Answer Common HIPAA Questions – PHI
What is Protected Health Information (PHI)?
By Marcia L. Brauchler, MPH, CMPE, CPHQ, CPC, CPC-H, CPC-I
Under the HIPAA Privacy Rule, PHI refers to health information that can identify an individual or can be used with other available information to identify an individual. The rule applies specifically to “covered entities” and their “business associates.” Health information that identifies an individual, but is not held by a covered entity or business associate, is most likely not subject to HIPAA’s Privacy Rule.
Consider the following example to illustrate the distinction:
A 16-year-old girl is injured in an automobile accident and requires surgery at a hospital to repair a broken leg. Any health information the hospital possesses relating to the patient is considered PHI, and HIPAA’s Privacy Rule protects the use and disclosure of that information. For example, a nurse who was in the operating room for the surgery could not share any information about the patient or the surgery with a news reporter without the patient’s parents authorizing it because the nurse is a member of the workforce of a covered entity.
But if a news reporter interviews the patient’s aunt, who freely shares health information about the patient, the reporter may disclose that information without the patient’s authorization. The news reporter is not bound by HIPAA’s Privacy Rule because news agencies are not covered entities or business associates under HIPAA.
What Makes It PHI?
PHI requires two things:
- An identifier; and
- A piece of health information.
For example, a post-operative report from a hospital, together with the name of the patient who had the surgery, would be considered PHI. The same report by itself, without a name or other patient identifier, is not necessarily PHI. There must be some identifying information on the post-operative report for it to be considered PHI under HIPAA.
The HIPAA Privacy Rule provides a list of what the federal government considers to be “individual identifiers.” These include: names, addresses, social security numbers, telephone numbers, email addresses, dates of birth, etc. Even a license plate number on a patient intake form can be considered PHI because it could be used to identify a person (think of a “John Doe” brought into the emergency department with no identification other than the license plate number the paramedics wrote down at the scene of the accident).
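The two-part test above (an identifier plus a piece of health information) is what a data-loss-prevention check has to encode. The following is an added illustration, not code from the article or its author: a simplified heuristic that flags a record as PHI only when both elements are present, using identifier patterns drawn from the article's list (social security number, telephone, email, date of birth, license plate) and a constructed roster of known patient names; the health-term list and sample records are also constructed for this example.

```python
import re

# Identifier patterns taken from the article's list of individual identifiers.
# Names are matched only against a supplied roster; free-text name detection is out of scope here.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "date_of_birth": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}\b", re.I),
    "license_plate": re.compile(r"\b(?:plate|license plate)[:\s#]+[A-Z0-9-]{5,8}\b", re.I),
}

# Health-information cues covering condition, treatment and payment (constructed list).
HEALTH_TERMS = re.compile(
    r"\b(?:surgery|post-?operative|fracture|diagnos\w*|medication|x-?ray|"
    r"treatment|admitted|discharge|claim|copay|insurance)\b", re.I)

def find_identifiers(text, known_names=()):
    """Return the set of identifier types present in the text."""
    found = {kind for kind, pat in IDENTIFIER_PATTERNS.items() if pat.search(text)}
    if any(re.search(rf"\b{re.escape(name)}\b", text, re.I) for name in known_names):
        found.add("name")
    return found

def classify(text, known_names=()):
    """Classify a record: 'PHI' only when an identifier AND health information co-occur."""
    ids = find_identifiers(text, known_names)
    has_health = bool(HEALTH_TERMS.search(text))
    if ids and has_health:
        return "PHI", sorted(ids)
    if has_health:
        return "health_info_only", []      # e.g. a post-operative report with no name
    if ids:
        return "identifier_only", sorted(ids)
    return "neither", []

# Constructed sample records mirroring the article's examples.
KNOWN_NAMES = ("Jane Roe",)
REPORT_NO_NAME = "Post-operative report: open reduction of tibial fracture, no complications."
REPORT_WITH_NAME = "Post-operative report for Jane Roe: open reduction of tibial fracture. DOB: 04/12/2008."
JOHN_DOE_INTAKE = "Unidentified male admitted after MVA. Plate: ABC-1234 recorded by paramedics."

if __name__ == "__main__":
    for record in (REPORT_NO_NAME, REPORT_WITH_NAME, JOHN_DOE_INTAKE):
        print(classify(record, KNOWN_NAMES))
```

The same report is classified differently with and without the name, and the "John Doe" intake note is flagged on the license plate alone, matching the article's reasoning.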
PHI can come in many forms other than paper: telephone calls and voice mails, X-rays, photos and videos, verbal interactions (e.g., overheard conversations), faxes, and electronic formats, such as a patient’s electronic health record. PHI in an electronic format is doubly protected: by HIPAA’s Security Rule as well as by the Privacy Rule.
PHI is not limited to current information. It can relate to:
- A patient’s past, present, or future physical or mental health or condition;
- Healthcare provided to the individual; or
- The past, present, or future payment for healthcare to the individual.
For example, information about a patient hospitalized in a mental institution in his 20s, who is now 55 years old, is still considered PHI in the hands of the mental institution or another covered entity or business associate. The information is still protected under HIPAA today.
What PHI Is Not
HIPAA excludes some forms of health information from the definition of PHI, such as educational records held by schools. These records are covered by a different federal privacy law: the Family Educational Rights and Privacy Act (FERPA).
Employment records that contain identifiable health information held by a covered entity acting as an employer are not considered PHI. For instance, if ABC Company requires drug testing of all applicants, and the company maintains files containing this health information in its human resources department, these files are not considered PHI.
Is This a HIPAA Violation?
Let’s end with a final example. Consider the case of an intern working at a hospital who saw a neat-looking X-ray on a viewing box. He took a picture of the X-ray with his iPhone and posted it on Facebook as a learning aid for his fellow interns. When the picture is enlarged, however, you can see the patient’s name and date of birth, and the hospital’s name.
This is PHI and the act would be a HIPAA violation unless the patient had authorized the intern to take the picture and post it on Facebook (which isn’t likely). The intern could be in big trouble with the hospital and the federal government.
A thorough understanding of what PHI is (and isn’t) will help to ensure you can protect it (and yourself) appropriately.
Marcia L. Brauchler, MPH, CMPE, CPHQ, CPC, CPC-H, CPC-I, is a healthcare consultant and founder of Physicians’ Ally, Inc. She advises physicians and practice administrators on managed care contracts, reimbursement, coding, and compliance. Brauchler’s firm sells updated HIPAA policies and procedures at www.physicians-ally.com/hipaacompliance. She is a member of the South Denver, Colo., local chapter.