Protected Health Information (PHI)
Protected health information (PHI) is individually identifiable health information. PHI is demographic data that relates to an individual's physical or mental health, the provision of health care, or payment for the provision of health care, together with common identifiers such as name, address, phone numbers, birth date, and Social Security Number. All protected health information must be handled in compliance with Health Insurance Portability and Accountability Act (HIPAA) standards. There is also electronic protected health information (ePHI): PHI that is sent or transmitted electronically.
PHI is defined by UCSF as follows: "Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment."
PHI and ePHI are found in many locations, both in paper medical records and in the electronic medical record. The data can be found in medical records, billing records, insurance/benefit enrollment and payment records, claims payment records, and case management records.
Security and privacy go hand in hand. Security is about controlling access to electronic PHI, while privacy is about controlling how electronic, oral, and written PHI is used and disclosed. Covered entities need to make it a top priority to establish and implement policies and procedures to protect patient information (1).
Entities covered under the Privacy Rule include (4):
- Health Plans
- Health Care Providers
- Health Care Clearinghouses
Examples of PHI Identifiers
Examples include (5)(6):
- Addresses: All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
- Dates: All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
- Phone numbers
- Fax numbers
- E-mail address
- Social Security Numbers
- Medical records numbers
- Account numbers
- Health plan beneficiary number
- Certification/license number
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Names of relatives
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
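As an added worked example (not from the original page), the address, date and age rules in the list above applied to a constructed patient record in Python; the set of small-population three-digit ZIP prefixes is a placeholder standing in for the current Census data the rule refers to.

```python
from datetime import date

# Constructed placeholder: the real set of three-digit ZIP prefixes whose
# combined population is 20,000 or fewer must come from current Census data.
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}

# Constructed sample record carrying identifiers from the list above.
SAMPLE_RECORD = {
    "zip": "03601-1234",
    "birth_date": date(1930, 5, 20),
    "admission_date": date(2024, 2, 10),
    "discharge_date": date(2024, 2, 14),
}

def deidentify_zip(zip_code: str) -> str:
    """Keep the three initial digits, or '000' for a small-population area."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) < 3:
        raise ValueError("ZIP code must contain at least three digits")
    prefix = digits[:3]
    return "000" if prefix in SMALL_POPULATION_ZIP3 else prefix

def deidentify_date(d: date) -> str:
    """Strip every date element except the year."""
    return str(d.year)

def deidentify_birth(birth: date, as_of: date) -> dict:
    """Ages over 89 collapse to '90+'; the birth year is then suppressed
    too, because it would reveal such an age."""
    birthday_passed = (as_of.month, as_of.day) >= (birth.month, birth.day)
    age = as_of.year - birth.year - (0 if birthday_passed else 1)
    if age > 89:
        return {"birth_year": None, "age": "90+"}
    return {"birth_year": str(birth.year), "age": str(age)}

def deidentify_record(record: dict, as_of: date) -> dict:
    """Apply the Safe Harbor rules above to one record."""
    out = {"zip3": deidentify_zip(record["zip"])}
    out.update(deidentify_birth(record["birth_date"], as_of))
    for key in ("admission_date", "discharge_date"):
        if key in record:
            out[key + "_year"] = deidentify_date(record[key])
    return out

def deidentify_sample() -> dict:
    """Run the rules over the constructed sample as of a fixed date."""
    return deidentify_record(SAMPLE_RECORD, as_of=date(2024, 3, 1))
```

For the sample record the result keeps only "000" for the ZIP, "90+" for the age with no birth year, and the bare year for the admission and discharge dates.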
The Privacy Rule requires covered entities to perform administrative tasks to protect the privacy of health information: scalable confidentiality and security procedures, a designated security officer, sanctions for violations, and a signed statement from all employees regarding the confidentiality of data (1).
An organization's compliance guidelines, like the law and industry codes they reflect, are intended to serve patients by safeguarding medical information, enabling the organization to advance patient care while protecting patient privacy.
Fundamental elements to an effective compliance program:
- Written policies and procedures for compliance
- A designated compliance officer and committee
- Effective training and education for employees
- Effective lines of communication
- Internal monitoring and auditing procedures
- Enforcement of standards through disciplinary guidelines
- Prompt responses to detected problems and implementation of corrective action (2)
Technical safeguards include:
- unique user IDs
- an encrypted password storage system
- disallowing weak passwords
- automatic logoff after a period of inactivity
- system-enforced password changes
- virus checking
- disallowing the sharing of passwords
Protecting Electronic Data
Confidential information stored on a portable electronic device such as a laptop, USB drive, CD, DVD or PDA should be encrypted so that the data cannot be retrieved by an unauthorized person if the device is lost or stolen.
Protecting Paper Medical Records
Paper medical records containing PHI should be kept in a locked and secure location. Only authorized or designated people should have access to any paper records containing PHI.
All covered entities are required to properly dispose of PHI. A reliable way for most organizations is to hire a shredding company that destroys all PHI off site in a manner consistent with the HIPAA Privacy and Security Rules. Placing protected information in an unsecured garbage can (including blue recycling cans) is not an acceptable method of disposal for documents that contain private information. Such information should be kept secured until it is shredded or otherwise properly destroyed.
Privacy and Security Violations of PHI
If PHI is not properly protected by a covered entity, severe penalties, fines and corrective action may follow. Anyone can file a complaint if they feel that their privacy has been violated. More information is found at 
Healthcare providers in all settings implement compliance programs to protect patient privacy and to ensure ethical business practices. This is necessary because of the increased severity of the penalties established by the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Balanced Budget Act of 1997 (Public Law 105-33). By ensuring ethical business practices through compliance programs, healthcare providers reduce their risk of criminal and civil litigation with regard to privacy and security (3).
HIPAA also provides for a limited data set.
- "Not all my friends need to know": a qualitative study of teenage patients, privacy, and social media.
- HIPAA - PHI: List of 18 Identifiers and Definition of PHI. University of California, San Francisco. http://www.research.ucsf.edu/chr/HIPAA/chrHIPAAphi.asp#Definition
- Hartley, C. & Jones, E. (2004). HIPAA Plain and Simple: A Compliance Guide for Healthcare Professionals. AMA Press, Chicago, IL.
- Healthcare Compliance: An Introductory Guide for Employees. Johnson & Johnson. Retrieved from: http://www.shareholder.com/Shared/DynamicDoc/jnj/1293/6210%20Overview%20Guide_WEB_single_pg.pdf
- AHIMA (2011). Healthcare Compliance. Retrieved from: http://www.ahima.org/resources/compliance.aspx
Submitted by Sherry Dexheimer
Submitted by Molly Kneen