ELI5: What is Protected Health Information?
It’s any detail about your doctor visits, medicines, or health that also says who you are. Sharing it without permission is like reading someone’s diary out loud at school.
Definition
Protected Health Information (PHI) is any individually identifiable health information that is created, received, maintained, or transmitted by a HIPAA-covered entity or business associate. PHI encompasses medical records, diagnoses, treatment information, lab results, prescription information, and any other health data that can be linked to a specific individual through 18 designated identifiers (name, address, dates, SSN, phone number, etc.). Electronic PHI (ePHI) is specifically governed by the HIPAA Security Rule.
Key Details
- 18 HIPAA identifiers: name, geographic data, dates (except year), phone/fax, email, SSN, medical record numbers, health plan numbers, account numbers, certificate/license numbers, VINs, device identifiers, web URLs, IP addresses, biometric identifiers, full-face photos, and any other unique identifiers
- De-identification of PHI (removing or obscuring all 18 identifiers) removes it from HIPAA protection
- ePHI must be protected with administrative, physical, and technical safeguards per the HIPAA Security Rule
- Business Associates that handle PHI must sign BAAs and comply with HIPAA requirements
- Exam tip: PHI is a subset of PII; all PHI is PII, but not all PII is PHI
Connections
- Parent: privacy — PHI is a regulated category of sensitive personal health information
- See also: hipaa
- See also: pii-personally-identifiable-information