
Protected Health Information (PHI)

Protected Health Information (PHI) is the term given to health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates in relation to the provision of healthcare, healthcare operations, and payment for healthcare services. Protected health information is often shortened to PHI or, in the case of electronic health information, ePHI. ePHI (Electronic Protected Health Information) is all individually identifiable health information that is created, maintained, or transmitted electronically by mHealth and eHealth products. This includes PHI on desktop, web, mobile, wearable, and other technology, such as email and text messages.

Under HIPAA, protected health information is considered to be individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations (PHI healthcare business uses). Health information such as diagnoses, treatment information, medical test results, and prescription information is considered protected health information under HIPAA, as are national identification numbers and demographic information such as birth dates, gender, ethnicity, and contact and emergency contact information. PHI relates to physical records, while ePHI is any PHI that is created, stored, transmitted, or received electronically.

PHI only relates to information on patients or health plan members. It does not include information contained in educational and employment records, including health information maintained by a HIPAA-covered entity in its capacity as an employer. Health information is only considered PHI when an individual could be identified from it. If all identifiers are stripped from health data, it ceases to be protected health information and the HIPAA Privacy Rule’s restrictions on uses and disclosures no longer apply.[1]


Figure: Protected Health Information (source: Total HIPAA)


PHI Information and Non-PHI Information[2]
PHI is any information that can be used to identify an individual, even if the link appears to be tenuous. HIPAA has laid out 18 identifiers for PHI. If a record contains any one of those 18 identifiers, it is considered to be PHI. If the record has these identifiers removed, it is no longer considered to be Protected Health Information and it is no longer under the restrictions defined by the HIPAA Privacy Rule. These are the 18 Identifiers for PHI:

  • Full names or last name and initial
  • All geographical identifiers smaller than a state
  • Dates (other than year) directly related to an individual, such as birthday or treatment dates
  • Phone numbers, including area code
  • Fax numbers
  • Email addresses
  • Social Security number
  • Medical record numbers
  • Health insurance beneficiary numbers
  • Bank account numbers
  • Certificates/driver's license numbers
  • Vehicle identifiers (including VIN and license plate information)
  • Device identifiers and serial numbers
  • Web Uniform Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including fingerprints, retinal, genetic information, and voice prints
  • Full face photographs and any comparable images that can identify an individual
  • Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
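The following is an added example, not code from the original page or its sources: a Python screening pass that flags and redacts the pattern-detectable identifiers from the list above in a record's fields. The field names, sample values and regular expressions are assumptions; a clean scan does not show a record is de-identified, because names, photographs, biometrics and record numbers are not covered by patterns like these.

```python
import re

# Pattern-detectable subset of the 18 identifiers. Names, photos, biometrics and
# account or record numbers need schema knowledge or dictionaries, not regexes.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)"),
    "ip_address": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "url": re.compile(r'\bhttps?://[^\s<>"]+'),
    # Dates more specific than a year: ISO (2021-03-14) or US (3/14/2021).
    "date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4})\b"),
}

# Constructed sample record; field names and values are invented for illustration.
SAMPLE = {
    "note": "Pt seen 03/14/2021 for follow-up; call 555-867-5309 or jdoe@example.com.",
    "glucose_mg_dl": 104,          # a bare reading carries no identifier
    "birth_year": 1984,            # year alone is not a listed identifier
    "portal": "Last login from 203.0.113.7 via https://portal.example.org/visit",
    "ssn": "000-12-3456",
}

def find_identifiers(record):
    """Return {field: sorted identifier types found in that field's value}."""
    hits = {}
    for field, value in record.items():
        kinds = sorted(k for k, rx in PATTERNS.items() if rx.search(str(value)))
        if kinds:
            hits[field] = kinds
    return hits

def redact(record):
    """Return a copy with every matched identifier replaced by a [TYPE] tag."""
    out = {}
    for field, value in record.items():
        if isinstance(value, str):
            for kind, rx in PATTERNS.items():
                value = rx.sub(f"[{kind.upper()}]", value)
        out[field] = value
    return out

if __name__ == "__main__":
    print(find_identifiers(SAMPLE))
    print(redact(SAMPLE))
```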

The rule of thumb is that if any of the information is personally recognizable to the patient or if it was utilized or discovered during the course of a healthcare service, it is considered to be PHI.

Generally speaking, PHI does not include information created or maintained for employment records, such as employee health records. Health data that is not shared with a covered entity or cannot be used to identify an individual doesn’t qualify as PHI, such as a blood sugar reading, a temperature scan, or readings from a heart rate monitor.

To make laying out a narrow definition of PHI even more complicated, HIPAA was conceived in a time when the internet was in its infancy and devices like smartphones were something that you saw on Star Trek. The law was written for a world in which X-rays were physical copies and safeguarding patient data meant keeping files in locked filing cabinets behind closed doors. In today’s world of genetic information, wearable technology, health apps and perhaps even implantables, it can be challenging to determine whether you are using consumer health information or PHI.

So if you are a startup developing an app and you are trying to decide whether or not your software needs to be HIPAA compliant, the general rule of thumb is this: if the product that you are developing transmits health information that can be used to personally identify an individual, and that information will be used by a covered entity (medical staff, hospital, or insurance company), then that information is considered PHI and your organization is subject to HIPAA. If you have no plans to share this data with a covered entity, then you do not need to worry about HIPAA compliance - yet.


Protected Health Information Vs. Individually Identifiable Health Information[3]
Individually identifiable health information (IIHI) goes beyond medical information about a person to include their demographics. IIHI meets these conditions:

  • Is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse.
  • Relates to the past, present, or future physical/mental health or condition of a person; the provision of health care to a person; or the past, present or future payment for the provision of health care to a person.
  • Identifies an individual or can be used to identify an individual.

In short, for medical information to be IIHI, it has to identify the individual to which it belongs.

Protected health information is individually identifiable health information that is:

  • Transmitted by electronic media (e.g. sent through email),
  • Maintained in electronic media (e.g. stored on a server), or
  • Transmitted or maintained in any other form or medium (which includes paper documents stored in physical locations).

All PHI is IIHI, but not all IIHI is PHI. This is because HIPAA does not protect all individually identifiable health information. The IIHI has to be transmitted or maintained in some form to be protected (PHI).


Figure: PHI Vs IIHI (source: HIPAAtrek)


Protected Health Information Vs. Consumer Health Information[4]
For developers, determining whether an application collects PHI or not is critical to determining whether HIPAA compliance requirements need to be met or not. So how do you know if you're dealing with protected health information (PHI) or consumer health information?

The test is straightforward: if the device or application you are building records or transmits the user's personally identifiable health data held in the app or device, and that data is used by a covered entity in the course of care, then you are dealing with PHI and need to be HIPAA compliant.

If you are building a wearable device or application that collects health information but does not plan on sharing it with a covered entity at any point in time, then you do not need to be HIPAA compliant. However, the trend in mobile health data collection is toward the sharing of health data with health care providers, making it PHI by definition.

For example, the Nike Fuel Band does not need to be HIPAA compliant because it does not track PHI and you can't transmit that data from the device to a covered entity. Data about blood sugar and sleep patterns collected by Apple's Healthkit and accessed by an app to share with a doctor falls under HIPAA.


References

  1. Definition - What is Protected Health Information (PHI)? HIPAA Journal
  2. What Information is considered PHI and What is not considered PHI? Accountable
  3. The Difference Between Protected Health Information and Individually Identifiable Health Information. HIPAAtrek
  4. The Difference Between Protected Health Information and Consumer Health Information. TrueVault