Protected Health Information
PHI stands for Protected Health Information. The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information.
Examples of PHI
Jan 11, 2015
HIPAA protected health information (PHI), also known as HIPAA data, is any piece of information in an individual's medical record that was created, used, or disclosed during the course of diagnosis or treatment that can be used to personally identify them.
Names. Identifying geographic information including addresses or ZIP codes. Dates (except for the year) that relate to birth, death, admission, or discharge. Telephone numbers.
Names, addresses and phone numbers are NOT considered PHI, unless that information is listed with a medical condition, health care provision, payment data or something that states that they were seen at a particular clinic.
PHI includes health records such as EHR/EMRs, lab test results, health histories, diagnoses, treatment information, insurance information and lists of allergies are all considered PHI, as are unique identifiers and demographic information.
Examples of health data that is not considered PHI: Number of steps in a pedometer. Number of calories burned. Blood sugar readings w/out personally identifiable user information (PII) (such as an account or user name)
Patient names (first and last name or last name and initial) are one of the 18 identifiers classed as protected health information (PHI) in the HIPAA Privacy Rule. HIPAA does not prohibit the electronic transmission of PHI.
It may be surprising that some of these items are PHI, such as IP addresses, however, the above-listed items are considered “individually identifiable health information.” This means that the information can be directly tied back to a specific patient.
Health information such as diagnoses, treatment information, medical test results, and prescription information are considered protected health information under HIPAA, as are national identification numbers and demographic information such as birth dates, gender, ethnicity, and contact and emergency contact ...
PHI is health information in any form, including physical records, electronic records, or spoken information. Therefore, PHI includes health records, health histories, lab test results, and medical bills. Essentially, all health information is considered PHI when it includes individual identifiers.
Types of HIPAA Violations
Violation of Patient's Rights
Snooping is considered a breach under HIPAA. HIPAA provides three exceptions to the definition of “breach.” One exception applies when an employee of a covered entity accesses or uses protected health information unintentionally, but in good faith and within the scope of authority.
Impermissible uses and disclosures of protected health information. Lack of safeguards of protected health information. Lack of patient access to their protected health information. Lack of administrative safeguards of electronic protected health information.
Improper disposal of electronic media devices containing PHI or PII is also a common cause of breaches. Theft and intentional unauthorized access to PHI and PII are also among the most common causes of privacy and security breaches.
A PHI breach is unauthorized access, use or disclosure of individually identifiable health information that is held or transmitted by a healthcare organization or its business associates.
HIPAA violation: yes. Some say no but in reality, it's yes because someone can still be identifiable through the information. Even if it means displeasing colleagues for a few days, protect your patients' privacy and protect your unblemished name.
A hospital may disclose the necessary protected health information to anyone who is in a position to prevent or lessen the threatened harm, including family, friends, and caregivers, without a patient's agreement.
Answer: Yes. The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient's care or payment for health care.
With respect to the safe harbor method, the guidance clarifies whether specific data need to be removed from a given data set before it can be de-identified. It notes that derivations of one of the 18 data elements, such as a patient's initials or last four digits of a Social Security number, are considered PHI.