Protected Health Information

Protected Health Information (PHI or e-PHI) is Protected Data, and is defined by HIPAA as:[1]
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."[12]

“Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual,
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.[13] Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

The Privacy Rule excludes from Protected Health Information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.

Protected Health Information is, in general, PII as it relates to medical information.

Specific Identifiers

Under the US Health Insurance Portability and Accountability Act (HIPAA), Protected Health Information that contains any of the following 18 identifiers must be treated with special care:
  1. Names - First Name, Last Name
  2. All geographic identifiers smaller than a state. The only exception is the initial three digits of a zip code, and only when, according to the current publicly available data from the Bureau of the Census, the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; for all such geographic units containing 20,000 or fewer people, the initial three digits are changed to 000
  3. Dates (other than year) directly related to an individual
  4. Phone Numbers
  5. Fax numbers
  6. Email Address
  7. Social Security Numbers
  8. Medical ID Card or record numbers
  9. Health insurance beneficiary numbers
  10. Account Numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and Serial Number, including License Plate Number;
  13. Device identifiers and Serial Numbers;
  14. Web Uniform Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric data identifiers, including Fingerprint recognition, Retinal recognition and voice prints
  17. Full face Photography images and any comparable images
  18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
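As an added example that is not part of the original page, the following Python code applies two of the Safe Harbor rules above to a patient-level record: the three-digit zip code rule (item 2) and the year-only date rule (item 3). The prefix population table is constructed sample data, not Bureau of the Census figures.

```python
"""Safe Harbor generalisation of zip codes and dates (added example).

PREFIX_POPULATION below is CONSTRUCTED sample data, not real Census
figures; a real implementation would load the current Census population
for every three-digit zip prefix before using this logic.
"""
import re
from datetime import date

# Constructed: population of the area formed by all zip codes sharing a prefix.
PREFIX_POPULATION = {
    "021": 650_000,   # more than 20,000 people: prefix may be retained
    "036": 15_000,    # 20,000 or fewer: must become "000"
    "102": 9_000,
}

# Accepts 5-digit and ZIP+4 forms; only the first three digits ever survive.
ZIP_RE = re.compile(r"^(\d{3})(\d{2})(?:-\d{4})?$")


def generalize_zip(zip_code: str) -> str:
    """Return the 3-digit prefix if its area exceeds 20,000 people, else '000'.

    A prefix missing from the table is treated as small: the rule requires
    positive knowledge that the area is large enough to keep the prefix.
    """
    m = ZIP_RE.match(zip_code.strip())
    if not m:
        raise ValueError(f"not a 5- or 9-digit zip code: {zip_code!r}")
    prefix = m.group(1)
    return prefix if PREFIX_POPULATION.get(prefix, 0) > 20_000 else "000"


def generalize_date(iso_date: str) -> str:
    """Keep only the year of a date directly related to an individual."""
    return str(date.fromisoformat(iso_date).year)


def safe_harbor_record(record: dict) -> dict:
    """Apply both rules to one record.

    Only the fields handled here are emitted; every other identifier on the
    18-item list would have to be removed as well before release.
    """
    return {
        "zip3": generalize_zip(record["zip"]),
        "admit_year": generalize_date(record["admitted"]),
        "diagnosis": record["diagnosis"],   # clinical content is retained
    }
```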

De-Identified Health Information

Researchers who share a dataset publicly must first remove Protected Health Information from it; they do so to preserve the privacy of research participants. De-identified information is defined as:[1]
There are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual. There are two ways to de-identify information; either: (1) a formal determination by a qualified statistician; or (2) the removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers is required, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.

Permitted Uses and Disclosures[1]

A HIPAA Covered Entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:
  1. To the Individual (unless required for access or accounting of disclosures);
  2. Treatment, Payment, and Health Care Operations;
  3. Opportunity to Agree or Object;
  4. Incident to an otherwise permitted use and disclosure;
  5. Public Interest and Benefit Activities;
  6. Limited Data Set for the purposes of research, public health or health care operations. Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.
Read the official documentation for details.

A lot of Protected Health Information is also considered Personally Identifiable Information by most parties.
