The term Protected Health Information (PHI) was coined with the introduction of the Health Insurance Portability and Accountability Act (HIPAA) in 1996. The role of HIPAA is to make sure your personal health information is kept private. Since most of HIPAA’s rules and regulations revolve around protecting PHI, it’s important for anyone working in healthcare to know what it is and how to handle it in order to stay in compliance with HIPAA.
So, what is PHI?
Protected health information is any identifiable information that appears in medical records as well as conversations between healthcare staff (such as doctors and nurses) regarding a patient’s treatment. It also includes billing information and any information that could be used to identify an individual in a company’s health insurance records.
If you work in healthcare, or aspire to, your job might require you to know and use someone’s protected health information so they can pay for medical expenses or receive treatment. Understanding what PHI includes, and why securing this data is so important, will help ensure that you take the necessary steps to keep it secure.
To be considered PHI, and therefore fall under HIPAA compliance, information must meet two conditions: it must be personally identifiable (that is, it could be used to recognize the patient), and it must be used or disclosed by a covered entity in the course of healthcare.
The identifiers that make health information PHI are:
- Patient Name (full or last name and initial)
- Date of birth
- Address (anything more specific than state, including street address, city, county, precinct, and in most cases zip code, and their equivalent geocodes)
- Social security number
- Phone/fax number
- Email address
- MAC address of the network card on a device
- IP address of a device
- Driver's license number
- License plate numbers
- Biometric data (fingerprints, retina scans, etc.)
- Medical record numbers
- Medical device serial numbers
- Health plan account numbers
- Dates of visits, admission, discharge, and treatment
- Diagnostic codes
It’s important to know that PHI also includes information that’s not current. For example, an old phone number, address, or driver's license number is still considered protected health information.
“Covered Entities” Under HIPAA
A covered entity is anyone who provides treatment, payment, or operations in healthcare, as well as business associates who have access to patient information and provide support in treatment, payment, and operations. Subcontractors and any other related business associates must also be in HIPAA compliance.
This can include:
- Doctors’ offices, dental offices, and clinics
- Nursing homes
- Hospitals or home healthcare agencies
- Health plans, insurance companies, HMOs
- Government programs that pay for healthcare
- Healthcare clearinghouses
As you can see, covered entities span a range of industries and jobs. It's extremely important for anyone who comes into contact with PHI to be aware of HIPAA's Privacy and Security Rules. This includes everyone from HR representatives, IT staff, health plan administrators, and accounts payable to company owners and executives; all of them must use caution when handling PHI. Whether you work in one of these roles, or aspire to, WGU offers a variety of online degree programs and professional development opportunities that can help strengthen your knowledge of PHI as it relates to human resources, information technology, or health information management.
Not all identifiable information is considered PHI. PHI only relates to information on patients or health plan members. It doesn't include information created or maintained for employment records, such as an employee's health records. Health data that's not shared with a covered entity, or that can't be used to identify someone, doesn't qualify as PHI either. For instance, an Apple Watch that tracks your heart rate or daily steps doesn't produce PHI because the data collected isn't being shared with a covered entity.
Below are additional examples of non-PHI:
- Blood sugar readings
- Temperature scans
- Readings from a heart rate monitor
- Data from a health tracker
When it comes to determining what's PHI and what's not, a good rule of thumb is this: if a device or application stores, records, or transmits personally identifiable health data to a covered entity, then that data should be considered PHI.
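As an added illustration (not code from this article, WGU, or HIPAA itself), the following Python scanner covers both the identifier list above and the rule of thumb in this paragraph: it flags the identifier classes it finds in a record and treats the record as PHI only when identifiers are present and the data is held by a covered entity. The regex patterns, the sample record, and the tracker sample are constructed assumptions kept simple for illustration.

```python
import re

# Constructed example (not code from the page, WGU or HIPAA): a scanner for
# some of the identifier classes listed above, plus the page's rule of thumb.
# The regexes are assumptions and deliberately simple; a real DLP control
# would use validated patterns, context checks and name dictionaries.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mac_address": re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),  # DOB, visit, admission...
    "medical_record_number": re.compile(r"\bMRN[:#]?\s*\d{6,}\b"),
}

# Constructed sample inputs (fictitious values).
SAMPLE_RECORD = (
    "Patient Jane Doe, DOB 1987-03-14, SSN 123-45-6789, phone 555-867-5309, "
    "email jane.doe@example.com, MRN 00123456, device 00:1A:2B:3C:4D:5E, "
    "seen 2023-11-02, portal login from 192.168.1.20"
)
TRACKER_SAMPLE = "steps 8200, resting heart rate 61 bpm, sleep 7h"

def find_identifiers(text: str) -> dict:
    """Return {identifier_class: [matches]} for every class present in text."""
    found = {}
    for name, pattern in PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[name] = hits
    return found

def classify(text: str, held_by_covered_entity: bool) -> dict:
    """Rule of thumb from the article: identifiable health data that a covered
    entity stores, records or transmits is PHI; identifiable data that never
    reaches a covered entity (a personal tracker) is not, and neither is
    data with no identifiers at all."""
    ids = find_identifiers(text)
    return {
        "identifiers": ids,
        "identifiable": bool(ids),
        "is_phi": bool(ids) and held_by_covered_entity,
    }

def redact(text: str) -> str:
    """Replace each detected identifier with its class tag, so the text can be
    pasted into a ticket or log line without carrying the identifiers."""
    for name, pattern in PATTERNS.items():
        text = pattern.sub(f"[{name.upper()}]", text)
    return text
```

Note that patient names are not caught by these patterns, which is why the sample still reads "Jane Doe" after redaction; name detection needs a dictionary or NLP step that this illustration omits.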
PHI exists in multiple forms: electronic (ePHI), verbal, and written. Here are some examples of what that could look like:
- Billing information from your doctor
- Blood test results
- An email to a doctor’s office about your medication or prescription
- Appointment scheduling notes from your healthcare provider
- Reminder texts or voicemails about your doctor's appointment
- Any record containing both your name and the name of your medical provider
- Any document that includes a Medicaid or Medicare number
The HIPAA Privacy Rule allows PHI to be shared without patient authorization under certain circumstances. Those exceptions for disclosure include:
- When preventing a serious and imminent threat to the health and safety of a patient or the public based on the health care provider’s professional judgment.
- When coordinating or managing treatment of a patient between providers.
- When ensuring the public’s health and safety for the purpose of preventing or controlling disease, injury or disability.
- When notifying family, friends, and others involved in care.
- When notifying the media and public (if the patient has not objected to release of PHI).
Under the HIPAA Privacy and Security Rules, healthcare organizations are required to secure patient information that’s stored or transferred digitally. These requirements are designed to protect our PHI from things like data breaches or hackers. Organizations are also legally required to maintain their HIPAA compliance by monitoring changes in the law and upgrading outdated technologies.
When it comes to keeping patient data secure, HIPAA’s Privacy and Security Rules require healthcare organizations to exercise best practices in three areas: administrative, physical security, and technical security.
Administrative security requirements
These requirements cover training and procedures for employees, regardless of whether the employee has access to PHI or not. Some of the legal requirements under this standard include:
- Annual HIPAA training and education on the organization’s specific security procedures
- Sanctions against any employee who violates security procedures
- A data breach response plan
- Annual data security assessment
Physical security requirements
The physical security requirements outlined by HIPAA are designed to prevent physical theft and loss of devices that contain patient information. Some examples of this include:
- Limiting access to buildings that contain information systems like computers and servers
- Securing workstations that contain PHI
- Putting policies in place for how devices containing PHI can be removed from a facility
Technical security requirements
Under this rule, technical safeguards must be put into place to protect networks and devices from data breaches. Some technical security requirements include:
- Policies and procedures that allow only authorized individuals to access PHI
- Hardware or software that records and monitors access to systems that contain PHI
- Procedures to ensure that PHI is not altered, destroyed, or tampered with
- Security measures that protect against unauthorized access to PHI that’s being transmitted over an electronic network
These can often be the most challenging regulations for organizations to understand and implement. Organizations can meet their legal obligations under HIPAA by having the right professionals in place to ensure healthcare data is both secure and accessible.
Due to the growing need to protect PHI, jobs in cybersecurity, health information management, and information technology are in high demand. If you’re looking to start or further your career in one of these industries, an online degree from WGU is a great place to start.