Protected health information (PHI) is a cornerstone of patient privacy in healthcare. It covers any individually identifiable health data managed by healthcare providers, health plans, or business associates, and its protection is fundamental for both quality patient care and legal compliance. Here’s a look at what PHI includes, its significance, and examples of PHI in everyday healthcare settings.
What is protected health information (PHI)?
PHI refers to health information that can identify a person and is created, received, or maintained by healthcare entities. It includes:
- Health status: Details of any physical or mental conditions.
- Healthcare services: Information about treatments or care provided.
- Payment data: Any data linked to payments for healthcare services.
Because PHI spans a broad range of information, healthcare organizations must have strict safeguards to protect it from unauthorized access.
Read more: What is protected health information (PHI)?
Why PHI matters
Protecting PHI goes beyond compliance; it’s about patient trust, legal standards, and operational efficiency. Safeguarding PHI ensures patient privacy, supports HIPAA compliance, and helps improve healthcare delivery by enabling secure and efficient information handling.
HIPAA privacy rule and PHI
The HIPAA privacy rule sets guidelines for protecting PHI. It defines what counts as PHI and the obligations of healthcare providers to keep this information secure. Main provisions include:
- De-identification: Allows removal of certain identifiers to protect privacy.
- Designated record sets: Requires healthcare data to be organized and maintained for easy access and security.
- Access controls: Mandates secure access to PHI, so only authorized personnel can view it.
Read more: What is the HIPAA Privacy Rule?
What identifiers are linked to PHI?
The U.S. Department of Health and Human Services (HHS) clarifies in its guidance on deidentifying information that certain details, like names, residential addresses, or phone numbers, aren’t automatically classified as PHI. However, when these details are paired with information about a person’s health condition, healthcare services, or payment details—such as indicating treatment at a specific clinic—they become PHI.
To ensure compliance with HIPAA and safeguard patient privacy, the following 18 identifiers must be removed to fully de-identify information:
- Names
- Geographic data smaller than the state level
- Dates related to individuals (e.g., birth dates, admission dates)
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (e.g., fingerprints)
- Full-face photos and comparable images
- Any unique identifying number, characteristic, or code
Related: What are the 18 PHI identifiers?
Examples of PHI in healthcare
PHI is everywhere in healthcare settings. Here are some common examples:
- Medical records: Patient demographics, medical history, treatment plans, and test results like blood tests or MRIs.
- Billing information: Insurance details, payment records, and billing statements.
- Communication records: Notes from consultations, correspondence, and referrals to specialists.
Designated record sets and their significance
A designated record set includes all records that healthcare providers use to make patient care decisions. These sets are critical for both compliance and operational efficiency, as they include:
- Individual records: Specific items of health information.
- Comprehensive records: Entire medical histories or billing records.
- Grouped records: Multiple records for the same patient, each needing different access levels.
Consequences of PHI breaches
Breaches of PHI can bring serious consequences for healthcare organizations, affecting both their legal standing and reputation. HIPAA violations may lead to fines, legal actions, and other penalties, while a breach of patient data can erode trust, lead to negative publicity, and damage an organization’s reputation.
An incident in Memphis shows these risks: Roderick Harvey and five former employees of Methodist Hospital pled guilty to unlawfully disclosing patient information under HIPAA. From November 2017 to December 2020, they sold patient names and phone numbers from motor vehicle accident cases to third parties. Harvey faces up to five years in prison and a $250,000 fine, while the others face up to one year in prison and a $50,000 fine. Sentencing dates have been set following an investigation by the FBI and Tennessee Bureau of Investigation.
Best practices for protecting PHI
To ensure the protection of PHI and compliance with HIPAA regulations, covered entities should follow these best practices:
- Implement strict access controls: Limit access to PHI to authorized individuals who require it for their job responsibilities.
- Encrypt PHI: Use encryption to protect PHI when it is transmitted or stored electronically.
- Conduct regular risk assessments: Identify and address potential risks to the confidentiality, integrity, and availability of PHI.
- Train employees on HIPAA compliance: Provide regular training to employees to ensure they understand their responsibilities regarding PHI.
- Establish incident response procedures: Develop a plan to address and mitigate PHI breaches or security incidents.
- Regularly update policies and procedures: Stay up-to-date with changes in HIPAA regulations and adjust policies and procedures accordingly.
- Monitor and audit PHI access: Regularly review access logs and audit trails to identify any unauthorized access or suspicious activity.
- Conduct regular HIPAA compliance audits: Assess the organization's compliance with HIPAA regulations and address any identified issues.
- Maintain business associate agreements: Ensure that business associates who handle PHI on behalf of the covered entity sign appropriate agreements outlining their responsibilities and compliance with HIPAA regulations.
- Use secure communication channels: Implement secure email solutions like Paubox and other communication tools to ensure the confidentiality of PHI.
FAQs
What is the best way to share PHI?
The best way to share PHI is by sending secure emails to users to access PHI. Users are directed to safe environments by employing secure connections, which offer more data protection.
What is an example of PHI?
An address is an example of PHI as it includes specific details beyond the state, such as a street address, city, county, precinct, and typically zip code, along with their corresponding geocoded.
How do you communicate with PHI?
To securely communicate PHI to users, transmit it as a password-protected or encrypted attachment. Also, avoid including patient names, identifiers, or other specific details in the subject heading of the communication. Instead, incorporate a confidentiality banner such as "This is confidential medical communication."