What is PHI… Really?

Understanding Protected Health Information

Anyone who is treated in a medical facility or doctor’s office must sign HIPAA and privacy paperwork. Part of that paperwork acknowledges that you have received and understand the provider’s policy regarding PHI. Many patients sign forms without asking questions. Understanding what PHI is can help you protect your identity and confidential information.

What Is PHI?

PHI is an abbreviation for “protected health information.” Any element of data that could be traced back to an individual person is considered PHI. Data elements that are considered PHI include:

  • Names

  • Phone numbers

  • Social security numbers

  • Email addresses

  • Physical addresses

  • Account numbers

  • Health insurance identification or group numbers

  • Dates related to an individual, such as birth date, admission date, or date of death

  • Full-face photographs

  • Biometric identifiers such as fingerprints

  • License plate numbers or other vehicle identifiers

  • Driver’s licenses or certification numbers

Who Must Protect Your Information?

The Health Insurance Portability and Accountability Act — or HIPAA — requires that healthcare providers and covered entities protect PHI for all patients. Providers cannot release your records without your consent, and communication between providers and covered entities such as insurance companies must meet certain standards (including shredding confidential information when it’s no longer needed).

Electronic claims processes must be encrypted, for example. Any business partner that acts on behalf of the provider or a covered entity to provide medical services, bill claims, receive payment, or provide any other necessary service must sign agreements stating they will comply with HIPAA requirements for protecting your information. Understanding a provider’s policy regarding the release of your information to other entities ensures you’re aware of who might have access to sensitive medical records and personal data.

Use of Redacted Information

In some cases, information in your medical records may be used for research, statistics, or reporting purposes. In such cases, HIPAA requires that all personal identifying information be redacted from the records prior to the release of information. This means that a researcher might see that a 34-year-old woman had gallbladder surgery, but they would not be able to see a name or any other specific information about the patient.
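The redaction step described above can be sketched in code. This is an added example, not part of the original article: it drops the identifier categories listed earlier, keeps age at admission in place of the dates, and masks identifiers that leak into free-text notes. The field names, the US-style text patterns and the sample record are all assumptions made for illustration.

```python
import re
from datetime import date

# Assumed field names, mapped to the identifier categories listed on this page.
IDENTIFIER_FIELDS = {
    "name", "phone", "ssn", "email", "address", "account_number", "insurance_id",
    "photo", "fingerprint", "license_plate", "drivers_license",
    "birth_date", "admission_date", "death_date",
}
# Identifiers that leak into free-text notes (US-style formats, an assumption).
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    (re.compile(r"(?:\(\d{3}\)\s*|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
]

def age_on(birth: date, when: date) -> int:
    """Whole years between birth and when."""
    return when.year - birth.year - ((when.month, when.day) < (birth.month, birth.day))

def scrub_text(text: str, name: str) -> str:
    """Mask pattern-shaped identifiers, then the patient's own name parts."""
    for pattern, label in TEXT_PATTERNS:
        text = pattern.sub(label, text)
    for part in name.split():
        text = re.sub(rf"\b{re.escape(part)}\b", "[NAME]", text, flags=re.IGNORECASE)
    return text

def redact_record(record: dict) -> dict:
    """Return a copy that keeps clinical facts but no listed identifiers."""
    out = {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}
    if "birth_date" in record and "admission_date" in record:
        # Keep age at admission instead of the dates themselves.
        out["age"] = age_on(record["birth_date"], record["admission_date"])
    if "notes" in out:
        out["notes"] = scrub_text(out["notes"], record.get("name", ""))
    return out

# Constructed sample record; every value is made up.
SAMPLE = {
    "name": "Jane Doe", "phone": "555-010-4477", "ssn": "123-45-6789",
    "email": "jane.doe@example.com", "birth_date": date(1990, 2, 14),
    "admission_date": date(2024, 3, 11), "sex": "F",
    "procedure": "gallbladder surgery",
    "notes": "Jane called from (555) 010-4477 on 2024-03-09; send results to jane.doe@example.com.",
}

if __name__ == "__main__":
    print(redact_record(SAMPLE))
```

Pattern matching on free text is best-effort: identifiers in formats the patterns do not anticipate, or names of other people, pass through and need review before release.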

So, what is PHI? PHI is critical information to be safeguarded. How do you protect it?