Individually identifiable health information (IIHI) is health-related data that can identify a person linked to their health status, services received, or payment details. It's broader than protected health information (PHI), which refers specifically to data managed by covered entities under HIPAA regulations. IIHI includes information not covered by HIPAA if not tied to these entities.
Defining individually identifiable health information
Individually identifiable health information (IIHI) encompasses a vast array of data that can be used to identify a specific individual and is connected to their health status, healthcare services received, or payment for those services. This type of information includes personal identifiers like:
- Names
- Addresses
- Dates of birth
- Social Security numbers
- and more.
Additionally, any details related to an individual's medical history, diagnoses, treatments, prescriptions, and health insurance information fall under the umbrella of IIHI.
What is protected health information (PHI)?
PHI is individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or their business associates. Covered entities include healthcare providers, health plans, and healthcare clearinghouses. PHI is subject to the specific privacy and security requirements mandated by HIPAA.
Note: Protected health information (PHI) is a subset of IIHI.
Related: What are the 18 PHI identifiers?
What are the differences between IIHI and PHI?
The main distinction between IIHI and PHI lies in the entity responsible for the data. While IIHI encompasses a broader spectrum of health-related information that could be individually identifiable, not all IIHI qualifies as PHI. The pivotal factor is whether the information is associated with a covered entity subject to HIPAA regulations.
- IIHI: Encompasses health-related information that could be individually identifiable but is not covered by HIPAA if not associated with a covered entity.
- PHI: Involves individually identifiable health information created, received, maintained, or transmitted by covered entities or their business associates, and is regulated by HIPAA.
HIPAA and its scope
The Health Insurance Portability and Accountability Act (HIPAA) was enacted to ensure the privacy, security, and confidentiality of PHI held by covered entities and their business associates. Its scope extends to regulating the storage, use, and transmission of PHI, effectively mitigating the risks of unauthorized access and data breaches.
Why must PHI be protected?
The confidentiality of PHI not only respects patient autonomy but also safeguards sensitive medical information from falling into the wrong hands. Breaches of PHI can lead to severe legal penalties, irreparable damage to patient trust, and potential harm to individuals if their medical information is misused or exposed.
Steps to ensure HIPAA compliance when handling PHI
- Implement security measures: Employ encryption, access controls, and secure data storage systems to protect PHI from unauthorized access.
- Cultivate privacy-conscious practices: Train employees on proper data handling, limiting access to PHI, and following HIPAA protocols.
- Regular employee training: Conduct routine training sessions to keep staff informed about HIPAA regulations and best practices for handling PHI.
- Conduct ongoing risk assessments: Regularly assess potential vulnerabilities in PHI handling procedures and address any identified risks.
- Establish breach notification protocols: Develop clear procedures for reporting and responding to PHI breaches promptly and effectively.
- Ensure HIPAA compliant communication: When sharing PHI, use HIPAA compliant email platforms with encryption to avoid breaches.
The differentiation between individually identifiable health information (IIHI) and protected health information (PHI) forms the foundation of patient data privacy, effectively defining the scope of regulations under HIPAA.
Liyanda Tembani
