What is Considered PHI?

PHI is considered to be health, treatment, or payment information – or any associated identifying information – that is created, received, maintained, or transmitted by a HIPAA regulated entity.

PHI is an acronym for Protected Health Information – a term used in the healthcare and health insurance industries to describe individually identifiable health information subject to the privacy and security regulations of the Health Insurance Portability and Accountability Act (HIPAA).

It is important to know what is considered PHI under HIPAA because the privacy and security regulations govern when PHI can be used and disclosed, who can use PHI and to whom it can be disclosed, and what security measures have to be implemented to protect it.

If it is not known what is considered PHI under HIPAA, it is possible that individually identifiable health information could be used or disclosed impermissibly, disclosed to unauthorized individuals, or exposed to third parties who commit identity theft and healthcare fraud.

What is Considered PHI under HIPAA?

HIPAA (§160.103) defines PHI as “individually identifiable health information transmitted by electronic media, maintained by electronic media, or transmitted or maintained in any other form or medium”. (*) To better understand this definition, it is helpful to refer to how HIPAA defines individually identifiable health information:

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

(i) That identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

(*) The unusual “electronic/any other form” wording reflects that Title II of HIPAA was originally intended to standardize electronic healthcare transactions and protect the health information included in them. The Privacy Rule was added to HIPAA later, after Congress failed to enact privacy legislation of its own. See Why was HIPAA Created? for more information on the origins of HIPAA.

What These Definitions Mean

To summarize the above definitions of what is considered PHI under HIPAA, PHI is any information relating to an individual’s health condition, treatment for the condition, or payment for the treatment and any further information maintained with the health/treatment/payment information that could be used to identify the individual.

Therefore, if a patient has an emotional support animal that people would recognize and associate with the patient, and information about the emotional support animal is maintained in the same designated record set as the patient’s health information, the information about the emotional support animal assumes the same protections as the patient’s health information.

However, if information about the emotional support animal is maintained separately from the patient’s health information (e.g., for transport purposes), it is not protected. The same applies to any of the “18 HIPAA Identifiers”, which are sometimes confused with what is considered PHI under HIPAA, if they are maintained in a separate database from a patient’s health information.

The Consequences of Too Much Security

While it is important to know what is considered PHI under HIPAA and to ensure PHI is protected from impermissible uses and disclosures, it is also important to develop policies that permit access to individually identifiable non-health information when it is maintained separately from a patient’s health information (e.g., for transport purposes).

If policies are developed that treat all information as PHI, this can obstruct the flow of information required for the smooth operation of a healthcare facility. It can also lead to scenarios in which database login credentials are shared with unauthorized workforce members so they can access the information they need to do their jobs, which undermines the access controls the policies were meant to enforce.

Organizations unsure about what is considered PHI under HIPAA, how it should be protected, or how non-health information can be isolated in compliance with HIPAA should seek professional compliance advice.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years’ experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA