PHI stands for Protected Health Information, which refers to any information in a medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a healthcare service such as diagnosis or treatment. The question of what PHI stands for is usually answered by a reference to the Health Insurance Portability and Accountability Act (HIPAA). However, the acronym PHI – which stands for Protected Health Information – does not appear in HIPAA in either its short or its long form.
In fact – in the context of HIPAA – the first references to PHI were not made until some years later, when the proposed Privacy Rule was published. The proposed Privacy Rule defined “Protected Health Information” as individually identifiable health information transmitted or maintained (by Covered Entities and Business Associates) in any form or medium.
Covered Entities and Business Associates subject to the HIPAA regulations must implement reasonable and appropriate measures to safeguard the privacy of PHI and ensure it is not disclosed without authorization (from an individual) other than for disclosures permitted by the HIPAA Privacy Rule. This also applies to the subset of electronic PHI (ePHI) covered by the HIPAA Security Rule.
What Health Information is Protected by the HIPAA Privacy Rule
The Department of Health and Human Services (HHS – the agency that enforces HIPAA via the Office for Civil Rights) does not elaborate on what specific individually identifiable health information is protected by the Privacy Rule. Instead, it relies on Covered Entities and Business Associates to assess what information should be protected if it relates to:
- An individual's past, present, or future physical or mental health or condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of healthcare to the individual.
HHS does state that individually identifiable health information should be protected “when there is a reasonable basis it can be used to identify the individual”; but, beyond suggesting identifiers such as name, address, birth date, and Social Security number – and noting that this information should be protected in electronic, paper, and oral formats – HHS doesn't offer specific guidance.
Consequently, compliance experts have suggested that the eighteen identifiers listed in the safe harbor de-identification standard (§164.514) should be used as a guide. This standard applies not only to identifiers that can identify an individual, but also to those that can identify a relative, employer, or household member when the identifiers are maintained in the same “designated record set”:
- Names
- All geographic subdivisions smaller than a State
- All elements of dates (except year) for dates directly related to an individual
- Telephone numbers
- Fax numbers
- Electronic mail (email) addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
It is important to note that when these identifiers are not included in a designated record set, they are not protected health information. Additionally, there may be cases in which other identifiers not included in the above list are maintained in a designated record set – for example, details of emotional support animals or social media aliases.
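To show how the safe harbor list above translates into a concrete data-handling step, here is an added example (not from the article or from HHS) that de-identifies a constructed patient record: fields matching the identifier categories are dropped, dates are reduced to the year, and free-text notes are scanned for identifier patterns. The field names, regexes and sample record are assumptions made for this example.

```python
import re
from datetime import date

# Added example, not from the article: applies the safe-harbor categories
# listed above to a constructed record. Field names are hypothetical.
DIRECT_IDENTIFIER_FIELDS = {  # structured fields dropped outright
    "name", "street_address", "city", "zip", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_plate", "device_serial", "url", "ip_address", "photo_ref",
}
# Dates directly related to the individual: keep only the year.
DATE_FIELDS = {"dob", "admission_date", "discharge_date"}
# Identifier patterns that commonly leak into free-text notes.
FREE_TEXT_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "URL": re.compile(r"\bhttps?://\S+"),
}

def scrub_text(text):
    """Replace identifier patterns in free text with a category tag."""
    for tag, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{tag}]", text)
    return text

def deidentify(record):
    """Return a safe-harbor de-identified copy of a record dict."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # drop the identifier entirely
        if key in DATE_FIELDS:
            out[key] = date.fromisoformat(value).year  # year only
        elif isinstance(value, str):
            out[key] = scrub_text(value)  # catch identifiers hidden in notes
        else:
            out[key] = value
    return out

# Constructed sample record (not real data); "state" is kept because it is
# not a geographic subdivision smaller than a State.
SAMPLE = {
    "name": "Jane Smith", "dob": "1984-03-17", "zip": "10001", "state": "NY",
    "mrn": "MRN-0001", "admission_date": "2023-11-02", "age": 39,
    "diagnosis": "Type 2 diabetes",
    "notes": "Follow-up call to 555-123-4567; portal https://example.test/x",
}
```

Running `deidentify(SAMPLE)` leaves only the state, the two years, the age, the diagnosis and the scrubbed note; a production implementation would also need the remaining §164.514 conditions the article does not list.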
The Disclosures of PHI Permitted by the HIPAA Privacy Rule
There are three types of disclosures permitted by the HIPAA Privacy Rule – required, permitted, and requiring authorization. Required disclosures are those required when an individual exercises their rights to access, correct, or transfer PHI, or to request an accounting of disclosures. Covered Entities are also required to disclose PHI to inspectors from the Office for Civil Rights during an audit or review.
Permitted disclosures of PHI include disclosures for treatment, payment, or health care operations, and when a disclosure is for public health or benefit activities. Public health or benefit activities can include disclosures to law enforcement, reports of neglect or abuse, to comply with workers' compensation laws, or when the disclosure is in response to a subpoena or other lawful process.
All other disclosures of PHI require authorization from the patient. In most circumstances, a written authorization must be obtained, documented, and retained. However, the Privacy Rule allows for informal consent for uses such as inclusion in a hospital directory, or – if a patient is unable to give their informal consent – a Covered Entity can use their professional judgement to assume consent if the use or disclosure of PHI is considered to be in the best interests of the patient.
The Importance of Understanding What PHI Stands For
The reason why it is important to understand what PHI stands for is that a “Minimum Necessary Standard” exists in the Privacy Rule. This Standard stipulates that only the minimum amount of PHI needed to accomplish the intended purpose should be disclosed. Failure to comply with this Standard is one of the most common reasons for patient complaints to HHS' Office for Civil Rights.
After receiving a patient complaint, HHS' Office for Civil Rights will investigate and may require the Covered Entity to review its policies and procedures or comply with a corrective action plan. In extreme cases where the Covered Entity is a repeat offender that has failed to correct previous violations, HHS' Office for Civil Rights can impose a civil monetary penalty.
Although in most cases Covered Entities will not be fined for violations of the Minimum Necessary Standard, reviewing policies and procedures (and retraining workforces after a material change) and complying with a corrective action plan incur indirect costs and disrupt operations. For this reason, it is important to train workforces on what PHI stands for and when its use or disclosure is permitted under the HIPAA Privacy Rule.
PHI: FAQ
What is the difference between Protected Health Information and Personally Identifiable Information?
Protected Health Information is individually identifiable health information and any accompanying identifiers maintained in the same designated record set. Personally Identifiable Information is an identifier that could be used to identify the subject of the PHI when it is maintained in a designated record set. If it is not maintained in a designated record set, PII is not protected by HIPAA – although other federal or state privacy laws may apply.
What is the difference between PHI and ePHI?
Electronic PHI (ePHI) is a subset of PHI. The acronym ePHI is used to describe PHI that has been created, received, stored, or transmitted electronically. ePHI is subject to the same protections as PHI; however, additional standards for protecting ePHI from impermissible uses and disclosures exist in the HIPAA Security Rule.
Is “Jane Smith” considered to be PHI?
Yes, even generic names that are shared by thousands of individuals are considered to be PHI if they are maintained in a designated record set. This is because, even if a name is a common name, it can still be used to identify an individual. Additionally, it would be impractical for HIPAA to distinguish between “scales” of identifiability of PHI. The frequency of names changes through time and between different locations, so having different lists and applying different protections would be too difficult.
What is “anonymization”?
If PHI is stripped of all identifiers that can be used to identify the subject of the health information, it is no longer individually identifiable, not considered to be PHI, and not protected by the Privacy and Security Rule standards.
What is considered to be “future” health information?
Future health information can include treatment plans and prognoses. This is considered to be sensitive information as it could be used to discriminate against a patient in terms of their employment prospects, amongst other things.