What counts as PHI under HIPAA?

Last updated

23 August 2023

Author

Dovetail Editorial Team

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides certain federal protections for an individual’s health information. However, it also permits some personal health information to be disclosed for the purpose of patient care and interprofessional communication.

You might have heard of HIPAA, but do you know which health details are considered protected health information (PHI)?

Read on to find out what counts as PHI under the HIPAA Privacy Rule.

What is protected health information?

Protected health information, or PHI, refers to individually identifiable health details. Examples include medical histories, demographic information, test and lab results, insurance details, mental health conditions, and other data collected for the purpose of medical care.

What is ePHI?

Electronic protected health information (ePHI) is PHI that is created, received, stored, or transmitted electronically. In the US, the handling of ePHI is regulated under HIPAA.

What’s the difference between PHI, PII, and IIHI?

The distinctions between PHI, personally identifiable information (PII), and individually identifiable health information (IIHI) are minor—but it’s important to understand them.

IIHI is defined as health information received or created by a healthcare provider, employer, health plan, or healthcare clearinghouse. It can relate to an individual’s past, present, or future health condition; the treatment they receive; or payment for that care. This type of health information can be used to identify the person.

This information will become PHI if it’s maintained or transmitted in any form or medium. This might imply that all IIHI is protected—but this rule has some exceptions. For instance, IIHI that’s maintained or transmitted by an employer is not considered PHI.

PII, on the other hand, includes information that can be used to distinguish a person’s identity. It might consist of passport numbers, Social Security Numbers (SSNs), email addresses, photos, biometric data, and other information that can be linked to that individual.

Some of this data will not be considered PHI on its own. But if those data points are paired with a treatment plan, health condition, or any other type of health information, they become PHI.

PHI and HIPAA

For health information to be considered PHI and be regulated by HIPAA, it needs to be:

  1. Personally identifiable to a patient

  2. Used or disclosed to a covered entity during the course of care

Some of the more common examples of PHI include the following:

  • An MRI scan

  • Test results

  • Billing information from a healthcare professional

  • Emails to a doctor regarding your medication or prescription needs

  • Phone records

What isn’t considered PHI?

PHI relates to anything that can be used to identify a person, including facial images, private information, and fingerprints.

Consequently, health information that doesn’t identify a person, or provide a reasonable basis for identifying them, isn’t considered PHI.

Here are some examples of health data that isn’t considered PHI:

  • The number of calories burned or steps counted by a pedometer

  • A blood sugar reading without identifiable user information

  • A heart rate reading without any identifiable user information

How is PHI used?

PHI refers to anything that can be used to identify a person, such as private information, voice recordings, and even fingerprints.

In clinical trials, these details can be associated with biological specimens, medical records, datasets, biometrics, and other direct identifiers of research subjects. This information is also used in research studies where existing medical records are reviewed to gain information, such as retrospective chart reviews.

What are covered entities under HIPAA?

HIPAA defines covered entities as health plans, healthcare providers, and healthcare clearinghouses that electronically transmit any health details in connection with transactions for which the US Department of Health and Human Services (HHS) has adopted standards.

What happens if protected health information is leaked?

If health information is leaked (for example, through a breach), HHS can impose a penalty under HIPAA, depending on the severity of the leak and the covered entity’s response to it. These penalties range from $100 to $50,000 per incident and can go as high as $1.5 million.

First-tier penalties are generally imposed when a covered entity did not know, and could not reasonably have known, about the breach that leaked an individual’s details.

Second-tier penalties range from $1,000 to $50,000 per incident, up to a maximum of $1.5 million. These are issued when the covered entity knew or should have known about the breach.

Third-tier penalties range from $10,000 to $50,000 per incident, up to a maximum of $1.5 million. These are imposed when a covered entity acted with willful neglect but corrected the breach within 30 days.

Fourth-tier penalties start at $50,000 per incident. These are issued for willful neglect without any appropriate and timely correction.

How do I keep my protected health information safe?

People can protect their health information in several ways. Here are some of the more common measures:

  • Use passwords on computers and cell phones so that you are the only person who can access your personal details.

  • Use strong passwords, update them often, and don’t share them with anyone.

  • Don’t post anything regarding your health or personal information on the internet or social media.

  • Consider installing encryption software on your device.
