PHI stands for Public Health Information
NOTE: If you have a project or data storage / transfer need that involves protected data, or if you are not sure if you do, Start a Conversation with us so we can ensure you have the best resources and environment possible for your work.
PHI is any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed to a covered entity and/or their business associate(s) in the course of providing a health care service, such as a diagnosis or treatment.
Protected Health Information (PHI) is the combination of health information and personally identifiable information (PII). Health information encompasses information that is created or received by a covered entity via any medium—verbal, written, electronically or otherwise. This information includes the physical or mental health condition of an individual at any point in time. PII falls under the umbrella of health information since it has the potential to reveal an individual's personal identity, which could then be linked back to the health information created or received by a covered entity.
Examples Of PHI
Let’s look at some concrete examples of information that is considered PHI. If your business handles any of the information below in the service to, or on behalf of, a covered entity, then HIPAA compliance is not optional.
- Patient names
- Addresses — In particular, anything more specific than state, including street address, city, county, precinct, and in most cases zip code, and their equivalent geocodes.
- Dates — Including birth, discharge, admittance, and death dates.
- Telephone and fax numbers
- Email addresses
- Social Security numbers
- Driver’s License information
- Medical record numbers
- Account numbers
- Health plan beneficiary numbers
- Certification/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Names of relatives
- Internet Protocol (IP) address numbers
- Biometric identifiers — including finger and voice prints.
- Full face photographic images and any comparable images.
Practically speaking, PHI can show up in a number of different documents, forms and communications, such as:
- Billing information from your doctor
- Email to your doctor's office about a medication or prescription you need
- Appointment scheduling note with your doctor's office
- An MRI scan
- Blood test results
- Phone records
Examples Of Data Not Considered To Be PHI
But not all personally identifiable information is PHI. For example, employment records of a Covered Entity and Family Educational Rights and Privacy Act (FERPA) records do not fall into the category of PHI because, despite the fact that they might contain personally identifiable information, it is not linked to health records that could compromise individual security.
In addition, some health information isn’t considered PHI because it isn’t personally identifiable or shared with a covered entity.
Examples of non-PHI data: - Number of steps in a pedometer - Number of calories burned - Blood sugar readings without personally identifiable user information (PII) (such as an account or user name) - Heart rate readings without PII
The test for PHI is pretty simple: if your device or application stores, records or transmits the user’s personally-identifiable health data to a covered entity then you are dealing with protected health information and need to be HIPAA compliant.
If you are building a wearable device or application that collects health information, but does not plan on sharing it with a covered entity at any point in time then you do not need to be HIPAA compliant. For example, the Nike Fuel Band does not track data considered protected health information because you can't transmit that data from the device to a covered entity.
No Safe Harbor For Accidental PHI
Penalties for HIPAA noncompliance are anything but lenient. Depending on the level of negligence, these fines can range from $100 to $50,000 for a single accidental violation, with a single violation due to willful neglect resulting in an automatic $50,000 fine. The fines and charges are broken down by type: “Reasonable Cause” and “Willful Neglect”.
Reasonable Cause fines can be anywhere from $100 to $50,000 per incident and does not involve any jail time. Willful Neglect ranges from $10,000 to $50,000 for each incident and can result in criminal charges.
The maximum penalty for violations of an identical provision is $1.5 million per year. 2014 saw millions of patient records compromised due to breaches and millions of dollars in fines levied to the organizations who were responsible for protecting the data.
Unlike the Digital Millennium Copyright Act (DMCA), HIPAA does not include safe harbor for accidental storage or disclosure of PHI. The DMCA makes it easy for sites like YouTube to avoid being fined for hosting copyright material as long as those sites have a clear process for accepting and acting on content takedown requests. HIPAA has no similar rule. Therefore if your system houses PHI, even without your knowledge or consent, you are still liable under HIPAA.