What is Protected Health Information (PHI)?
Marcia L. Brauchler, MPH, CPHQ, CPC-P, CPC-H, CPC-I
Under the HIPAA Privacy Rule, protected health information (PHI) refers to health information that can identify an individual, or can be used with other available information to identify an individual. The HIPAA rule applies specifically to “covered entities” and their “business associates.” PHI requires two things:
- An identifier; and
- A piece of health information
The HIPAA Privacy Rule provides us with a list of what the federal government considers to be “individual identifiers.” These include names, addresses, social security numbers, telephone numbers, e-mail addresses, dates of birth, etc. Even a license plate number on a patient intake form, if it’s the only identifying information, can be protected health information because it could be used to identify a person.
HIPAA excludes some forms of health information from the definition of PHI, such as educational records held by schools. These records are covered by a different federal privacy law: the Family Educational Rights and Privacy Act (FERPA).
Also, employment records containing identifiable health information that a covered entity holds in its role as an employer are not considered PHI. For instance, if ABC Company requires drug testing of all applicants, and the company maintains files containing this health information in its Human Resources department, these files are not considered PHI.