Practice Management Alert

Reader Question:

Get Hip to Differing Types of PHI

Question: I’m pretty sure I know what types of information constitute protected health information (PHI). I have never looked up an “official” definition of PHI types, however. Could you provide a list of the different types of information the Health Insurance Portability and Accountability Act (HIPAA) might consider PHI?

Pennsylvania Subscriber

Answer: If you want to go straight to the source, HIPAA has a page devoted to explaining its PHI parameters: https://www.hipaa.com/hipaa-protected-health-information-what-does-phi-include/.

Caveat: It’s a little technical, and it doesn’t lay out a list of all the types of PHI that exist. For an easier, if slightly less technical, list of potential PHI hotspots, we checked out truevault.com, a website dedicated to PHI security and HIPAA compliance.

According to truevault, health data is considered PHI if it is personally identifiable to the patient AND that information is disclosed to a covered entity (CE) during the patient’s treatment.

Truevault reports examples of PHI include, but are not limited to:

  • Patient billing information,
  • An email from a patient about medication or a prescription they need refilled,
  • Results from an MRI scan, blood test, etc., and
  • Patient x-rays.

The Indiana University Knowledge Base goes a step further, laying out a list of “individually identifiable” PHI factors. These identifiers include, but are not limited to, a patient’s:

  • Name and address,
  • Elements (except years) of dates related to his care (including birth date, admission date, discharge date, date of death, and exact age),
  • Telephone and fax numbers,
  • Email addresses,
  • Social Security number,
  • Medical record number,
  • Health plan beneficiary number,
  • Account number,
  • Driver license number,
  • Vehicle identifiers and serial numbers, including license plate numbers,
  • Device identifiers or serial numbers,
  • Biometric identifiers, including finger or voice prints,
  • Full-face photographic images and any comparable images, and
  • Unique identifying number, characteristic, or code.

Takeaway: There are endless sources of PHI, so you need to be on the lookout for this info anywhere it might lurk in your dealings with CEs. It’s better to consider an unprotected item PHI if you’re unsure. That way, you know that the info will stay safe.