-800-615-1729 today and talk with our veteran compliance specialists for HIPAA audit help.