Defining PHI Helps Secure Information
Under the HIPAA Privacy Rule, protected health information (PHI) refers to health information that can identify an individual, or can be used with other available information to identify an individual. PHI requires two things:
- An identifier; and
- A piece of health information
The HIPAA Privacy Rule defines “individual identifiers” to include names, addresses, Social Security numbers, telephone numbers, e-mail addresses, dates of birth, and similar details. Even a license plate number on a patient intake form, if it’s the only identifying information, can be considered PHI because it could be used to identify a person.
What is PHI?
PHI can come in many forms: telephone calls and voice mails, X-rays, photos and videos, verbal interactions (e.g., overheard conversations), faxes, and digital information, such as a patient’s electronic medical record. PHI in an electronic format is also protected by HIPAA’s Security Rule.
PHI is not limited to current information. It can relate to a patient’s past, present, or future physical or mental health or condition; health care provided to the individual; or the past, present, or future payment for health care to the individual. For example, if a patient was hospitalized in a mental institution in his teens, but he is now 65, that information is still protected under HIPAA.
HIPAA excludes educational records held by schools, which are covered by a different federal privacy law: the Family Educational Rights and Privacy Act (FERPA). Also, employment records containing identifiable health information that are held by a covered entity acting as an employer are not considered PHI.