What is Protected Health Information (PHI)?
Every day, a wide range of organizations — from healthcare providers to insurance companies, dentists, pharmacies, and more — collect, create, store, or otherwise interact with sensitive patient data known as protected health information (PHI). These businesses must meet strict security and privacy requirements established by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) — or else face significant fines and legal actions.
But what counts as PHI? How does it differ from other forms of consumer data? And, perhaps most importantly, what steps should an organization take to ensure that this information is adequately protected?
Below, we answer these and other questions you may have about protected health information so you’ll be better equipped to comply with HIPAA and related regulations.
What is protected health information (PHI)?
Protected health information (PHI) refers to specific types of medical information that can be tied back to an individual person, which is collected or used by healthcare providers and other entities covered by HIPAA.
To fully understand what PHI is, it’s important to break down the different ways medical information can be segmented. This includes health information, individually identifiable health information (IIHI), and finally, protected health information as defined by HIPAA.
Health information is any information related to an individual’s physical and mental health, the treatment they receive, and how they pay for this treatment. This includes information about the past, present, and future. It’s important to note that the information must be created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse to qualify as health information.
Individually identifiable health information (IIHI) is a subset of health information. Specifically, the term refers to demographic information, contact information, and geographic information about an individual that is related to their care and which either directly identifies or has the reasonable potential to identify the individual.
Protected health information (PHI) is any individually identifiable health information specifically transmitted by or maintained in electronic media or in any other form.
What is ePHI?
ePHI, or electronic protected health information, is a term used to refer to protected health information that is collected, saved, or transmitted in an electronic form. Some examples of ePHI include protected health information collected via a website or web application, sent by email, or digitized from physical copies.
Whether ePHI is stored as a digital file on a local device, on a disk or flash drive, or in the cloud, it is protected by the same provisions of HIPAA that apply to all protected health information. With this ubiquity in mind, when most modern healthcare organizations (and other covered entities) talk about PHI, they’re really talking about ePHI.
Who’s subject to HIPAA laws about PHI?
The companies, businesses, and other organizations subject to HIPAA’s requirements are known as covered entities. These covered entities include:
Health insurance companies
Company health plans
HMOs
Government health programs (Medicare/Medicaid)
Doctors
Hospitals
Pharmacies
Clinics
Psychologists
Dentists
Nursing homes
Other healthcare providers
Healthcare clearinghouses
In addition to the entities above, any company that works with a covered entity, even if they are not themselves a covered entity, must comply with various pieces of HIPAA — including the Privacy Rule and Security Rule. This includes, but isn’t limited to:
Companies that collect, store, and destroy medical records
Companies that provide billing services for a covered entity
Companies that process healthcare claims
Companies that administer health plans
Outside professionals such as IT specialists, lawyers, and accountants
Subcontractors hired by these organizations
As a rule of thumb, any company that is or that interacts with a covered entity should assume they are subject to HIPAA.
It’s also important to note that even businesses that are not covered entities under HIPAA still have an incentive to protect sensitive consumer information, regardless of whether they are required to do so by law or not. Failure to do so can result in significant loss of customer trust, which can prove catastrophic to any business built on trust.
PHI and healthcare apps
In recent years, there has been an explosion of applications and digital platforms that in some way intersect the healthcare industry — driven largely by the continued dominance of smartphones as well as the emergence of wearable technology, the internet of things (IoT), and 5G mobile networks.
These healthcare apps and platforms are diverse, including everything from trackers (applications analyzing a user’s sleep, diet, exercise, menstrual cycle, blood sugar, and more), marketplaces (those that connect patients with practitioners), and many other types of digital health companies.
Although these apps often collect data that would be considered PHI in traditional healthcare settings, most are not subject to HIPAA because they do not meet the definition of a “covered entity” under the law. This means that it may be possible for sensitive health information collected by healthcare apps and digital health platforms to be shared with third parties.
That said, the Federal Trade Commission (FTC) has recently begun cracking down on companies deemed to have mishandled sensitive health data. Instances of this include when a company:
Shares sensitive user health data with third parties despite their privacy agreement stating that they won’t do so
Alludes to HIPAA compliance (for example, by displaying the HIPAA seal on their website), but then engages in data sharing that goes against the law’s tenets
Fails to notify a user if their sensitive health data becomes compromised or breached
Healthcare apps and platforms not considered covered entities under HIPAA should still have a plan in place to protect users’ PHI, audit their website and other marketing platforms for any misleading content, and take steps to ensure they are compliant with any other data and privacy-related regulations they may be subject to.
Persona’s suite of identity tools was specifically designed with security in mind to help you safeguard your users’ sensitive data and reduce the risk of a costly breach. Some of the ways we help include empowering you to:
Reverify user identities: Reverifying a user’s identity during account recovery or other high-risk moments — for example, when a user tries to update their profile information or access their sensitive data — helps prevent user accounts from being accessed by unauthorized users. This provides a deeper level of security than what is offered by two-factor authentication.
Educate users during onboarding: Persona’s identity verification solution is entirely customizable. You can write the text your users read during sign-up, giving you the opportunity to provide guidance on exactly how the data you collect will be used. This can help with regulatory compliance while building trust and potentially increasing conversions.
Configure the data you collect: Identity verification shouldn’t be one-size-fits-all. We give you complete control to choose the information you want to collect during onboarding and reverification. This makes it possible to avoid unnecessary data collection, minimizing the risks associated with a security breach.
What identifiers fall under protected health information?
When HIPAA was passed into law, it established a list of 18 identifiers. If a piece of health data contains any of these 18 identifiers, it’s considered protected health information. These identifiers include a person’s:
Name
Address
Birth date, date of admission, discharge date (other than the year)
Phone number
Fax number
Email addresses
Social Security number
Medical record number
Health plan beneficiary number
Account numbers
Certificate or license numbers
Vehicle identifiers, including license plate numbers and serial numbers
Device identifiers and serial numbers
Web URLs
IP addresses
Fingerprints and voiceprints
Photographic images (not limited to the individual’s face)
Any other uniquely identifiable characteristics
It’s important to note that this information is typically only considered PHI when it’s collected or used by a covered entity. If it’s created by a business or organization that isn’t a covered entity (and doesn’t interact in any way with a covered entity), it’s not necessarily protected under HIPAA.
Likewise, information that is de-identified (stripped of all personal identifiers) is no longer considered PHI.
How is protected health information used?
At its core, protected health information is primarily used to identify an individual in a healthcare setting and ensure they are receiving appropriate care.
Before a doctor or nurse begins treating a patient, for example, they will typically ask that patient for their name and birthdate. Then, they’ll cross-check this with the information stored within the patient’s chart or medical record to ensure they are delivering care (whatever it may be) to the correct patient.
Certain PHI also makes it possible for a healthcare provider to track a patient’s care over time. When a patient receives care from a given provider, for example, records of that care will be labeled with a medical record number tied specifically to that individual. Using this number, a provider can pull up a patient’s records as necessary to check on past diagnoses, treatment plans, etc.
When it is anonymized and de-identified, PHI is also often used by researchers trying to glean insights into healthcare trends.
PHI violations and penalties
If a covered entity fails to comply with the requirements of HIPAA and a patient’s PHI is improperly accessed, shared, disclosed, or used, the business may be subject to significant penalties. Penalties can be awarded for both civil and criminal violations, may include fines as well as prison time, and are enforced by the Office for Civil Rights (OCR).
Violations are classified into four tiers, each of which carries different maximum and minimum penalties. These are:
Tier 1 (unknowing): $100 to $50,000 per violation
Tier 2 (reasonable cause): $1,000 to $50,000 per violation
Tier 3 (willful neglect, corrected within required time): $10,000 to $50,000 per violation
Tier 4 (willful neglect, uncorrected within required time): $50,000 or more per violation
According to the OCR, the office has received 351,372 HIPAA complaints and imposed a total of $142,448,722 in civil penalties since the Privacy Rule was adopted in 2003. The largest of these fines was to the tune of $16 million, handed to health insurer Anthem in 2018 due to its handling of a cyberattack that occurred in 2015, which resulted in the theft of more than 78 million PHI records.
OCR data shows the number of complaints received is rising significantly by year. According to the most recent data available, from 2018 to 2021, the number of complaints received each year increased by approximately 31.5% — from 25,912 cases in 2018 to 34,077 cases in 2021.
How to defend against PHI hacks
Covered entities are required to protect and secure PHI against unauthorized access and other types of impermissible use under HIPAA’s Security Rule. This rule specifically requires covered entities to implement physical, administrative, and technical safeguards to protect against any threat considered “reasonably anticipated.”
Physical safeguards are measures taken to secure physical copies of PHI or physical devices that store PHI. Limiting access to facilities (or parts of facilities) containing PHI is one such physical safeguard. Implementing policies for workstation and device security is another.
Administrative safeguards are the administrative processes and policies an organization implements to secure PHI. Employee training and the implementation of identity and access management (IAM) are examples of administrative safeguards.
Technical safeguards are measures taken specifically to secure ePHI. They include implementing policies around access control, audit control, integrity control, and transmission security. In practice, examples of technical safeguards might include the use of encryption, firewalls, and other technologies.
Learn more about best practices for securing health data.
How to verify patient identity safely
If your company is subject to the PHI rules established by HIPAA — as a covered entity, business associate, or third-party organization — it’s crucial to keep these requirements in mind when designing any processes related to data. This includes your organization’s Know Your Patient (KYP) and patient identity verification processes.
Some ways you can remove risks from your patient identity verification process include:
Working with a HIPAA-compliant IDV provider
Asking any vendor you work with to sign a HIPAA Business Associate Agreement (BAA)
Automating as much of your IDV process as possible to reduce the possibility of inappropriate access
Partnering with an IDV solution that will store PII for you
Here at Persona, security and privacy form the bedrock of who we are. Our identity solutions are compliant not only with HIPAA, but also with GDPR, FERPA, CCPA, CPRA, and other state and federal regulations.
We also offer PII storage so you can spend less time worrying about security and more time running your business.
Interested in learning more? See how we helped an online prescription service deploy identity verification to stay compliant with HIPAA and other regulations.s.
Ready to get started? Request a demo today.
Any medical information or record that contains one or more of the 18 identifiers defined by HIPAA is considered protected health information. Some examples include:
Test results (blood, urine, STI, etc.)
Medical scans (X-rays, MRIs, CT scans, ultrasounds, etc.)
Billing information from a healthcare provider
Communications, such as an email scheduling an appointment
Phone records
Importantly, health data that does not include personally identifiable information is not considered PHI. Examples of this might include blood sugar readings that are not recorded with PII, or the number of steps recorded in a pedometer.
Yes. HIPAA is the law that establishes an individual’s privacy and security rights as they relate to medical and health records. As such, HIPAA defines PHI (as well as other categories of health data). PHI is just one small piece of the broader legislation that is HIPAA.
HIPAA specifically notes that certain individually identifiable health information is not considered protected health information. This includes health information that is:
In an education record covered by the Family Educational Rights and Privacy Act (FERPA)
In employment records held by a covered entity, specifically in its role as an employer
Related to a person who has been dead for at least 50 years.
Additionally, as noted above, PHI that has been de-identified or anonymized is no longer considered PHI.
During patient intake or onboarding, a patient’s identity is typically verified through the collection of the patient’s government-issued ID, health insurance cards, and other information.
Once the patient’s identity has been verified, it can be authenticated in the future in any of a variety of ways. This might include re-checking the individual’s ID and insurance information; asking the patient to provide information (like their name and birthdate) prior to receiving care; or, in a digital setting, asking the patient to take and submit a selfie, which will be compared against a photo on record.
Medical information that is not considered PHI under HIPAA includes information that is:
Collected, stored, or maintained by a business or organization that is not a covered entity under the law
In an education record covered by the Family Educational Rights and Privacy Act (FERPA)
In employment records held by a covered entity, specifically in its role as an employer
Related to a person who has been deceased for at least 50 years
Additionally, as noted above, PHI that has been de-identified or anonymized is no longer considered PHI.