
What is considered protected health information (PHI)?

Written by: Elizabeth Walker
Published on August 22, 2022.

A study[1] by researchers from Michigan State University and Johns Hopkins University found that the leading cause of personal health information leaking isn't hackers. It's poor security practices and negligence by the people who are authorized to handle the information in the first place.

This startling finding emphasizes the importance of keeping protected health information (PHI) under strict lock and key, not just for healthcare providers but for employers, too. This is especially true if you have a hand in your employees' healthcare benefit, for example if you reimburse your employees' medical expenses through a health reimbursement arrangement (HRA) and therefore receive receipts, explanations of benefits, or other medical documentation.

But how do you know which of your employees’ health information needs protecting, and how do you keep it safe? This article will explain what PHI is and what you can do to stay compliant.


What is protected health information (PHI)?

Protected health information (PHI) is individually identifiable health information: demographic details, medical histories, laboratory results, physical records, mental health conditions, insurance and payment information, and any other data about an individual's past, present, or future health, the care they receive, or payment for that care, when it is created, received, or held by a healthcare provider, health plan, or their business associates.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides federal protections for PHI. It outlines regulations for keeping individuals’ PHI safe and undisclosed to those who aren’t authorized to view it.

Health information is protected by the HIPAA Privacy Rule[2], and is called "protected health information" or PHI, when two things are true: it is "individually identifiable," and it is created, received, maintained, or transmitted by a HIPAA-covered entity or one of its business associates.

Health information held by a covered entity is "individually identifiable," and therefore PHI, if it includes any of the 18 identifiers that HIPAA lists. Data only stops being PHI under the Safe Harbor de-identification method once every one of them has been removed:

  • Patient names
  • Geographic subdivisions smaller than a state (street address, city, county, and most ZIP code digits)
  • Dates directly related to an individual, such as birth dates and healthcare service dates (aside from the year)
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plates
  • Device identifiers and serial numbers
  • Web URLs
  • Internet Protocol (IP) addresses
  • Biometric identifiers (e.g., retinal scans, fingerprints, voiceprints)
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic, or code

It's important to note that PHI covers information about an individual's past, present, and future health status, the care they received, and payment for that care, and that it applies to every covered entity that handles it. It also applies regardless of the form the information takes: paper charts, spoken conversations, and electronic records are all covered.

For example, when PHI is transmitted, received, or stored electronically, such as in an email, a digital file, a database, or on a laptop, it's called electronic PHI (ePHI). All of the HIPAA Privacy Rule's requirements still apply no matter what medium the information is on, and ePHI is additionally governed by the HIPAA Security Rule, which requires administrative, physical, and technical safeguards (access controls, audit logging, integrity controls, and transmission security) for systems that store or move it.

What isn’t considered protected health information?

Many people think that all health histories and related information are considered PHI under HIPAA, but some exceptions exist.

Whether data counts as PHI depends on who holds it, not on how sensitive it is. For example, mobile health trackers, whether wearable devices or mobile apps, routinely record health information alongside common identifiers, such as a user's heart rate or blood pressure tied to their name and email address.

However, this data is only PHI under HIPAA if it was created or received by a healthcare provider, or is held or used by a health plan, or by a business associate acting for one of them. If the device manufacturer or health app developer has no business associate agreement with a HIPAA-covered entity, the information it records isn't PHI under HIPAA, even though it may be just as sensitive and may be covered by other privacy laws.

Data also isn't considered PHI if it has been de-identified, meaning stripped of the identifiers that could tie it back to an individual. HIPAA recognizes two ways to do this: the Safe Harbor method, which removes all 18 identifiers listed above (keeping only the year of any date, reducing ZIP codes to their first three digits, and aggregating ages over 89 into a single "90 or older" category), and the Expert Determination method, in which a qualified expert documents that the risk of re-identification is very small. Once health information is de-identified by either method, the HIPAA Rules no longer apply to it.
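The following Python example applies the Safe Harbor method to a flat patient record and then scans what remains for identifiers that survived in free text. It is an added example for this article, not PeopleKeep code or an HHS tool; the field names, the sample record, and the set of sparsely populated ZIP prefixes are constructed for illustration and should be replaced with your own schema and the current HHS list. It goes a little beyond the article's list by also implementing the three-digit ZIP and age-90 aggregation rules that Safe Harbor specifies.

```python
"""Safe Harbor de-identification of a structured health record (added example).

Implements the HIPAA Safe Harbor method (45 CFR 164.514(b)(2)): drop the 18
identifier categories, keep only the year of dates, truncate ZIP codes to three
digits (000 for sparsely populated prefixes), and aggregate ages over 89.
Field names and sample data below are constructed for illustration.
"""
import re
from datetime import date

# Constructed field names assumed to hold one of the 18 identifier categories.
# A real system maps its own schema onto these buckets.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "account_number",
    "health_plan_id", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "photo", "biometric", "street_address", "city",
}

# ZIP3 prefixes covering 20,000 people or fewer must be reported as 000.
# This is an illustrative subset (assumption); use the current HHS list.
SPARSE_ZIP3 = {"036", "059", "102", "203", "556", "692", "821", "878"}

DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")

# Patterns for identifiers that often survive inside free-text fields.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def generalize_zip(zip_code):
    """Keep the first three ZIP digits unless the prefix is sparsely populated."""
    zip3 = re.sub(r"\D", "", str(zip_code))[:3]
    return "000" if zip3 in SPARSE_ZIP3 else zip3


def generalize_date(value):
    """Reduce an ISO date string to its year; Safe Harbor permits only the year."""
    m = DATE_RE.match(value)
    return m.group(1) if m else None


def age_on(birth_date, today):
    """Age in whole years on `today` for an ISO birth date, or None if unparsable."""
    m = DATE_RE.match(birth_date)
    if not m:
        return None
    y, mo, d = (int(g) for g in m.groups())
    return today.year - y - ((today.month, today.day) < (mo, d))


def deidentify(record, today=None):
    """Return a Safe Harbor de-identified copy of a flat record dict."""
    today = today or date.today()
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS or value in (None, ""):
            continue  # direct identifiers are removed outright
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field.endswith("_date"):
            year = generalize_date(value)
            if year:
                out[field.replace("_date", "_year")] = year
        else:
            out[field] = value
    # Ages over 89 collapse to a single category, and the birth year is dropped
    # too because it would reveal that age.
    birth = record.get("birth_date")
    age = age_on(birth, today) if birth else None
    if age is not None:
        if age >= 90:
            out.pop("birth_year", None)
            out["age"] = "90+"
        else:
            out["age"] = age
    return out


def residual_identifiers(record):
    """List (field, kind) pairs for string values that still look like identifiers."""
    hits = []
    for field, value in record.items():
        if isinstance(value, str):
            hits.extend((field, kind) for kind, pat in RESIDUAL_PATTERNS.items()
                        if pat.search(value))
    return hits


SAMPLE = {  # constructed record, not real patient data
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "birth_date": "1931-05-14",
    "admit_date": "2022-03-09",
    "zip": "03601",
    "diagnosis": "J45.20",
    "notes": "Follow-up call to 555-867-5309 scheduled 2022-03-16",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE, today=date(2022, 8, 22))
    print(cleaned)
    print("still identifying:", residual_identifiers(cleaned))
```

Running it on the sample record drops the name, SSN and email, keeps only the admission year, reports the ZIP as 000 because 036 is a sparse prefix, replaces the 1931 birth date with the category "90+", and then flags the `notes` field because a phone number and a full date are still embedded in the free text. That last step is the point a practitioner should take away: field-level stripping is not enough, and unstructured text has to be reviewed or excluded before a dataset can be treated as de-identified.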

How is protected health information used?

Most commonly, PHI is used to track medical information during a patient's life, so physicians have the background they need to understand a person's medical condition and administer proper patient care.

Clinicians and research scientists also use PHI to study healthcare trends. Anonymized PHI is also used to create value-based care programs that reward providers for providing quality healthcare services.

HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 govern how healthcare providers, health plans, and the business associates they work with may use and disclose PHI. The Privacy Rule's "minimum necessary" standard limits uses and disclosures to what the task requires, and HITECH extended HIPAA's requirements directly to business associates, added breach notification obligations, and increased the penalties for violations.

Who is subject to HIPAA’s rules about protected health information?

The HIPAA Privacy Rule applies to every HIPAA-covered entity: healthcare providers, health plans (including insurers), and healthcare clearinghouses. Employers are not covered entities as such, but an employer-sponsored group health plan, which includes an HRA, is a health plan and therefore a covered entity. That means the rules reach an employer whenever it administers such a benefit and handles the plan's PHI, for example when reviewing reimbursement claims.

HIPAA defines and limits the circumstances in which an individual's PHI may be used or disclosed by covered entities. Under the Privacy Rule, an employer administering a plan can't use or disclose PHI except as the Privacy Rule permits or requires, or as the individual who is the subject of the information (or the individual's representative) authorizes in writing. In particular, PHI obtained through the plan may not be used for employment decisions.

What happens if protected health information gets leaked?

There are many ways for PHI to end up in the wrong hands. A leak can happen if laptops, phones, or drives storing PHI are lost or stolen. Hackers and cybercriminals target PHI because it bundles identity, financial, and medical details that can't simply be reset the way a password can. A leak could also occur if someone at your organization accidentally disclosed an employee's PHI to a person or entity without proper authorization. Even something as simple as forgetting to shred documents can constitute a breach.

If any of the above happens, your organization can face hefty consequences. Civil penalties for HIPAA noncompliance are tiered by the level of negligence, from violations the organization could not reasonably have known about up to willful neglect that goes uncorrected, so fines range from $100 to $50,000 per violation (the statutory amounts, which are adjusted for inflation each year), subject to an annual cap for violations of the same provision.

Knowingly obtaining or disclosing PHI in violation of HIPAA is also a criminal offense, and the most serious cases, such as selling PHI or using it for personal gain or malicious harm, can result in prison time for the individuals responsible.

How do I keep my employees’ protected health information safe?

Even though your organization may not be a healthcare operation, you need to take PHI seriously as an employer. If you’re offering a health benefit like an HRA, it’s your responsibility to keep any of your employees’ PHI safe so that it’s not shared or viewed by those who aren’t authorized to see it.

Here are just a few ways to keep your employees’ PHI secure:

  • Adopt written PHI privacy and security procedures, and document who is allowed to see PHI and why
  • Implement administrative safeguards by designating a privacy officer and limiting PHI access to the minimum necessary for each role
  • Train every employee who touches PHI on the Privacy Rule's requirements, and repeat the training regularly
  • Apply technical safeguards: encrypt laptops, phones, and storage that hold PHI, require strong authentication, and log access so misuse can be detected. Encrypting devices matters doubly, because PHI encrypted to HHS's standards is treated as "secured," so the loss of an encrypted laptop generally isn't a reportable breach while the loss of an unencrypted one is.
  • Enforce policies so that PHI is never used for employment or benefits decisions, marketing, or fundraising

What if I offer a health stipend?

Another option you have is offering a health stipend. With a health stipend, you provide your employees with a fixed amount of money to purchase health insurance and other medical items and services. Your monthly contributions are typically added to your employees' paychecks as wages, and because the money is considered extra income, it's taxable at the end of the year.

With a health stipend, your employees don't submit documentation of what they spent their stipend on to you. You simply provide the stipend and they're free to spend the funds as they choose. Because you never collect receipts, claims, or other medical documentation, you never hold your employees' PHI in the first place, which removes that exposure entirely (the stipend is ordinary payroll data, which still needs the same protection as any other employee record).

Conclusion

Staying on top of privacy rules and compliance regulations within the healthcare industry can seem daunting, but you don’t have to go it alone. PeopleKeep’s benefits automation software and award-winning customer support team help thousands of organizations nationwide administer their HRAs compliantly with both state and federal regulations every day.

This article was originally published on September 23, 2021. It was last updated on August 22, 2022.

[1] https://www.hcinnovationgroup.com/cybersecurity/news/13030905/study-internal-negligence-not-hackers-responsible-for-half-of-data-breaches

[2] https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
