Question: I’m pretty sure I know what types of information constitute protected health information (PHI). I have never looked up an “official” definition of PHI types, however. Could you provide a list of the different types of information the Health Insurance Portability and Accountability Act (HIPAA) might consider PHI?
Pennsylvania Subscriber
Answer: If you want to go straight to the source, HIPAA has a page devoted to explaining its PHI parameters: https://www.hipaa.com/hipaa-protected-health-information-what-does-phi-include/.
Caveat: It’s a little technical, and it doesn’t lay out a list of all the types of PHI that exist. For an easier, if slightly less technical, list of potential PHI hotspots, we checked out truevault.com, a website dedicated to PHI security and HIPAA compliance.
According to Truevault, health data is considered PHI if it is personally identifiable to the patient AND that information is disclosed to a covered entity (CE) during the patient’s treatment.
Truevault reports that examples of PHI include, but are not limited to:
The Indiana University Knowledge Base goes a step further, laying out a list of “individually identifiable” PHI factors. These identifiers include, but are not limited to, a patient’s:
Takeaway: There are endless sources of PHI, so you need to be on the lookout for this info anywhere it might lurk in your dealings with CEs. It’s better to consider an unprotected item PHI if you’re unsure. That way, you know that the info will stay safe.