The Department of Health and Human Services (HHS) lists the 18 HIPAA identifiers (the data elements that must be removed for a record to count as de-identified under the Safe Harbor method) as follows:
Names (including those of relatives, emergency contacts, employers, or household members)
Geographic elements smaller than a state (such as a street address, city, county, precinct, or ZIP code)
All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, and date of death, plus all ages over 89 (these may be aggregated into a single category of 90 or older)
Telephone numbers
Fax numbers
Email addresses
Social security numbers
Medical record numbers
Health insurance beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Digital identifiers, such as website URLs
IP addresses
Biometric identifiers, including finger, retinal, and voice prints
Full-face photographs and any comparable images
Any other unique identifying number, characteristic, or code
18 HIPAA Identifiers and the HIPAA Privacy Rule
The HIPAA Privacy Rule established national standards for the use and disclosure of PHI. It requires covered entities to follow the “minimum necessary” standard: when using, disclosing, or requesting PHI, a covered entity (CE) must make reasonable efforts to limit the information to the minimum needed to accomplish the intended purpose. In practice this means workforce members should be able to access only the PHI their job functions require.
The HIPAA Privacy Rule also lays out patient rights in regards to their PHI.
Notice of Privacy Practices (NPP): must be given to patients no later than their first service encounter, and must be written in plain language that patients can easily understand. An NPP explains how the covered entity (CE) may use and disclose PHI, the CE’s duties to protect it, and the patient’s rights with respect to it.
Request Access to Medical Records: patients have the right to inspect and obtain a copy of their medical records. A CE may require that the request be made in writing, but must generally act on it within 30 days.
Request an Amendment to Medical Records: the HIPAA Privacy Rule mandates that patients have the right to request an amendment of PHI when they believe there is an error in their record. The CE may deny the request (for example, because it did not create the record or considers it accurate and complete), but it must give the denial in writing and allow the patient to file a statement of disagreement.
Request Special Privacy Protection for PHI: patients have the right to request restrictions on how their PHI is used and disclosed. A CE is not required to agree to most such requests, with one exception: it must honor a request not to disclose PHI to a health plan when the patient has paid for the service out of pocket in full.
Parents’ Access to a Minor’s Medical Records: in most cases a parent or legal guardian, acting as the minor’s personal representative, can access the minor’s medical records. HHS gives examples of situations in which a parent is not the personal representative and cannot access the records:
The minor consents to care and state law does not require parental consent
A court, or a person appointed by a court, directs that the minor receive care
A parent agrees that the minor and the covered entity have a confidential relationship
18 HIPAA Identifiers and the HIPAA Security Rule
The HIPAA Security Rule applies to electronic PHI (ePHI) and requires covered entities and business associates to protect it with administrative, physical, and technical safeguards. Organizations must ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit. The Security Rule defines these terms as follows:
Confidentiality: ePHI is not made available or disclosed to unauthorized persons or processes
Integrity: ePHI is not altered or destroyed in an unauthorized manner
Availability: ePHI is accessible and usable on demand by an authorized person
What is PHI in Healthcare?
PHI is individually identifiable health information protected by the Health Insurance Portability and Accountability Act (HIPAA). It covers the contents of a patient’s health record (charts, lab results, health history, and more) together with the personal information that identifies the patient.
Information is PHI if it is created or received by a HIPAA-covered entity (or its business associate) and relates to an individual’s health condition, the care provided to them, or the payment for that care. Records used for healthcare payment processing, invoicing, and payment posting therefore qualify.
What does PHI stand for?
PHI stands for “protected health information.” Many people think PHI stands for “personal health information,” but it does not: HIPAA protects only certain kinds of health information, held by certain kinds of organizations.
In order for health data to be PHI regulated by HIPAA, it must be:
Individually identifiable (or reasonably linkable to a specific person)
Created or received by a HIPAA-covered entity or its business associate in the course of treatment, payment, or health care operations
Protected Health Information Examples
So, what is PHI by HIPAA regulations?
Examples of protected health information include:
Films
Charts
Paper records
Medications
EHR/EMRs
lab test results
An MRI scan
Blood test results
Health histories
Diagnoses
Treatment information
Insurance information
Allergies
The types of personal information covered include:
Unique identifiers
Demographic information
Billing information
Emails to your doctor’s office
Prescription refill information
Appointment scheduling
Phone records
Covered entities may use and disclose PHI without the patient’s authorization for treatment, payment, and health care operations. Most other uses and disclosures, such as marketing or sharing with a third party not involved in the patient’s care, require the patient’s written authorization.
As a rule of thumb, any individually identifiable information about a person’s health that a covered entity holds is PHI, which means email records, lab results, and bills typically qualify. Note that PHI is not limited to written records: an oral conversation or a recording that contains identifying health information is also PHI.
The Difference Between Protected Health Information and Consumer Health Information
For some developers, determining whether an application collects PHI is critical to determining if HIPAA
compliance requirements need to be met. So, how do you know if you’re dealing with protected health information
or consumer health information?
Some examples of data not considered PHI are:
Health information like steps in a pedometer, calories burned, etc.
Blood sugar readings (without usernames/PII)
Heart rate readings (without usernames/PII)
Biometric data collected on local devices only
Education records
Employment records
A HIPAA covered entity’s own employee records
Health trackers and wellness apps generally fall outside HIPAA because the developer is neither a covered entity nor a business associate: the data stays with the user and the vendor and is never handled on behalf of a covered entity.
However, once you share tracker data with your doctor (many apps and devices can now do this), the copy the provider receives becomes PHI in the provider’s hands, and a vendor that handles that data on the provider’s behalf becomes a business associate.
What is ePHI?
In our modern world, most patient information is stored, transmitted, and maintained in electronic form, and it is covered by HIPAA. ePHI is simply protected health information stored or transmitted electronically, whether locally or in the cloud: any PHI held or sent via desktop, web, mobile, wearable, or other technology such as email or text messages is ePHI.
This includes individually identifiable health information created, maintained, or transmitted by mobile (mHealth)
and electronic (eHealth) devices. Therefore, when people talk about PHI today, they’re almost always referring to
ePHI records. People use these terms interchangeably.
Difference between PII, PHI and IIHI
There are a few related terms worth noting. For example, healthcare workers commonly refer to PII and IIHI. What do these terms mean?
While PHI is an acronym for protected health information, PII stands for “personally identifiable information” and is the general (non-HIPAA) term for data that can identify a person: names, Social Security numbers, addresses, and so on. Individually identifiable health information (IIHI) is HIPAA’s term for health information that identifies the individual, or could reasonably be used to do so, regardless of who holds it.
Only when health information and an identifier come together does it qualify as IIHI. For example, when a health diagnosis, like high blood pressure, is recorded with an identifier that links or can link it back to a specific patient, it becomes IIHI; when that IIHI is created or received by a covered entity or business associate, it is PHI and protected under HIPAA.
What Are Covered Entities Under HIPAA?
A HIPAA-covered entity is an organization that must comply with the Privacy and Security Rules directly. According to the U.S. Department of Health & Human Services (HHS), there are three types:
Healthcare Providers that transmit health information electronically in connection with HIPAA standard transactions, including doctor’s offices, dental offices, clinics, psychologists, nursing homes, pharmacies, hospitals, and home healthcare agencies
Health Plans, including health insurance companies, HMOs, PPOs, employer-sponsored and student health plans, and government programs that pay for healthcare such as Medicare and Medicaid
Healthcare Clearinghouses that convert nonstandard health information into a standard format (or vice versa), acting as the go-between for healthcare providers and insurance companies
All covered entities using PHI as part of their patient care must be HIPAA compliant. Additionally, business
associates of covered entities also utilizing PHI must be HIPAA compliant.
Here are some examples of HIPAA-covered business associates that also need to comply with HIPAA
standards:
Data processing firms or software companies exposed to or using PHI
Medical equipment service companies handling equipment that holds PHI
Shredding and/or documentation storage companies
Consultants
Auditors
External auditors or accountants
Professional translation services
Answering services
Accreditation agencies
ePrescribing services
Medical transcription services
Attorneys
By comparison, these are not business associates and do not need a Business Associate Agreement:
The covered entity’s own employees/workforce
Contractors, associates, or utilities with limited exposure to records, such as a telephone company, plumber, etc.
Companies that act as a conduit for PHI, such as the postal service, UPS, private couriers, etc.
Protected Health Information Misconceptions
There are some enduring misconceptions about HIPAA and PHI on both the patient and the administrative
side of healthcare services that can cause confusion across the systems. Be aware that:
HIPAA doesn’t protect all healthcare information
There is no way to opt out of HIPAA compliance requirements
There is no blanket “safe harbor” that exempts an organization from HIPAA compliance (the Safe Harbor de-identification method is a procedure for removing identifiers, not an exemption)
Not signing a Business Associate Agreement doesn’t absolve you of the HIPAA-compliance provisions
Not every improper disclosure of PHI qualifies as a breach
A patient’s written statement to release data must adhere to certain requirements
HIPAA’s six-year retention requirement applies to compliance documentation (policies, procedures, risk analyses, Business Associate Agreements), not to medical records, whose retention periods are set by state law
Health information can be subject to state laws and/or employer restrictions outside of HIPAA
There is also confusion about health data recorded by consumer apps and trackers, such as heart rate data stored alongside personal identifiers. HIPAA does not always cover the data collected by these apps and trackers.
PHI Healthcare Apps
Application developers that collect or allow users to input health data, who are sometimes classified as business associates of covered entities, walk a fine line between covered and not covered by HIPAA. So, app developers need to evaluate the types of information they collect very carefully.
If your application handles PHI on behalf of a covered entity, whether by design or not, it must be HIPAA compliant. You cannot simply declare that you did not intend to collect or store PHI. A HIPAA-compliant hosting environment is one way to meet the physical safeguards of the law, but compliance also requires technical and administrative safeguards [1].
Is the information collected by apps and wearable technology considered PHI?
Health information collected or stored by a product manufacturer or app developer for its own users is not PHI. If a healthcare organization collects or receives the same data, it becomes PHI.
Wearable devices with biometric feedback and/or health-tracking software that collect health information but do not share it with covered entities do not need to be HIPAA compliant. However, the trend in mobile health data collection leans toward sharing data with health care providers, and data a provider receives is PHI by definition.
PHI and HIPAA
Why all the trouble and fuss? Someone’s health information can be used against them in several ways: blackmail, cybercrime, black-market medications, and identity theft can all result from data breaches caused by HIPAA noncompliance.
Any suspected violation comes under careful scrutiny, and the consequences include hefty fines.
How HIPAA compliance helps prevent PHI data breaches
The cost of a data breach, and of PHI leaking outside the organization for malicious and illegal purposes, can devastate an organization. There is no room for error or noncompliance, and the responsibility lies with each organization to train its teams accurately.
Regular training for healthcare teams is essential. Look to learning and development programs, exams and certifications, and HIPAA training courses.
When are you allowed to share HIPAA-covered information?
HIPAA’s strict policies and PHI’s “protected” status make it seem as if PHI may never be used, shared, or transmitted. Quite the contrary: the Privacy Rule requires a covered entity to disclose PHI when:
A patient requests access to their own information
The Department of Health and Human Services requests it as part of a compliance investigation
It also permits use and disclosure without patient authorization when:
A covered entity uses PHI for its own treatment, payment, or health care operations
A public health authority such as the CDC or a state health department needs it to report or control infectious disease [2]
De-identifying data
Analyzing data can yield incredibly useful findings, especially in healthcare. Should an organization wish to use PHI for statistics, for example, it must first de-identify the PHI. HIPAA recognizes two methods: Safe Harbor, in which all 18 identifiers listed above are removed and the entity has no actual knowledge that the remaining data could identify the individual, and Expert Determination, in which a qualified expert documents that the risk of re-identification is very small. Once de-identified, the data is no longer PHI, so it is safe and permissible to use.
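As an added example (not code from the original article or from any vendor), here is the Safe Harbor method applied in Python to a constructed patient record: direct identifiers are dropped, ZIP codes are truncated to three digits (or zeroed for the small-population prefixes HHS lists), dates are reduced to the year, ages over 89 are aggregated, and identifier-shaped strings are redacted from the free-text note. The field names, the sample record, and the regular expressions are assumptions made for illustration, not a real EHR schema.

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)) for a patient record.

Added example: field names, sample data and regexes are constructed for
illustration and do not come from any real EHR schema.
"""
import json
import re
from datetime import date

# Structured fields that are direct identifiers and are dropped outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "emergency_contact", "street", "city", "county", "phone", "fax",
    "email", "ssn", "mrn", "beneficiary_id", "account_number",
    "license_number", "vehicle_plate", "device_serial", "url", "ip",
    "photo_ref",
}
# Date fields: every element except the year is removed.
DATE_FIELDS = {"dob", "admitted", "discharged", "deceased"}
# Three-digit ZIP prefixes covering 20,000 or fewer people (HHS Safe Harbor
# guidance, 2000 Census); these must become 000 instead of being truncated.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}
# Identifier-shaped patterns for free text. More specific shapes (SSN, IP)
# run first so a looser pattern (phone, date) cannot claim part of them.
TEXT_PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("url", re.compile(r"\bhttps?://\S+", re.IGNORECASE)),
    ("phone", re.compile(r"\b(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b")),
    ("date", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b")),
    ("mrn", re.compile(r"\bMRN[:# ]*\d+\b", re.IGNORECASE)),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless the prefix is population-restricted."""
    prefix = zip_code[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def generalize_date(iso_date: str) -> str:
    """Reduce an ISO 8601 date to its year, the only date element retained."""
    return str(date.fromisoformat(iso_date).year)


def generalize_age(age: int) -> str:
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > 89 else str(age)


def redact_text(text: str) -> tuple[str, list[str]]:
    """Replace identifier-shaped substrings with [CATEGORY] tokens.

    Returns the redacted text and the categories found; the second value
    is also usable on its own as a PHI-in-logs detector.
    """
    found = []
    for category, pattern in TEXT_PATTERNS:
        text, hits = pattern.subn(f"[{category.upper()}]", text)
        if hits:
            found.append(category)
    return text, found


def deidentify_record(record: dict) -> dict:
    """Apply the Safe Harbor rules field by field and return a new dict."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or value is None:
            continue
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif key == "note":
            out[key], _ = redact_text(value)
        else:
            out[key] = value  # clinical content (diagnoses, labs) is kept
    return out


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "0004471",
    "ssn": "123-45-6789",
    "dob": "1931-04-12",
    "age": 93,
    "zip": "03601",
    "admitted": "2024-03-02",
    "diagnosis": "I10 essential hypertension",
    "note": "Pt called from 555-123-4567 on 03/02/2024; email jane@example.org. "
            "Follow-up re MRN 0004471.",
}

if __name__ == "__main__":
    print(json.dumps(deidentify_record(SAMPLE_RECORD), indent=2))
```

Running the script prints the record with the name, MRN and SSN gone, the ZIP reduced to 000 (036 is one of the restricted prefixes), both dates reduced to their year, the age shown as 90+, and the phone number, date, email and MRN in the note replaced by category tokens. Regex redaction of free text is the weak point of any Safe Harbor pipeline: it catches identifier-shaped strings but not a patient’s name written in a sentence, so in practice it is paired with a name dictionary or a clinical NLP de-identifier, and the remaining requirement that the entity have no actual knowledge the data could re-identify someone is a human judgement, not a code check.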
Obtaining copies of PHI
The HIPAA Privacy Rule gives patients the right to obtain copies of the PHI a covered entity holds in a designated record set, that is, the records the entity maintains and uses to make decisions about the patient, including those kept for the provision of treatment or payment for care [3]. For a health plan this includes information used to make decisions about a patient’s enrollment, payment, claims adjudication, or case and medical management.
For the purposes of our office and the safety and security of all clients, any and all information contained within the client’s chart, as well as the additional information mentioned above, is considered to be covered under HIPAA or related regulations.