We all know what “protected health information” (PHI) is, right? You know that HIPAA requires you to keep this information private and secure. However, it’s easy to assume we know what PHI means and still be gravely mistaken.

Some of us tend to think everything is PHI. Others think that only information related to a diagnosis is PHI. But you can’t rely on guesswork and you can’t afford to be mistaken. HIPAA doesn’t extend leniency for simply “not knowing” what counts as PHI, and there are serious consequences for violating HIPAA.

So, let’s challenge our assumptions about PHI and go back to the basics. This blog will review the ABCs of HIPAA protected health information.

Read to the end to access a downloadable PHI decision tree.

Venn diagram with overview of individually identifiable health information and protected health information.

This is a birds-eye view of IIHI and PHI. Read on for more detail, examples of PHI and non-PHI, and a PHI decision tree.

What is Individually Identifiable Health Information?

Individually identifiable health information (IIHI) goes beyond medical information about a person to include their demographics. IIHI meets these conditions:

  1. Is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse.
  2. Relates to the past, present, or future physical/mental health or condition of a person; the provision of health care to a person; or the past, present or future payment for the provision of health care to a person.
  3. Identifies an individual or can be used to identify an individual.

In short, for medical information to be IIHI, it has to identify the individual to whom it belongs.

What is Protected Health Information Under HIPAA?

According to the HIPAA Privacy Rule, protected health information is individually identifiable health information that is:

  1. Transmitted by electronic media (e.g. sent through email),
  2. Maintained in electronic media (e.g. stored on a server), or
  3. Transmitted or maintained in any other form or medium (which includes paper documents stored in physical locations).

All PHI is IIHI, but not all IIHI is PHI. This is because HIPAA does not protect all individually identifiable health information. The IIHI has to be transmitted or maintained in some form to be protected (PHI).

But what makes information identifiable?

Graphic of doctors and patients surrounded by health information

HIPAA Protected Health Information Identifiers

There are 18 identifiers that make medical information identifiable:

  1. Names (full name or last name and initial)
  2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
    • The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and
    • The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death. This includes all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security Numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers, such as serial numbers and license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger, retinal, and voice prints
  17. Full face photos and any comparable images
  18. Any other unique identifying number, characteristic, or code

When these identifiers can be used in combination with other health information to identify an individual, HIPAA considers it PHI. Consequently, if these identifiers are not present, the information is not identifiable. If you remove all identifiers, you have de-identified the information, and it is no longer PHI.
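As an added example (not code from HIPAAtrek or this post), the Safe Harbor rules listed above applied in Python to a constructed patient record: direct identifiers are dropped, ZIP codes are cut to three digits (or 000 for low-population prefixes), dates keep only the year, and ages over 89 are aggregated into 90+. The restricted ZIP prefix set, field names and sample record are placeholders, not Census data.

```python
import re
from datetime import date

# Identifier fields Safe Harbor strips outright (a subset of the 18 above).
DIRECT_IDENTIFIERS = {"name", "phone", "fax", "email", "ssn", "mrn",
                      "account", "license_plate", "url", "ip", "photo"}

# Constructed placeholder: three-digit ZIP prefixes whose area holds 20,000 or
# fewer people per current Census data. A real pipeline loads the actual list.
RESTRICTED_ZIP3 = {"123"}

def generalize_zip(zip_code, restricted=RESTRICTED_ZIP3):
    """Keep only the first three digits, or 000 for a low-population prefix."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    return "000" if prefix in restricted else prefix

def age_on(birth, ref):
    """Whole years of age on the reference date."""
    return ref.year - birth.year - ((ref.month, ref.day) < (birth.month, birth.day))

def generalize_birth(birth, ref):
    """Return (year or None, age bucket); the year is suppressed over age 89."""
    age = age_on(birth, ref)
    return (None, "90+") if age > 89 else (birth.year, str(age))

def safe_harbor(record, ref, restricted=RESTRICTED_ZIP3):
    """De-identify one record under the Safe Harbor method."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                       # removed entirely
        if key == "zip":
            out[key] = generalize_zip(value, restricted)
        elif key == "birth_date":
            year, out["age"] = generalize_birth(value, ref)
            if year is not None:
                out["birth_year"] = year
        elif isinstance(value, date):
            out[key] = value.year          # other dates keep only the year
        else:
            out[key] = value               # clinical content stays
    # Identifier 18 (any other unique code) is not caught by field names alone,
    # so free-text fields still need review before the output counts as de-identified.
    return out

# Constructed sample record (not real patient data).
SAMPLE = {"name": "Jane Doe", "phone": "555-0100", "mrn": "MRN-0001",
          "zip": "12345", "birth_date": date(1930, 6, 1),
          "admission_date": date(2023, 3, 14), "diagnosis": "hypertension"}
```

Calling `safe_harbor(SAMPLE, date(2024, 1, 1))` keeps only the diagnosis, the admission year, ZIP 000 and age bucket 90+.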



Examples of PHI and Non-PHI

In each of the following scenarios, both medical information and at least one identifying piece of information are present, making the medical information PHI:

  • You work at the dentist’s office. You open an email attachment that lists the patients scheduled for next week. You see their first and last names, phone numbers, appointment dates, and expected procedures. This email attachment is PHI because it contains three identifiers (names, appointment dates, phone numbers) and medical information (expected procedures).
  • As a patient, you walk into a clinic and see reports lying on the reception desk. You can see patients’ lab test results with their names and dates of birth. These reports are PHI because there is identifying information (names and DOBs) alongside the medical information (lab results). The clinic has also violated HIPAA by leaving PHI in plain view!

The following is not IIHI or PHI because no identifiers are attached to medical information or vice versa, making it impossible to identify the person:

  • You walk out of a hospital and find a piece of paper on the ground with a person’s name and admission date on it. These are two identifiers. However, the paper isn’t PHI because it doesn’t list the name of a hospital and may not represent a person’s medical treatment. The paper could’ve come from anyone, and the “admission date” could refer to many things besides hospital admission.
  • In the radiology department, you come across an X-ray of a hand. However, no information is attached to the image, making it impossible to know to whom it belongs. Therefore, the X-ray is not PHI; it is simply medical information.

We created a decision tree to help guide you through the process of determining whether a piece of information is protected by HIPAA. Download the decision tree below.


The HIPAAtrek platform helps practices and small hospitals create a fully customizable HIPAA management program. Learn how HIPAAtrek can help you navigate the complex world of HIPAA compliance. Contact us today.
