What is considered PHI under HIPAA?

May 23, 2024
Table of contents
- Introduction
- What is PHI under the HIPAA rules?
- Additional information on PHI under HIPAA
- Where do Business Associates enter the equation?
- What is a designated record set?
- What are the possible uses and disclosures of PHI?
- PHI and Individuals’ Privacy Rule Rights
- Conclusion
Under HIPAA, PHI is an individual’s health, treatment, and payment information, together with any information maintained in the same designated record set that identifies the individual or can be used with other information in that record set to identify them. HIPAA rules and regulations protect PHI. Individuals must use the PHI Guide and checklist to understand the essentials of protecting PHI. Explore more about PHI in this blog.
What does PHI stand for?
PHI stands for Protected Health Information. Its definition varies by source: many assume PHI is simply patient health data, while others equate it with the 18 HIPAA identifiers. To best explain what PHI is under the HIPAA compliance rules, it is crucial to review the definitions section of the Administrative Simplification Regulations, starting with health information.
Additional information on PHI under HIPAA
Health information relates to an individual’s past, present, or future health condition. It becomes individually identifiable health information when identifiers are included in the same record set, and it is protected when it is maintained or transmitted in any form.
These parties include health plans, health care clearinghouses, and qualifying healthcare providers that conduct electronic transactions for which the Department of Health and Human Services (HHS) has published standards. The standards are in Subparts I to S of the HIPAA Administrative Data Standards.
Where do Business Associates enter the equation?
It is crucial that business associates be aware of the definition of PHI, because any individually identifiable health information created, received, maintained, or transmitted by a business associate in the provision of a service for or on behalf of a party is protected.
Business associates must comply with the Security and Breach Notification Rules when providing a service to or on behalf of a party. Depending on the nature of the service provided, they may also need to comply with parts of the Administrative Requirements and the Privacy Rule; this depends on the content of the Business Associate Agreement.
What is a designated record set?
A designated record set is a group of records that a party maintains, such as the medical record and billing record for an individual. There are two things to understand from this definition. The first is that even a baby picture counts as PHI, because the image identifies an individual who has been a past recipient of medical treatment.
The second takeaway is that it is crucial to protect any identifying information about an individual that is not health or payment information but is included in the same designated record set. For example, a thank-you card that accompanies the baby picture must be protected, including the baby’s name, even though the card contains no information relevant to health or payment.
What are the possible uses and disclosures of PHI?
The importance of PHI under HIPAA is that the HIPAA Privacy Rule states which uses and disclosures of PHI are required, which are permitted, and which require written consent from the subject of the PHI. If a HIPAA-concerned party or its team members do not know what PHI is, multiple HIPAA violations are likely, along with an increased probability that these incidents are reported to HHS’ OCR, resulting in an OCR complaint or a fine from the OCR.
On the other hand, when a concerned entity elects to make extra efforts to counter the risk of HIPAA violations or unsecured PHI leaks and locks down every single piece of information, this may suddenly disrupt operational workflows. For example, if access controls lock down the information needed for transport arrangements, transportation staff cannot get the information they require.
Understanding what PHI is lets concerned parties determine which data is under HIPAA protection and which is not, then develop HIPAA-compliant policies and procedures and train staff to follow them without omissions or disruptions. Attempting HIPAA compliance without first knowing what information falls under PHI may lead to heavy penalties, which is why such entities should seek and use professional advice for compliance.
PHI and Individuals’ Privacy Rule Rights
Individuals have the right to access their PHI and to request amendments if the PHI is inaccurate or incomplete. To fulfil access and amendment requests, as well as requests for an accounting of disclosures, concerned parties must know where PHI and its duplicates are located across multiple designated record sets.
If a patient or plan member files a complaint with the HHS Office for Civil Rights for not receiving copies of PHI as required, not receiving copies within the stipulated time frame (currently 30 days, soon to be reduced to 15 days), or not receiving a complete accounting of disclosures, the same department of HHS can take up the case. If the complaint stems from an organization’s lack of familiarity with what counts as PHI under HIPAA, it will probably trigger an HHS inspection, which may be costly in the case of both present and past PHI violations.
Conclusion
PHI under HIPAA has always been subject to the Privacy Rule, and the Privacy Rule also protects PII when it is part of the same designated record set. When PII is not located in the same designated record set, it is not covered by the Privacy Rule (although it may be covered by state privacy laws).