What is PHI and why should you care?

Posted: Aug 19, 2014
Under the Health Insurance Portability and Accountability Act (HIPAA), Protected Health Information (PHI) is defined as “individually identifiable health information”. With higher fines and increased enforcement taking place, it’s crucial that each person within your organization, at every stage of handling, is fully up to speed on what constitutes PHI.

So what is ‘individually identifiable health information’?

There are three key components:

  • Information that identifies an individual.
  • Health information, including demographic data.
  • Information that concerns an individual’s physical or mental health, or the provision of or payment for health

Any one or combination of the above constitutes PHI and must be treated with the utmost confidentiality when transferred or stored in any form or medium by a Covered Entity (CE) or its Business Associate (BA). If you’re a healthcare or health plan provider, or a healthcare clearing house, you are defined as a Covered Entity. This means you must put in place the necessary physical, technical and organizational safeguards to protect individuals’ sensitive health information.

HIPAA classifies 18 identifiers as PHI; each could be used, either alone or together with other information, to identify an individual. These are:

  • Name
  • Address/geographical identifiers (note: geographical identifiers smaller than state, including street address, city, county, or ZIP code)
  • All dates (except years) related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
  • Telephone numbers
  • FAX number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers or serial numbers
  • Web URLs
  • IP address
  • Biometric identifiers, including retinal, finger or voice prints
  • Full-face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code

Why should you care?

Data breaches do occur, whether through theft, loss or the destruction of data. A breach may be intentional, the result of an accident, or unauthorized access from inside or outside your organization. Regardless of how PHI is exposed, the results can be devastating to both the individuals affected and the organization as a whole.

By understanding what information is protected, you can work towards HIPAA compliance. Could you have recalled the 18 identifiers above? How many of your colleagues know what is defined as ‘individually identifiable health information’? Education is key, so establish comprehensive IT procedures to lower the risk of a data breach. Once procedures are in place, make sure you regularly review and reassess them so that all personnel understand the importance of PHI.

It is necessary that you prohibit notoriously insecure devices and adopt HIPAA-compliant IT solutions wherever data is transferred or stored. By doing so, you can rest assured knowing that all possible measures have been taken to ensure data remains protected.

Want to know more? Keep an eye on the blog or @ScryptInc on Twitter for our next post on data breaches!