The Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy rule uses Protected Health Information (PHI) to define the type of patient information that’s protected by law. PHI is an important factor for HIPAA compliance. But what is PHI?
PHI isn’t just confined to medical records and test results. In fact, any information distributed by a business associate that can identify a patient and is used or disclosed to a covered entity during the course of care is considered PHI. Even if that information doesn’t reveal a patient’s medical history, it is still considered PHI.
Understanding what is considered PHI under HIPAA is important for all providers in order to avoid violations that can result in big fines.
What is considered PHI under HIPAA Privacy Rule
As we previously mentioned, PHI isn’t limited to medical records or individually identifiable health information; it can be anything that identifies a patient and is used during the course of their care. This includes common identifying or basic information such as a patient’s:
- Phone number
- Email address
- Street address
- Address number
- Zip code
- Social security number
- Fax numbers
- License numbers
- Vehicle identifiers, such as license plate numbers
- Serial numbers
- Demographic information
- Education records
- Employment records
- Full face photographic images
There are also other more obvious types of identifiable health information created during the course of a health care service such as:
- Medical record number
- Unique identifying number
- An invoice with billing information
- An appointment reminder
- Blood test results
- Prescription information
- Beneficiary numbers
- Health insurance
- Mental health
- Health records
- Health status
- Oral communications
- Payment history
- Account number
- Family members
- Discharge date
- Admission date
- Biometric identifiers
- Device identifiers
Any information that can reasonably be used to identify an individual and is used during the course of care is considered PHI.
Examples of data that is NOT considered Protected Health Information
However, not all recorded data and information is considered PHI. Remember the two conditions that must both hold:
- Data needs to be personally identifiable to the patient
- Data must be used or disclosed to a covered entity during the course of care
This is especially important to remember for healthcare organizations (such as the U.S. Department of Health and Human Services), researchers and vendors who collect data for reports, studies and applications.
For these purposes, data can be de-identified so it can’t be used to identify a patient. HHS even provides guidance online on how to de-identify patient data. This process occurs every day for clinical trials and in the growing consumer health industry.
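The HHS guidance referred to above describes a “Safe Harbor” method of de-identification: remove 18 categories of identifiers (largely the same items listed earlier on this page), keep only the year of patient-related dates, aggregate ages over 89, and reduce ZIP codes to their first three digits (or “000” where that prefix covers 20,000 or fewer people). As an added illustration, not Paubox’s code or an HHS tool, the following Python de-identifier applies those rules to a constructed patient record. The field names, the low-population ZIP prefix set and the sample record are all assumptions made for the example.

```python
import re
from datetime import date

# Constructed field names mapped onto the HHS Safe Harbor identifier categories.
# A real record schema will use different keys; edit these sets to match it.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_number",
    "account_number", "license_number", "vehicle_plate", "device_serial",
    "url", "ip_address", "biometric_template", "face_photo", "street_address",
    "city", "county",            # geographic units smaller than a state
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Constructed placeholder: three-digit ZIP prefixes covering 20,000 or fewer people
# must become "000". The real list is derived from Census population data.
LOW_POPULATION_ZIP3 = {"036", "059", "102"}


def generalize_zip(zip_code):
    """Keep only the first three digits, or '000' for low-population prefixes."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 5:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3


def generalize_date(iso_date):
    """Drop month and day; Safe Harbor allows only the year of patient-related dates."""
    return date.fromisoformat(iso_date).year


def generalize_age(age):
    """Ages over 89 are aggregated into a single '90+' bucket."""
    return "90+" if age > 89 else age


def deidentify(record):
    """Return a Safe Harbor style copy of `record` with identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if value is None or key in DIRECT_IDENTIFIERS:
            continue                      # direct identifiers are dropped entirely
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        else:
            out[key] = value              # clinical content (diagnosis, labs, state) is kept
    return out


def remaining_identifier_fields(record):
    """Audit helper: direct-identifier keys still present in a record (expect none)."""
    return sorted(k for k in record if k in DIRECT_IDENTIFIERS)


# Constructed sample record for a fictional patient; not real data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "mrn": "MRN-0001234",
    "email": "jane.sample@example.com",
    "street_address": "1 Example Way",
    "city": "Cambridge",
    "state": "MA",
    "zip": "02139",
    "birth_date": "1931-04-12",
    "age": 93,
    "admission_date": "2024-02-03",
    "discharge_date": "2024-02-07",
    "diagnosis": "Type 2 diabetes mellitus",
    "hba1c_percent": 7.9,
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    for key, value in cleaned.items():
        print(f"{key}: {value}")
    print("identifier fields left:", remaining_identifier_fields(cleaned))
```

Note that removing these fields satisfies only the mechanical part of the method: the HHS Safe Harbor standard also requires that the covered entity has no actual knowledge that the remaining information could identify the individual, so free-text fields such as clinical notes need their own review before a record is treated as de-identified.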
In fact, a lot of consumer apps don’t even need to be HIPAA compliant because they do not transmit data to a covered entity for patient care.
How to protect PHI
Under the HIPAA Privacy Rule, PHI needs to be protected in all mediums: electronic, paper, and oral. (A common acronym, ePHI, stands for electronic protected health information.)
Covered entities (such as doctor’s offices, hospitals, health plans and health care clearinghouses) are all trying to use technology to streamline their processes and improve public health and patient care. This makes electronic PHI (ePHI) even more exposed to cyberattacks, including the recent rise in ransomware.
The HIPAA Security Rule establishes national standards to protect individuals’ ePHI that is created and used by covered entities. This includes setting requirements for physical, technical and administrative safeguards.
While covered entities need to ensure physical and administrative safeguards, Paubox can help make sure technical safeguards are in place for providers when they communicate electronically. Paubox does this in a way that is easy for everyone to use and doesn’t require extra steps for the sender or recipient.
Paubox Encrypted Email allows patients and medical professionals to exchange PHI securely while using their existing work email accounts or a hosted Paubox email account. Senders compose and send emails as they normally would and still get HIPAA compliant encryption: no extra clicks, keywords to type, or portals to log in to.
The experience is just as seamless for recipients who don’t have to download software, create an account, or use a portal to view encrypted email or attachments.
Paubox also provides a HIPAA compliant email API, which allows healthcare providers, IT consultants and developers to integrate our seamless and secure email solution with their IT infrastructure.