What exactly is considered PHI according to HIPAA?

Protected Health Information (PHI)

Protected Health Information (PHI) under HIPAA encompasses individually identifiable health information transmitted or maintained by covered entities under HIPAA or business associates. PHI HIPAA protection includes any data on an individual’s past, present, or future physical or mental health condition, healthcare provision, or payment for healthcare services. Examples range from diagnoses, treatment information, and medical test results to insurance policy details and claims information.

What isn’t PHI? 

Certain scenarios exist where health-related data, despite being personally identifiable, aren’t classified as PHI under HIPAA. For instance, research studies may utilize health-related information containing personal identifiers such as names or addresses. Still, if such data aren’t associated with healthcare service events or entered into medical records, they’re categorized as “research health information” (RHI) exempt from HIPAA regulations. Notably, other human subjects protection regulations still apply to such data.

Examples of RHI

Examples of research utilizing only RHI include aggregated (non-individual) data, diagnostic tests without results entered into medical records or disclosed to subjects, and testing without PHI identifiers. Specific genetic basic research, such as identifying potential genetic markers, may also fall into this category. However, genetic testing for known diseases, integral to diagnosis, treatment, and healthcare, constitutes PHI and is thus subject to HIPAA.

The 18 HIPAA Patient Identifiers

Additionally, it’s essential to understand the 18 identifiers specified by HIPAA, which render it HIPAA-protected health information.

1. Names
2. All geographical subdivisions smaller than a State, such as street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code under specific conditions outlined by the Bureau of the Census
3. All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89, as well as any elements of dates indicative of such age, except when aggregated into a single category of age 90 or older
4. Phone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record number
9. Health plan beneficiary numbers
10. Account number
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address number
16. Biometric identifiers, including finger and voice prints
17. Full-face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code, excluding the unique code assigned by the investigator to code the data

Real-Life-Illustration of PHI

Consider a scenario where a healthcare provider, Dr. Smith, treats a patient, Sarah. During a routine check-up, Sarah mentions her recent diabetes diagnosis. Dr. Smith records this information in Sarah’s medical file.

In this scenario:

• “Diabetes diagnosis” is health information.
• “Sarah has been diagnosed with diabetes” is individually identifiable health information.
• If Dr. Smith’s office records “Sarah has been diagnosed with diabetes,” both the identifier (“Sarah”) and the health information (“diabetes diagnosis”) are considered protected health information under HIPAA.