Protected Health Information or PHI, is patient data regulated and protected under HIPAA security standards.
Protected Health Information (PHI) or Electronic Protected Health Information (ePHI) is data that a healthcare professional collects to identify an individual and determine appropriate care. PHI is regulated under HIPAA and is enforced by The US Department of Health and Human Services (HHS) Office of Civil Rights (OCR).
PHI is regulated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and revisions created by Health Information Technology for Economic and Clinical Health (HITECH). These regulations limit how organizations can share patient information, and make specific technical requirements for storing sensitive information.
Healthcare IT vendors, partners and business associates of healthcare providers must sign Business Associates Agreements (BAA) to clarifying how PHI is being safeguarded under HIPAA. Cloud providers such as Amazon Web Services (AWS) define responsibilities for both parties under a shared responsibility model and offered business associates agreement.
What Are Identifiers Of Protected Health Information?
Health information connected to personally identifiable information must be safeguarded and comply with HIPAA guidelines.
The HIPAA Privacy rule lays out a set of specific identifiers that are considered personally identifiable information.
There are 18 HIPAA Identifiers:
- Address (all geographic subdivisions smaller than state, including street address, city county, and zip code)
- All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
- Telephone numbers
- Fax number
- Email address
- Social Security Number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate or license number
- Any vehicle or other device serial number
- Web URL
- Internet Protocol (IP) Address
- Finger or voice print
- Photographic image – Photographic images are not limited to images of the face.
- Any other characteristic that could uniquely identify the individual
Information or data that contains any of these identifiers, or parts of the identifier, such as initial is considered “identified” and is subject to HIPAA requirements. Information is only considered “de-identified” if all 18 HIPAA identifiers are removed, including procedure dates and images. In general patient identity must not be easy to derive from de-identified data.
Is My Data Protected Health Information?
If a device or application stores, records or transmits personally identifiable health data to a covered entity, it is PHI and must be handled in a HIPAA compliant manner.
If you are not planning on interacting with a covered entity, then HIPAA regulations do not apply. (Example: A step tracking app). If your organization plans to interact with EHR systems, healthcare providers, or other healthcare stakeholders, your organization should plan to manage data in a HIPAA complaint manner. Organizations providing business software such as a CRMs, communication solutions, or productivity software, that interacts with patient data must follow HIPAA requirements.
Below are a couple of examples, depicting what would be considered PHI:
PHI – Certain Patient & Provider Communications
PHI – Test and Lab Results From A Healthcare Provider
PHI – Wearable Devices
Here are a couple of examples, depicting data that is not considered PHI:
Not PHI – Fitbit Step Data
Not PHI – Personal Health Records
Not PHI – Meal Tracking