Paubox blog: HIPAA compliant email made easy

Is a phone number PHI?

Written by Kirsten Peremore | August 20, 2024

A phone number is considered protected health information (PHI) when it's linked with medical data, as it can identify an individual and reveal their health details.

 

When is a phone number PHI?

According to the NIH, “The Privacy Rule defines PHI as individually identifiable health information, held or maintained by a covered entity or its business associates acting for the covered entity, that is transmitted or maintained in any form or medium (including the individually identifiable health information of non-U.S. citizens). This includes identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or the provision or payment of health care to an individual that is created or received by a health care provider, health plan, employer, or health care clearinghouse.”

A phone number becomes PHI when it is collected, stored, or used by a healthcare provider, health plan, healthcare clearinghouse, or a business associate of these entities, and is linked or can be linked to an individual's health information. For instance, a phone number in a hospital's patient records, where it is associated with medical history, treatment information, or health insurance details, is PHI because it can be used to identify an individual in the context of their health information. 

In contrast, the same phone number stored in a non-healthcare-related database, such as a customer service log for a retail store or a contact list in a personal phone, is not PHI, as it is not linked to health information or used in a healthcare setting.

 

How do HIPAA compliance requirements change when a phone number is associated with more specific health information?

Healthcare providers must be cautious with phone numbers linked to identifiable health information. PHI phone numbers in healthcare settings require rigorous security protocols to protect patient privacy and data. Non-PHI phone numbers don't need HIPAA compliant safeguards and can be treated as regular contact information.

See also: What are the 18 PHI identifiers?

 

Best practices to safeguard PHI phone numbers

A phone number can be a key identifier. If PHI such as a phone number is mishandled or exposed, it could lead to privacy breaches, potentially resulting in unwanted contact, identity theft, or even discrimination. Best practices include:

  1. Strict access controls: Restrict PHI access to authorized personnel only. Use role-based access controls to limit viewing and handling to relevant staff.
  2. Secure communication channels: Use secure, HIPAA compliant communication methods such as HIPAA compliant email when sharing PHI. Ensure that emails, texts, or other electronic communication containing phone numbers are encrypted and secure.
  3. Privacy policies and procedures: Develop and implement clear policies and procedures for handling PHI, including phone numbers. Ensure these policies are regularly updated and in line with current HIPAA regulations.
  4. Physical security measures: Implement physical security measures like locked file cabinets for paper records and secure, password-protected areas for computer access to prevent unauthorized access to PHI.
  5. Data minimization: Collect and retain only the phone numbers and other PHI necessary for healthcare purposes. Avoid unnecessary collection or storage of data.
  6. Incident response plan: Have an incident response plan for potential PHI breaches. This plan should include steps to mitigate harm, notification procedures, and strategies to prevent future incidents.
  7. Patient consent and privacy notices: Obtain proper consent from patients before using or disclosing their phone numbers for purposes other than treatment, payment, or healthcare operations, and provide clear privacy notices outlining how their information is used and protected.

See also: How to de-identify protected health information for privacy

 

FAQs

Is an address PHI? 

An address is considered PHI if it's linked to medical information, as it can identify an individual and reveal something about their health.

 

Why is TLS 1.2 or higher recommended for email encryption?

TLS 1.2 or higher is recommended for email encryption because it provides strong security measures that protect sensitive data from being intercepted during transmission.

 

What is a notice of privacy practices?

A notice of privacy practices is a document that healthcare providers and organizations must provide, explaining how they use, share, and protect your personal health information under HIPAA rules.