The term Protected Health Information (PHI) has been in use since the introduction of the Health Insurance Portability and Accountability Act (HIPAA) in 1996. Yet there are still individuals and entities that do not fully understand what Protected Health Information (PHI) is and what it encompasses. This lack of knowledge has the potential to place you, your staff and your clinic at risk of HIPAA violations.
PHI is at the very core of the Health Insurance Portability and Accountability Act (HIPAA). It begins with understanding personally identifiable information. In order to appreciate the importance of protecting PHI, one should first know that the definition of health information is any information—verbal or recorded—in any form or medium that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.
Health information becomes personally identifiable health information when it includes demographic information collected from an individual; is created or received by a health care provider, health plan, employer, or health care clearinghouse; and when it identifies the individual or relates to the individual’s past, present, or future physical or mental health or condition.
The underlying purpose of HIPAA is to ensure that the personally identifiable information in a patient’s health record is kept private and protected. HIPAA training should include constantly reviewing the 18 identifiers of PHI and much more. Your staff may fully know that a Social Security Number or address is an identifier, but are they aware that items such as license plate numbers, photos and email addresses are also considered identifiers? Lack of knowledge is one of the most common ways for violations to occur, but it is certainly not an excuse for breaking the law. Because it can be so easy for a misstep to occur when proper training is not addressed, we encourage you to act in this area immediately.
Personally identifiable health information transitions into PHI and is regulated under HIPAA guidelines when it becomes:
- Personally identifiable to the patient
- Used or disclosed to or by a covered entity before, during, or after the course of care
Protected health information is individually identifiable health information transmitted or maintained in electronic media (aka ePHI) or any other form or medium. It excludes individually identifiable health information in education or employment records. Any information that has been de-identified (redacted)—or stripped of all individually identifiable health information and that does not identify or allude to an individual’s identity—is no longer considered PHI.
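A de-identification check like the one described above, as an added example that is not part of the original article: it scans a supposedly redacted record for identifiers that were missed (an incomplete redaction) and reports what is still present. The pattern set is a constructed, partial illustration covering the Social Security Number and email identifiers named above plus phone numbers and full dates; it is an assumption for this example, not the complete list of 18 HIPAA identifiers.

```python
import re

# Constructed, partial set of identifier patterns (assumption for this example,
# not the full list of 18 HIPAA identifiers). Each maps a category to a regex.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # (555) 123-4567 or 555-123-4567; lookbehind instead of \b so "(" matches.
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    # Full month/day/year dates; only the year may remain in a de-identified record.
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}

def find_residual_identifiers(text):
    """Return a list of (category, matched_text) for every identifier still present."""
    hits = []
    for category, pattern in IDENTIFIER_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((category, match.group(0)))
    return hits

def redact(text, placeholder="[REDACTED]"):
    """Replace every matched identifier with a placeholder and return the new text."""
    for pattern in IDENTIFIER_PATTERNS.values():
        text = pattern.sub(placeholder, text)
    return text

def is_deidentified(text):
    """True only when no pattern in the set still matches the record."""
    return not find_residual_identifiers(text)

# Constructed sample record: the name and SSN were blacked out by hand, but the
# email address, phone number and visit date were missed.
SAMPLE_NOTE = (
    "Patient: [REDACTED]  SSN: [REDACTED]\n"
    "Contact: jane.doe@example.com, (555) 123-4567\n"
    "Visit date: 03/14/2023. Chief complaint: chest pain.\n"
)

if __name__ == "__main__":
    for category, value in find_residual_identifiers(SAMPLE_NOTE):
        print(f"residual {category}: {value}")
    print("de-identified after redact():", is_deidentified(redact(SAMPLE_NOTE)))
```

Run against a batch of records before release, a non-empty result from find_residual_identifiers is the signal that the redaction is incomplete and the record is still PHI.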
Placing your office at risk can be as simple as an incomplete redaction of patient records, not obtaining proper authorizations for restrictions on PHI, or not understanding exactly what PHI is. As part of an effective HIPAA Compliance Program, safeguards are required, and policies should exist on identifying PHI, along with consistent training on all matters HIPAA. Training on HIPAA guidelines, regulations and policies should be regular and ongoing. Remember that Compliance Programs are mandatory and should be updated and maintained regularly. How is compliance in your office? Whether you have an existing program or need to start one, KMC University can help with every step of the process. Reach out to us today and we will immediately help you find and reduce any areas of risk.