What is Protected Health Information?
The simple answer is any information that can be used to identify you from your Protected Health Information (PHI). PHI consists of 18 unique identifiers and must be removed in order to meet the “Safe Harbor Method” standard for de-identification.
PHI as defined by U.S. Department of Health and Human Services as the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rules, as any information about health status, provision of healthcare, or payment for healthcare that is created or collected by healthcare organizations, referred to as Covered Entities (CEs) or their third-party vendor acting on behalf of the CE, referred to as Business Associates (BAs)), and can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history[i].
The HIPAA Privacy Rule protects most “individually identifiable health information” held or transmitted or maintained in any form or medium by a Covered Entity (CE) or their third-party vendors, known as Health and Human Services Business Associates (BAs), in any form or medium, whether electronic, on paper, or oral.
The Privacy Rule calls this information Protected Health Information (PHI). PHI is information, including demographic information, which relates to:
- the individual’s past, present, or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. PHI includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above.
Understanding the Difference
The relationship with health information is fundamental. Identifying information alone, such as personal names, residential addresses, or phone numbers, would not necessarily be designated as PHI. For instance, if such information was reported as part of a publicly accessible data source, such as a phone book, then this information would not be PHI because it is not related to heath data (see above). But, if such information was listed with health condition, health care provision or payment data, such as an indication that the individual was treated at a certain clinic, then this information would be PHI.
For example, a medical record, laboratory report, or hospital bill would be PHI because each document would contain a patient’s name and/or other identifying information associated with the health data content.
By contrast, a health plan report that only noted the average age of health plan members was 45 years would not be PHI because that information, although developed by aggregating information from individual plan member records, does not identify any individual plan members and there is no reasonable basis to believe that it could be used to identify an individual.