What is considered protected health information (PHI)?

According to the National Library of Medicine, the leading cause of personal health information leaks isn’t hackers—it’s poor security and negligence from individuals authorized to have it. In fact, unintentional insider threats account for more than twice of those caused by malicious intent, like cyberattacks¹.

This startling finding emphasizes the importance of keeping protected health information (PHI) under strict lock and key—not just for healthcare providers but also for employers. This is especially true if you manage your employees’ health benefits and are responsible for tasks like reimbursing their medical expenses through a health reimbursement arrangement (HRA).

But how do you know which employee health information needs protection, and how do you keep it safe? This article will explain what PHI is and how to stay compliant.

Takeaways from this blog post:

• Protected health information (PHI) is personally identifiable sensitive health data. The federal HIPAA Privacy Rule regulates PHI to ensure confidentiality and security.
• PHI can be in various forms, such as electronic health records, account numbers, and biometric identifiers. Covered entities must protect it to prevent unauthorized access.
• Employers and medical professionals can keep employees' PHI safe by implementing written privacy procedures, administrative safeguards, employee training, and encryption of electronic health records to prevent misuse of PHI.

What is protected health information (PHI)?

Protected health information (PHI) is the demographic information, medical histories, laboratory results, physical and electronic health records, mental health records, insurance information, and other data that a medical professional collects to identify an individual and determine appropriate care.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides federal protections for PHI. It outlines regulations for keeping individuals’ PHI safe and undisclosed to those not authorized to view it.

The HIPAA Privacy Rule protects “personally identifiable health information,” which the law considers PHI².

If health data includes any of the following identifiable information, it’s considered PHI:

• Names
• Birth dates and healthcare service dates (aside from the year)
• Telephone numbers
• Geographic data other than the state they live in, such as the street address, city, county, or ZIP code
• FAX numbers
• Social Security numbers
• Email addresses
• Medical record numbers
• Account numbers
• Health plan beneficiary numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plates
• Web URLs and IP addresses
• Device identifiers and serial numbers
• Internet protocol addresses
• Full-face photos and comparable photographic images
• Biometric identifiers (i.e., retinal scan, fingerprints)
• Any unique identifying number or code

• Adopt written PHI patient health privacy procedures
• Implement physical safeguards by designating a privacy officer
• Offer privacy rule requirements training to all your employees
• Encrypt and password-protect any electronic health records and hard drives as technical safeguards to prevent a breach
• Implement best practices so that you never use PHI when making employment or health benefits decisions, marketing, or fundraising

Some employers offer a health stipend instead of a formal health benefit. With a health stipend, you give your employees a fixed amount of money to purchase insurance and other healthcare products and industry services. You typically add this stipend to your employees’ paychecks as wages. Because the IRS considers the money extra income, it’s taxable at the end of the year.

With a health stipend, you can’t require your employees to submit documentation of what they used their stipend on, including premium payments they make to health insurance companies or other out-of-pocket medical expenses. You simply provide the stipend, and they can spend the funds on whatever they choose. Therefore, your employees’ PHI will be safe from prying eyes if you offer this type of health benefit.

However, stipends—unlike HRAs—don’t give employers much control over what their employees spend their benefit funds on. If you’re self-administering an HRA, you may come in contact with your employees’ PHI during certain times, such as reviewing their documentation for reimbursement requests. Any improper self-administration could result in fines or breaches.

With PeopleKeep’s HRA administration software, we review and securely store your employee’s documentation and help you navigate HIPAA compliance regulations so you don’t have to worry about PHI errors or self-administration pitfalls.

Conclusion

Understanding PHI and how to protect it can help you avoid hefty penalties for compliance violations. Staying on top of patient privacy rules and compliance regulations within the healthcare industry can seem daunting when offering a health benefit, but you don’t have to go it alone.

PeopleKeep’s HRA software and award-winning customer support team help thousands of organizations nationwide administer their HRAs compliantly with both state and federal regulations every day.

This article was originally published on September 23, 2021. It was last updated on June 21, 2024.

1. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9123525/

2. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html