In this lesson, we'll be going into some detail on what PHI is. At the end of the lesson, we'll dig into when PHI really isn't PHI, or in other words, exceptions to PHI.

In a nutshell, PHI (protected health information) is individually identifiable health information about a person's past, present, or future physical or mental health condition, the healthcare provided to that person, or payment for that care. This can include documentation of doctor visits, charts and notes made by physicians and other healthcare staff, healthcare payment information, claim status, and the coordination of healthcare benefits.

Pro Tip #1: It's worth noting that HIPAA's Privacy Rule covers PHI in every form, including electronic, paper, and even oral/spoken. (The Security Rule's administrative, physical, and technical safeguards apply specifically to electronic PHI, or ePHI.) Many people forget that spoken PHI is still PHI. Be especially mindful when discussing healthcare-related information with anyone: other patients, staff, and business associates.

You may recall from the corresponding video for this lesson that one patient overheard two healthcare employees talking about another patient's health information. When in doubt, always assume that someone might be listening. And do everything you can to make sure private conversations take place in private locations.

Think of PHI the way you would classified information. You have been given clearance to see it. But it's your responsibility to keep it safe and from falling into the wrong hands at all times.

A More In-Depth Look at PHI

Under HIPAA rules and regulations, PHI is any individually identifiable health information that is created, received, used, maintained, stored, or transmitted by a covered entity or its business associates.

As mentioned above, PHI is health information in any form, including physical records, electronic records, or spoken information. This means that PHI includes health records, health histories, lab test results, and medical bills.

Pro Tip #2: The key point to remember regarding PHI is that, to be PHI, health information must be linked to individual identifiers such as patient names, social security numbers, driver's license numbers, insurance details, and birth dates. Demographic information (age, address, and so on) is also PHI under the HIPAA Rules when it is held together with health information.

There are 18 identifiers in total (this is the list used by the Safe Harbor de-identification method), and they include the following:

  1. Names
  2. Dates (except year) directly related to an individual, such as birth date, admission and discharge dates, and date of death, plus all ages over 89
  3. Telephone numbers
  4. Geographic data smaller than a state, including street address, city, county, and ZIP code (the first three digits of a ZIP code may be kept when that area contains more than 20,000 people)
  5. Fax numbers
  6. Social security numbers
  7. Email addresses
  8. Medical record numbers
  9. Account numbers
  10. Health plan beneficiary numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers including license plates
  13. Web URLs
  14. Device identifiers and serial numbers
  15. Internet Protocol (IP) addresses
  16. Full face photos and comparable images
  17. Biometric identifiers, such as retinal scans and fingerprints
  18. Any other unique identifying number, characteristic, or code

Can PHI be Disclosed for Public Health Activities?

The short answer is yes. The Privacy Rule permits a covered entity to disclose PHI, without the patient's authorization, to a public health authority that is authorized by law to collect it for the purpose of preventing or controlling disease, injury, or disability. That includes the CDC (Centers for Disease Control and Prevention) and federal, state, tribal, and local public health authorities. A related permission covers disclosures to an employer about a workplace injury or illness, or workplace medical surveillance, when the employer needs the information to comply with OSHA (or equivalent state-law) recordkeeping and reporting requirements. None of these recipients is acting on the covered entity's behalf, so no business associate agreement is required; the disclosure must fit the permission, though, and it must be recorded in the covered entity's accounting of disclosures.

Pro Tip #3: One caveat to remember, though, is that the minimum necessary standard still applies: a covered entity should reasonably limit the PHI disclosed in these circumstances to what is needed for the stated public health purpose and nothing more. Remember, less is more when it comes to sharing personal health information.

So, why would OSHA request PHI? OSHA's interest is occupational: workplace injury and illness records, exposure records, and medical surveillance results needed to enforce workplace safety rules. Broader requests tied to a natural disaster or a state of emergency, for example to understand the demographics of an affected area before mobilizing the National Guard, first responders, or military personnel, come from public health authorities and emergency-management agencies rather than OSHA.

It's important to remember that if you are contacted by someone claiming to be from the government about sharing PHI, you must verify their legitimacy before disclosing anything. Do not rely on the phone number or email address supplied in the request itself; look up the agency's published contact details independently and call back through them, ask for a written request on agency letterhead that cites the legal authority for the request, confirm it with your privacy officer, and log the disclosure. Impersonating a public health official is an easy way for an attacker to social-engineer PHI out of busy staff.

A Word About the Exceptions to PHI

You may be tempted to think that all health information is considered PHI under HIPAA, but this isn't true, and there are some exceptions.

One determining factor is who records the information. A good example is health trackers, such as wearable devices or apps on mobile phones. These devices record health information such as heart rate or blood pressure, which would be PHI under HIPAA if it were recorded by a healthcare provider or used by a health plan.

However, the HIPAA rules apply only to HIPAA covered entities and their business associates. This means that if the device manufacturer or app developer is not itself a covered entity and hasn't been engaged by one as a business associate, the same readings are not PHI under HIPAA. (They may still be regulated by other laws, such as the FTC's Health Breach Notification Rule or state privacy laws, so "not PHI" does not mean "not sensitive".)

The same logic applies to education and employment records. Education records covered by FERPA are excluded from the definition of PHI, as are employment records that a covered entity holds in its role as an employer. Let's say a hospital holds data on its employees that includes some health information, like allergies or blood types, gathered for occupational purposes. HIPAA rules do not apply to that information, even though the same hospital must treat the same employee's records as PHI when the employee is seen as a patient.

Also, it's important to remember that under HIPAA, health information ceases to be PHI once it has been properly de-identified. There are two recognized methods: the Safe Harbor method, which removes all 18 identifiers listed above and additionally requires that the covered entity has no actual knowledge that the remaining information could identify the individual, and the Expert Determination method, in which a qualified expert documents that the risk of re-identification is very small. The result is de-identified health information, not PHI, and the HIPAA rules no longer apply to it. A re-identification code may be retained, but it must not be derived from the identifiers and the re-identification mechanism must not be disclosed.
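As an added example (not part of the original lesson), here is a small Python script that applies the Safe Harbor rules from the identifier list above to a constructed patient record: it drops the direct identifiers, keeps only the first three ZIP digits (or 000 for sparsely populated areas), reduces dates to the year, aggregates ages over 89 into a single "90+" category, and scrubs the identifier patterns a regex can catch from a free-text note. The sample record, the set of small-population ZIP prefixes, the reference date, and the regexes are assumptions for illustration, not authoritative data.

```python
import re
from datetime import date

# Constructed sample record for illustration only; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1931-04-17",
    "zip": "02139",
    "phone": "(617) 555-0142",
    "email": "jane.sample@example.org",
    "mrn": "MRN-0048213",
    "ip": "203.0.113.42",
    "note": ("Pt seen 2023-11-05, labs drawn 2023-11-06. Results posted at "
             "https://portal.example.org/visit/9981. Contact 617-555-0142 or "
             "jane.sample@example.org. SSN 123-45-6789 on file."),
}

# Assumed reference date for computing age; in practice use the date the
# data set is released.
REFERENCE_DATE = date(2024, 1, 1)

# Three-digit ZIP prefixes whose area contains 20,000 or fewer people must
# become 000. Assumption: this set is an illustrative placeholder; the
# authoritative list is derived from Census data and must be kept current.
SMALL_POPULATION_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                         "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Identifier patterns a regex can find in free text. Order matters: SSNs are
# replaced before the looser phone pattern gets a chance to match them.
FREE_TEXT_PATTERNS = [
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("URL",   re.compile(r"https?://[^\s.,;]+(?:\.[^\s.,;]+)*")),
    ("IP",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("PHONE", re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b")),
    ("MRN",   re.compile(r"\bMRN-\d+\b")),
]
ISO_DATE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")

# Fields that are direct identifiers and are dropped outright.
DROPPED_FIELDS = ("name", "phone", "email", "mrn", "ip")


def scrub_free_text(text: str) -> str:
    """Replace regex-detectable identifiers with typed placeholders, then
    reduce ISO dates (YYYY-MM-DD) to the year only."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(f"[{label}]", text)
    return ISO_DATE.sub(lambda m: m.group(1), text)


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits only, and only for populous areas."""
    zip3 = zip_code[:3]
    return "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3


def age_on(dob: date, ref: date) -> int:
    """Completed years between dob and ref."""
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))


def generalize_birth(dob_iso: str, ref: date) -> dict:
    """Safe Harbor allows the birth year to stay, but ages over 89 must be
    aggregated into one '90 or older' category. Keeping the birth year for
    such a person would reveal the exact age, so it is dropped too."""
    dob = date.fromisoformat(dob_iso)
    years = age_on(dob, ref)
    if years > 89:
        return {"birth_year": None, "age": "90+"}
    return {"birth_year": dob.year, "age": years}


def deidentify(record: dict, ref: date) -> dict:
    """Produce a Safe Harbor style de-identified view of one record."""
    out = generalize_birth(record["dob"], ref)
    out["zip3"] = generalize_zip(record["zip"])
    out["note"] = scrub_free_text(record["note"])
    out["dropped_fields"] = [f for f in DROPPED_FIELDS if f in record]
    return out


if __name__ == "__main__":
    for key, value in deidentify(SAMPLE_RECORD, REFERENCE_DATE).items():
        print(f"{key}: {value}")
```

Two things the script deliberately does not solve. It cannot find names or "any other unique identifying characteristic" in free text (a note reading "the patient, a retired senator from Vermont" would pass untouched), so structured fields should be preferred over notes wherever possible and free text should be reviewed or run through a proper clinical NLP de-identifier. And removing the 18 identifiers is only half of Safe Harbor: the covered entity must also have no actual knowledge that what remains could identify the person, which a script cannot assert on anyone's behalf.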