What is PHI?
Under HIPAA, PHI (Protected Health Information) is the category of information that covers all individually identifiable health information: personal information (name, address, date of birth, etc.), health status, medical history, and health care payment records. According to the HIPAA Privacy Rule, PHI can exist in oral, written, or electronic form.
PHI is protected in the sense that using or disclosing it is forbidden except in narrowly authorized circumstances. For example, PHI may be used when doctors need patient data to perform their job, in emergency situations, and when treatment is coordinated with other health care providers or business associates. PHI is no longer protected once it has been de-identified, i.e. when it is part of a large data set from which the personally identifiable information has been removed or obscured, as is done for medical research.
What is ePHI?
Any PHI data that is created, transmitted, received, or stored electronically is referred to as Electronic PHI (ePHI) and must be handled with the appropriate security controls in compliance with HIPAA Security Rule requirements.
Unauthorized use or disclosure of PHI or ePHI by Covered Entities (e.g. hospitals, doctors, health insurance companies) or Business Associates (third parties such as cloud billing services) carries the risk of severe civil and criminal penalties.
Types of PHI
For reference, the 18 types of information that are classified as PHI are:
- Dates (of appointments, payments, etc.)
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan / insurance beneficiary number
- Account number
- Certificate / license number
- Any vehicle identifiers (e.g. license plate number)
- Device identifiers and serial numbers
- Web URLs (Links)
- Internet Protocol (IP) address
- Biometric identifiers (fingerprint, retinal, or voice)
- Photographic images
- Any other characteristic that may be used to uniquely identify the individual
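The identifier list above is, in practice, the specification for a de-identification check: before a data set leaves a covered environment (for research, analytics, or a vendor), each of these categories has to be removed or obscured. The following Python example, added here and not part of the original page, shows one way to do that for the categories with a recognisable surface form (dates, phone and fax numbers, email addresses, Social Security numbers, URLs, IP addresses) and for structured fields that carry the rest (names, medical record and account numbers, device serials, and so on). The field names, the regular expressions, and the sample record are all constructed for this example and are assumptions; a production filter would need locale-specific patterns, a reviewed field inventory, and a decision on whether to retain the year of a date.

```python
"""Safe Harbor-style PHI detection and redaction over a patient record.

Constructed example: the field names, regexes and sample data below are
assumptions for illustration, not an official HIPAA tool.
"""
from __future__ import annotations

import re
from typing import Any

# Structured fields that hold PHI categories with no fixed surface form
# (names, MRNs, account/beneficiary numbers, serials, photos, biometrics).
# Hypothetical field inventory; a real system derives this from its schema.
IDENTIFIER_FIELDS = {
    "name", "address", "mrn", "medical_record_number", "account_number",
    "beneficiary_number", "license_number", "license_plate", "device_serial",
    "ssn", "email", "phone", "fax", "ip", "url", "photo", "biometric",
}

# Free-text patterns for categories that can be recognised by shape.
# Order matters: URLs (which may embed IPs) and SSNs are replaced before the
# broader IP/phone patterns get a chance to match inside them.
PATTERNS: list[tuple[str, re.Pattern[str]]] = [
    ("url", re.compile(r"\bhttps?://\S+", re.IGNORECASE)),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("date", re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b")),
    ("phone", re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")),
]


def redact_text(text: str) -> tuple[str, dict[str, int]]:
    """Replace each pattern match with a category tag; return text and counts."""
    counts: dict[str, int] = {}
    for category, pattern in PATTERNS:
        text, hits = pattern.subn(f"[{category.upper()}]", text)
        if hits:
            counts[category] = hits
    return text, counts


def find_phi(record: dict[str, Any]) -> list[str]:
    """Audit helper: list the PHI categories present in a record.

    Identifier fields are reported as 'field:<name>'; free-text hits by
    pattern category. An empty list means nothing was detected.
    """
    found: set[str] = set()
    for key, value in record.items():
        if key.lower() in IDENTIFIER_FIELDS:
            found.add(f"field:{key.lower()}")
        if isinstance(value, str):
            _, counts = redact_text(value)
            found.update(counts)
    return sorted(found)


def deidentify_record(record: dict[str, Any]) -> dict[str, Any]:
    """Drop identifier fields outright and redact patterns in remaining text."""
    clean: dict[str, Any] = {}
    for key, value in record.items():
        if key.lower() in IDENTIFIER_FIELDS:
            continue  # whole field is an identifier: remove, do not mask
        if isinstance(value, str):
            value, _ = redact_text(value)
        clean[key] = value
    return clean


# Constructed sample record; not real patient data.
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Example",
    "mrn": "MRN-0001234",
    "diagnosis": "Type 2 diabetes",
    "note": (
        "Follow-up on 03/14/2024; call 555-123-4567 or jane@example.org. "
        "Portal https://portal.example.org/p/123 from 10.0.0.5. SSN 123-45-6789."
    ),
}

if __name__ == "__main__":
    print("PHI found:", find_phi(SAMPLE_RECORD))
    cleaned = deidentify_record(SAMPLE_RECORD)
    print("De-identified:", cleaned)
    print("PHI remaining:", find_phi(cleaned))
```

`find_phi` is the detection half (useful as a pre-export gate or a DLP-style check on outbound records); `deidentify_record` is the mitigation half. Running `find_phi` again on the cleaned record and requiring an empty result is the check a practitioner would wire into a release pipeline. The example redacts whole dates; the page's list treats dates as an identifier, and keeping only the year is a policy choice outside this snippet.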