Lately, there’s been a lot of buzz about Protected Health Information (PHI), especially with concerns arising over what’s permissible to disclose. (Think vaccine status, anyone?) Let’s delve into precisely what constitutes protected health information and what doesn’t. Additionally, as technology progresses and electronic medical records become prevalent, a new category called electronic PHI (ePHI) has emerged, warranting exploration.

PHI: Under HIPAA regulations, PHI encompasses “any identifiable health information utilized, maintained, stored, or transmitted by a HIPAA-covered entity.” These entities typically include healthcare providers, insurance providers, or associates of HIPAA-covered entities, such as subcontracted services like medical coding companies.

As a result, any data linked to your health—whether it’s test results, medical history, or personal identifiers like your name or social security number—is classified as PHI. The inclusion of one or more of these identifiers renders the information PHI, necessitating adherence to HIPAA Privacy Rules for its security.

There are 18 specific categories of patient identifiers:

  • Names
  • Dates (excluding the year)
  • Telephone numbers
  • Geographic data
  • Fax numbers
  • Social Security numbers
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Vehicle identifiers
  • Web URLs
  • Device identifiers and serial numbers
  • Internet protocol addresses
  • Full-face photos and comparable images
  • Biometric identifiers (e.g., fingerprints, retinal scans)
  • Any unique identifying number or code

ePHI: ePHI functions similarly to PHI but encompasses information created, stored, or transmitted electronically. This includes systems operating with cloud databases or transmitting patient information via email. To ensure protection, specialized security measures such as encryption and secure backup are imperative. Several high-profile breaches of ePHI in recent years have resulted in substantial financial penalties ranging from six to seven figures.

Exceptions: Certain types of information do not fall under HIPAA rules as PHI or ePHI, and it’s crucial to recognize these exceptions. Sometimes, any medical-related information is erroneously grouped under PHI when it shouldn’t be. To ascertain whether information qualifies as PHI, consider the following guidelines:

  • Who recorded the information? If self-recorded, such as on a smartwatch or app, it typically isn’t covered by HIPAA unless linked to a healthcare provider or insurance plan.
  • Is the information part of your education or employment records? Since entities of this nature aren’t subject to HIPAA, information stored in these records—such as employer-kept allergy or vaccination records—isn’t considered PHI.
  • Does it contain identifiers? If information is devoid of identifiers, as is often the case in population health or research data, it ceases to be classified as PHI.

The healthcare landscape relies heavily on information—comprising records, histories, forms, demographics, and reports. Managing HIPAA-compliant electronic forms can be a daunting task without the right partner. With virtual and telehealth communications becoming increasingly common, the electronic handling of sensitive ePHI is more vital than ever. Tectonic works with our health and life sciences customers to ensure that such data is safeguarded, user-friendly, and consistently secure.
