If you’re pursuing HIPAA compliance or you’re considering working with healthcare organizations, you’ve come across these three letters: PHI. Protected health information is at the core of HIPAA legislation, which was designed to better secure patients’ private data.
Understanding what PHI is and how it must be protected is imperative for achieving HIPAA compliance and avoiding violations.
Read on to discover what is considered PHI under HIPAA, get real examples of PHI, and learn what covered entities must do to protect this type of data.
PHI stands for Protected Health Information.
PHI under HIPAA covers any health data created, transmitted, or stored by a HIPAA-covered entity and its business associates. It includes electronic records (ePHI), written records, lab results, x-rays, bills — even verbal conversations that include personally identifying information.
PHI is protected by the HIPAA Privacy Rule, which requires covered entities and their business associates to safeguard protected health information. The Privacy Rule also gives patients greater control over who can access and share their personal health records.
Under HIPAA, a covered entity is an organization that provides medical treatment or handles healthcare payments or operations. These include:
Covered entities are legally required to comply with HIPAA rules for protecting the privacy and security of PHI.
Business associates are organizations that provide services to a covered entity and have access to PHI, such as:
Covered entities and business associates must have a business associate agreement (BAA) in place to define responsibilities when it comes to safeguarding PHI. The BAA specifies what the business associate’s role is and requires it to comply with HIPAA rules.
The Department of Health and Human Services has defined 18 key identifiers of PHI. PHI covered under HIPAA includes:
Prescriptions, test results, diagnoses, treatment plans, billing and payment information — all of these are HIPAA PHI examples.
To determine whether something is considered PHI, ask three questions:
If the answer is yes to all three, it qualifies as PHI and is protected under HIPAA legislation.
HIPAA specifically applies to covered entities and their business associates. PHI that is created, stored, accessed, or transmitted by these organizations is protected under HIPAA regulations. But in the hands of another company, that same information is not considered PHI and does not fall under HIPAA.
For example, data collected by a consumer health app that records heart rate, blood pressure or blood sugar, activity levels, or calorie consumption does not constitute PHI, because the app developer is neither a covered entity nor a business associate.
Here are a few other instances where health data is not considered PHI:
While HIPAA compliance requires organizations to take steps to protect PHI from unauthorized access, HIPAA rules do not list specific actions covered entities must take. This flexibility allows organizations to decide the measures that are most appropriate based on their size and function. A regional hospital system may have different requirements and controls in place than a small family clinic, for example.
Covered entities do have to put safeguards in place to protect PHI against breaches. The HIPAA Security Rule outlines different administrative, physical, and technical safeguards, such as access management policies, employee training, incident response plans, document shredding, and data encryption.
Fail to protect PHI under HIPAA rules, and you could be hit with a fine by the Department of Health and Human Services Office for Civil Rights. Violations can be costly — and not just in terms of money. A violation or breach can permanently damage your organization’s reputation and erode patient trust.
Here are a few common PHI violations to avoid:
PHI should only be viewed for treatment, payment, or healthcare operations. Any shared access to PHI must be authorized by the patient. You’ll also need to ensure PHI is securely and permanently destroyed when it’s no longer needed.
Part of managing PHI access is also responding promptly to a patient’s request for their medical records.
Covered entities and business associates may not sell PHI without authorization from the patient.
Organizations that knowingly disclose or sell PHI without proper authorization face a HIPAA violation fine of up to $50,000 and 1 year in prison.
While it’s common for healthcare providers to request access to a patient’s complete medical history, they may also request access to specific PHI. The Minimum Necessary Rule states that covered entities should disclose only the PHI that’s directly relevant to the request.
In either case, PHI can only be disclosed to a third party with patient authorization, unless directly related to healthcare treatment, payment, or operations.
In the event of a breach of unsecured PHI, a covered entity must notify any affected individuals within 60 days. Failure to do so is a violation of the HIPAA Breach Notification Rule. Business associates that discover a breach are also required to notify the covered entity within 60 days.
HIPAA compliance ensures covered entities and business associates take tangible steps to protect sensitive patient data. And it motivates organizations to maintain and improve those security measures — or face costly violations.
Secureframe helps organizations of all sizes protect PHI by simplifying the HIPAA compliance process into a few key steps: