Protected Health Information: Definition and Best Practices

Protected Health Information matters to practically anyone working in healthcare, whether at a small practice or a large healthcare provider. What exactly is Protected Health Information, why does it matter so much, and how should you handle it?

Read on to find out more.

What is Protected Health Information? 

In short, Protected Health Information (PHI) is individually identifiable health information that is transmitted or maintained in any form or medium (paper, electronic, or oral). This includes “any oral, written, or electronic communication of information about a patient that identifies him or her and that arises out of the provision of healthcare.”

To define what counts as PHI, we first need a short detour through HIPAA, the Health Insurance Portability and Accountability Act of 1996.

In essence, individually identifiable health records such as laboratory reports, medical histories, test results, and prescription records are protected under HIPAA when they are held by an organization the law covers. Note the scope: HIPAA does not protect every document that mentions health; it protects identifiable health information in the hands of covered entities and their business associates.

The HIPAA Privacy and Security Rules require covered entities (health plans, health care clearinghouses, and health care providers that transmit health information electronically for standard transactions such as claims) and their business associates to follow strict rules on how this data may be used, disclosed, and protected.

So, that being out of the way, what is PHI? 

Let's dig a little deeper and take this definition apart, piece by piece. "Individually identifiable health information" is health information that identifies an individual, or that could reasonably be used to identify them, and that relates to their past, present, or future health, care, or payment for care. A patient's name is the obvious example, but home addresses, email addresses, and similar details fall in the same category.

It also includes healthcare identifiers such as medical device numbers, medical record numbers, health plan numbers, and specific dates (of admission, discharge, and so on). A detail on its own is rarely sensitive; it becomes PHI when it is tied to health information about that person.

Who Stores and Manages Protected Health Information?

Keep in mind that the organization which holds PHI controls how it is used and handled, and is accountable for what happens to it.

This applies to business associates too: a vendor that handles PHI on a covered entity's behalf (a billing service, a cloud host, a form provider) must sign a business associate agreement and is directly liable under HIPAA for how it uses, discloses, and safeguards that data.

What Is NOT Protected Health Information? 

Knowing what falls under the "Protected Health Information" label is important, but it's equally important to know what doesn't. Employment records that a covered entity holds in its role as an employer are not PHI, and neither are education records covered by FERPA. Health data that cannot be tied to a person, or that is held by an organization HIPAA does not cover (a consumer fitness app, say), is also outside the definition, although other privacy laws may still apply to it.

Protected Health Information Examples 

To make things clearer, let's look at what qualifies as PHI. HIPAA's Safe Harbor de-identification standard lists 18 types of identifiers (often called the "HIPAA identifiers"), among them names, geographic subdivisions smaller than a state, dates directly related to an individual, phone numbers, Social Security Numbers, medical record numbers, IP addresses, biometric identifiers, full-face photographs, and device identifiers and serial numbers. Health information carrying any of these is PHI.

Strip all 18 from a data set, and provided you have no actual knowledge that what remains could still identify someone, it is no longer considered PHI.

Sharing Information without Giving Out the Identity 

In some situations, information that would otherwise qualify as Protected Health Information can be de-identified for a specific purpose (research, quality reviews, or analytics, for example). HIPAA allows two ways to do this: the Safe Harbor method, where all 18 identifiers are removed and the organization has no actual knowledge that the remaining data could identify the patient, and the Expert Determination method, where a qualified expert documents that the risk of re-identification is very small. Once data has been properly de-identified it is no longer PHI, and the Privacy Rule no longer restricts its use or disclosure.
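The Safe Harbor method is mechanical enough to show in code. The example below is added here and is not from the original article or any regulation text: it drops the direct identifiers, reduces dates to the year, folds ages over 89 into a single "90 or older" bucket (dropping the birth year with them), truncates ZIP codes to three digits, and refuses to emit a record that still contains identifier-shaped strings in free text. The column names, the sample record, and the restricted-ZIP prefix set are constructed assumptions; use the current census-derived prefix list and your own schema in practice.

```python
"""Safe Harbor style de-identification of a patient record.

Field names, the restricted-ZIP set and the sample record are constructed
assumptions for this example, not part of the article or any regulation text.
"""
import re
from datetime import date

# Assumed column names grouped by Safe Harbor identifier category; map your
# own schema the same way.
DIRECT_IDENTIFIERS = {
    "name", "address", "email", "phone", "fax", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes that cover fewer than 20,000 people must become
# "000". Illustrative set (assumption); use the current census-derived list.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Identifier shapes that betray PHI left behind in free-text fields.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}

AS_OF = date(2024, 6, 1)  # reference date for the age calculation (constructed)

SAMPLE = {  # constructed record, not real patient data
    "mrn": "MRN-0001923",
    "name": "Jane Example",
    "email": "jane@example.org",
    "dob": "1931-02-17",
    "zip": "03655",
    "admission_date": "2024-03-09",
    "diagnosis_code": "I10",
    "notes": "BP elevated on admission; follow-up in two weeks.",
}


def age_on(dob: date, as_of: date) -> int:
    """Whole years from dob to as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def truncate_zip(zip_code: str) -> str:
    """Keep the first three digits unless that prefix is on the restricted list."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def residual_identifiers(record: dict) -> list:
    """Return (field, pattern) pairs for identifier-like strings still present."""
    hits = []
    for key, value in record.items():
        if isinstance(value, str):
            for name, pattern in RESIDUAL_PATTERNS.items():
                if pattern.search(value):
                    hits.append((key, name))
    return hits


def deidentify(record: dict, as_of: date) -> dict:
    """Apply Safe Harbor rules; refuse to return a record that still looks identifiable."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # dropped outright
        if key == "zip":
            out["zip3"] = truncate_zip(value)
        elif key in DATE_FIELDS:
            d = date.fromisoformat(value)  # only the year may survive
            if key == "dob":
                age = age_on(d, as_of)
                if age > 89:
                    out["age"] = "90 or older"  # year of birth must go too
                else:
                    out["age"] = age
                    out["birth_year"] = d.year
            else:
                out[key.replace("_date", "_year")] = d.year
        else:
            out[key] = value
    leftovers = residual_identifiers(out)
    if leftovers:
        # "No actual knowledge" condition: fail closed rather than leak.
        raise ValueError(f"residual identifiers found: {leftovers}")
    return out


if __name__ == "__main__":
    print(deidentify(SAMPLE, AS_OF))
```

The residual scan is the part people skip: free-text notes are the usual place a phone number or full date survives a column-based scrub, and Safe Harbor only holds if you have no actual knowledge that the remaining data identifies the patient, so the function fails closed instead of returning a "mostly" de-identified record.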

There are also situations where PHI may or must be disclosed without the patient's authorization, for example when a healthcare professional reports to law enforcement a death they suspect resulted from a crime, or when the Department of Health and Human Services requests records during a compliance investigation.

How to Guard Protected Health Information

Now that we know what is (and isn't) Protected Health Information, how do you make sure you guard yours as effectively as possible?

Some of the absolute basics you should keep in mind include the following: 

Be very mindful of your data collection processes

Collect only the PHI you actually need for the purpose at hand. Data hygiene and clear data-management processes, including knowing where every copy of PHI lives, make it far easier to abide by HIPAA at every step.

Limit who has access to PHI

Apply the minimum-necessary standard: each role sees only the PHI it needs to do its job. The fewer people and systems that can reach this data, the smaller your exposure when an account is compromised or a device is lost.

Regularly review data 

Check regularly whether PHI has ended up on laptops, phones, shared drives, email, or spreadsheets outside the systems meant to hold it, and either remove it or bring it under the same controls.

Use Adequate Systems 

Make sure the systems you use are configured to meet HIPAA requirements, encrypt PHI both in transit and at rest, and come with a business associate agreement from the vendor. No product is "HIPAA compliant" on its own; compliance depends on how your organization configures and operates it.

Train Employees 

Train employees in HIPAA before they handle PHI and refresh that training regularly, so that everyone follows clear procedures for every category of PHI.

Keep Track of PHI Transmission

Another basic step is to log every transmission and disclosure of PHI: who sent what class of data to whom, when, and why. This lets you trace data at every point of its life cycle, supports the patient's right to an accounting of disclosures, and gives you something to reconstruct events from during an incident. Log the event, not the data itself; an audit log full of PHI is just one more place you have to protect.
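A disclosure log is only useful if it can be trusted after the fact and does not itself become a PHI leak. The example below is added here and is not code from the original article: each entry refers to the patient by a keyed HMAC pseudonym rather than the medical record number, and entries are hash-chained so that editing or deleting an earlier record is detectable. The pseudonym key, actor names, and events are constructed for the demonstration; a real deployment would pull the key from a key management service and write entries to append-only storage.

```python
"""Tamper-evident log of PHI disclosures.

Added example, not code from the article. The pseudonym key, actor names and
sample events are constructed; a real deployment would pull the key from a KMS.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64
PSEUDONYM_KEY = b"constructed-demo-key-store-the-real-one-in-a-kms"


def patient_ref(mrn: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym: the log never carries the MRN itself."""
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def entry_hash(entry: dict) -> str:
    """Hash of every field except the entry's own hash, in a canonical order."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class DisclosureLog:
    def __init__(self):
        self.entries = []

    def record(self, ts, actor, mrn, recipient, purpose, data_class):
        """Append one disclosure event chained to the previous entry."""
        entry = {
            "ts": ts, "actor": actor, "patient_ref": patient_ref(mrn),
            "recipient": recipient, "purpose": purpose, "data_class": data_class,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (ok, index): index is the first broken entry, or the count if ok."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or entry_hash(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, len(self.entries)

    def disclosures_for(self, mrn):
        """Accounting of disclosures for one patient, looked up by pseudonym."""
        ref = patient_ref(mrn)
        return [e for e in self.entries if e["patient_ref"] == ref]


def build_sample_log() -> DisclosureLog:
    """Constructed events for demonstration; MRNs and names are not real."""
    log = DisclosureLog()
    log.record("2024-03-09T10:15:00Z", "dr.lee", "MRN-0001923",
               "Lab Partners Inc", "treatment", "lab_order")
    log.record("2024-03-10T08:02:00Z", "billing-svc", "MRN-0001923",
               "Acme Health Plan", "payment", "claim")
    log.record("2024-03-10T09:30:00Z", "dr.lee", "MRN-0004471",
               "Imaging Center", "treatment", "referral")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(log.verify())
    log.entries[0]["recipient"] = "someone else"  # simulate tampering
    print(log.verify())
```

Because the pseudonym is keyed, someone who obtains the log alone cannot map entries back to patients, yet the organization can still answer a patient's request for an accounting of disclosures by recomputing the pseudonym. The chain only detects tampering; it does not prevent it, which is why the entries should also be written somewhere the application cannot rewrite.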

Dispose Correctly 

Likewise, dispose of PHI correctly. Paper records should be shredded or otherwise destroyed so they cannot be reconstructed, and electronic records should be securely erased (or the media destroyed) following a media sanitization standard such as NIST SP 800-88; simply deleting a file leaves it recoverable.

Obviously, these are just some of the tips to keep in mind when it comes to HIPAA and PHI. Entire bookshelves could be filled on the subject, but in a nutshell, the advice in this article is the core of it (and so are proper HIPAA-compliant forms, just sayin').