PHI stands for protected health information. This is any information in a medical record that can be used to identify an individual. PHI even includes conversations between doctors and nurses about treatment. Billing information and an individual's identifiable information in health agency records also count as PHI. HIPAA-covered entities are mostly healthcare providers, health plans, healthcare clearinghouses and their business associates or third-party service providers who have access to protected health information. Under the HIPAA Privacy Rule, these organizations are responsible for protecting, securing and safeguarding PHI.
According to the Department of Health & Human Services' Office for Civil Rights, PHI is defined as any data that could be used to identify a specific individual, their past, present or future healthcare, or the method of payment. The HIPAA Privacy Rule requires covered entities to safeguard and protect a patient's personal health information, and it also gives an individual the right to access this information.
According to guidance from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), there are 18 unique identifiers that qualify as HIPAA protected health information (PHI) identifiers. These identifiers are listed below:
- Geographic data
- All elements of dates
- Telephone numbers
- FAX numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers including license plates
- Device identifiers and serial numbers
- Web URLs
- Internet protocol addresses
- Biometric identifiers (e.g. retinal scans, fingerprints)
- Full face photos and comparable images
- Any unique identifying number, characteristic or code
These eighteen unique identifiers are the core set of elements that, individually or in combination, can be used to uniquely identify an individual. The list above is used as a guideline to ensure privacy.
What is ePHI?
ePHI is electronic protected health information: any PHI that is created, received, saved, or shared electronically by HIPAA-covered groups. ePHI is also covered under the HIPAA Privacy Rule, and the covered entity should protect this electronic data just like other PHI. Electronic protected health information includes PHI on desktop, web, mobile, wearable and other technology such as email, text messages, etc.