In a healthcare setting, you are likely to hear health information referred to as protected health information, or PHI. But what is considered PHI under HIPAA?
What is Considered PHI According to HIPAA Laws?
Under HIPAA, PHI is any identifiable health information that is stored, maintained, used, or transmitted by a HIPAA covered entity (a healthcare provider, a health insurer or health plan, or a healthcare clearinghouse) or by a business associate (BA) of a covered entity, in connection with the delivery of healthcare or payment for healthcare services.
Under HIPAA, it is not just current and past health information that is considered PHI, but also future information about medical conditions or physical and mental health related to the delivery of care or payment for care. PHI is health information in any form, including electronic records, physical records, or spoken information.
PHI therefore includes medical bills, lab test results, health histories, and health records. Essentially, all health information is considered PHI when it includes individual identifiers. Under HIPAA, demographic information is also considered PHI, as are many common identifiers such as patient names, birth dates, insurance details, driver's license numbers, and Social Security numbers when they are linked with health information.
The eighteen identifiers that make health information PHI are:
- Telephone numbers
- Fax numbers
- Account numbers
- Social Security numbers
- Health plan beneficiary numbers
- Any unique identifying number or code
- Biometric identifiers (e.g., fingerprints, retinal scans)
- Full-face photos and comparable images
- Internet protocol addresses
- Certificate/license numbers
- Email addresses
- Medical record numbers
- Web URLs
- Device identifiers and serial numbers
- Vehicle identifiers and serial numbers, including license plates
- Geographic data
- Dates, except year
When is Protected Health Information not Protected Health Information?
There is a common misconception that all health information is considered protected health information under HIPAA; however, there are a few exceptions.
First, it depends on who records the information. A good example is health trackers, either applications on cell phones or physical devices worn on the body. These devices can record health information such as blood pressure or heart rate, which would be considered PHI under HIPAA if the information was recorded by a healthcare provider or was used by a health plan.
However, HIPAA only applies to HIPAA covered entities and their business associates (BAs), so if the app developer or device manufacturer has not been contracted by a covered entity and is not a BA, the recorded information would not be considered PHI under HIPAA.
The same applies to employment and education records. A hospice may keep data on its employees, which can include some health information (for instance, blood type or allergies), but HIPAA does not apply to employment records, nor to education records.
Protected health information also ceases to be protected health information when it is stripped of all identifiers that can link the information to an individual. PHI stripped of these identifiers is considered de-identified PHI, and the restrictions of the HIPAA Privacy Rule on uses and disclosures no longer apply.