Direct Mail

What is PHI (Protected Health Information) Under HIPAA?

By 2 June 2022February 1st, 2024No Comments
phi protected health information

A Comprehensive Guide to Knowing PHI (Protected Health Information) HIPAA

We have all heard the terms HIPAA and PHI, but some might not know what they truly mean. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996 and ensures medical data security. It enhances efficiency in healthcare and protects patients’ privacy.

This medical data that we refer to is known as PHI—Protected Health Information. It includes a vast range of patient details that a hospital or other medical institutions tend to store in their database for several purposes.

phi protected health information

The PHI (Patient Health Information) HIPAA is a federal law that dictates numerous guidelines for using and sharing such sensitive data. Therefore, you need to check if your company is liable to follow these rules. Otherwise, you may have to pay hefty fines and remember, ignorance of the HIPAA laws does not work as a defence.

Hence, more and more businesses educate their staff members about HIPAA and PHI. It helps them understand what to do and avoid, keeping their operations legal.

It might sound hard to become HIPAA-compliant and follow all the regulations. But, it is worth it to educate yourselves and dodge any potential legal trouble.

Therefore, we have attempted to reveal what is PHI and how to secure it. Also, this blog includes the 18 identifiers of PHI that can help you become HIPAA compliant.

Let us dive in!

What is PHI Information?

Several organizations struggle with understanding the details covered under PHI. Thankfully, HIPAA specifies all the information you should consider as PHI and the necessary steps to protect it.

All identifiable health details that a HIPAA-covered entity collects uses, stores, maintains, and transmits are Protected Health Information. HIPAA-covered entities could be healthcare providers, insurance agencies, or healthcare clearinghouses. However, other businesses related to these institutions are also obligated to follow the rules of this data privacy law.

PHI includes a patient’s health information in every format- spoken, electronic databases, and physical records. It consists of past, current, and future healthcare details, from treatment programs to payment histories.

Knowing what is PHI can help you spot sensitive data immediately and treat it securely from the beginning. All health records, patient bills, test reports, diagnoses, etc., come under PHI. 

However, the scope of PHI does not restrict to a person’s health information. It also extends to their demographics such as name, licence numbers, birth dates, etc. Basically, anything that allows you to identify a person individually is PHI (Patient Health Information) HIPAA.

So, PHI comprises:

  • A patient’s mental and physical health conditions
  • The treatment that organizations provide to the patient
  • Details about the past, present, and upcoming patient payments for the provision of care that identifies the individuals directly or indirectly

For instance, a diagnostic report or lab invoice is PHI because these documents consist of the patients’ names and other similar identifiable data. On the contrary, a health survey that reports the average age of diabetes patients does not count as PHI. Though this survey collects information from healthcare records, it does not reveal the members’ identities. Thus, such data is not PHI (Patient Health Information) HIPAA.

What Are the 18 PHI Identifiers?

According to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), Protected Health Information includes:

  1. Patient names (Includes a person’s initials, full name, or last name)
  2. Birth dates, excluding the years directly related to individuals

This identifier also comprises other dates such as date of admission, date of discharge, date of death, and exact ages of citizens older than 89 years.

  1. Telephone numbers
  2. Fax numbers
  3. Email addresses or any other contact information

Many companies believe that email addresses that don’t have the person’s name are not PHI (Patient Health Information) HIPAA. But, it is simple to find the individual by conducting a reverse email lookup or via social media. Even if these tools don’t give you a name, they help you find enough information to identify them. Hence, all email addresses with or without the patients’ names are PHI.

  1. Social security numbers
  2. Geographic data

All location-based identifiers smaller than states—apartment numbers, street names, municipalities, cities, etc. They do not include the starting three digits of ZIP codes if the unit formed by combining all the ZIP codes with the same digits covers more than 20,000 people. Also, these identifiers consist of the geographical units having 20,000 or fewer people whose ZIP codes have 000 in the beginning.

  1. Medical record numbers
  2. Licence or certificate numbers
  3. Serial numbers and device identifiers
  4. Web Uniform Resource Locators (URLs)
  5. Bank account numbers also count as PHI (Patient Health Information) HIPAA
  6. Internet Protocol (IP) addresses
  7. The health insurance or plan beneficiary numbers of patients they provide while receiving treatment
  8. Vehicle identifiers (including licence plate and serial numbers)
  9. Biometric identifiers (fingerprints, voice, retinal scans, etc.)
  10. Full face images and comparable photographs
  11. Other unique characteristics like identifying numbers or codes

A database having one or more of the above identifiers is classified as PHI (Patient Health Information) HIPAA. The HIPAA Privacy Rule provides restrictions on the uses and disclosures of such patient details.

However, you might face some accidental disclosures at times that are beyond your control. Fortunately, HIPAA has specific rules regarding incidental disclosures to protect you from paying penalties for unforeseen or uncontrollable factors. For instance, if a healthcare insurance provider recognizes a patient at your clinic when they visit you, your organization is not at fault. In this case, you are not in breach of the Privacy Rule even though you revealed your patient identity coincidently.

Who Uses PHI (Protected Health Information) HIPAA and Why?

Now that you know what is PHI information, you should also understand its use cases. So, here is a list of medical-related institutions that you can refer to as covered entities:

  • Healthcare providers who treat patients and conduct numerous financial and administrative transactions electronically fall under this category. It may be a hospital, dental clinic, physician practice, pharmacy, clinic, etc. Furthermore, HIPAA covers all healthcare specialties, including neurology, gynecology, dermatology, and cardiology.
  • Healthcare clearinghouses that receive patient data from medical institutions regularly. These clearinghouses process non-standard patient information to carry out specific tasks on behalf of the healthcare providers.
  • All healthcare insurance providers and health maintenance organizations (HMOs) should follow the PHI (Patient Health Information) HIPAA law. Furthermore, this category also extends to health plans, like:
    • Employer-sponsored medical plans
    • Government healthcare programs, including military plans, Medicaid, etc., are also included

Our next category of organizations covered under HIPAA is business associates. Business associates help covered entities with their healthcare functions according to a written contract—the business associate agreement (BAA).

All covered entities dealing with PHI (Patient Health Information) HIPAA should have a functional BAA to delegate responsibilities and hold the engaged business associates accountable. 

Here are some examples of business associates:

  • Independent transcriptionists who offer transcription services to doctors
  • HIPAA cloud storage service providers
  • Print and mail automation platforms like PostGrid
  • Claims processing administrators. 
  • Consultants that provide utilization reviews for clinics, hospitals, etc., are also prime examples

Hence, organizations spend tons of time understanding what is PHI for:

  • Providing adequate treatment to patients
  • Collecting patient data for administrational, operational, and marketing purposes
  • Offering payment assistance to healthcare institutions to recover debts from insurance companies and patients, etc.

Please note: Under the PHI (Patient Health Information) HIPAA law, a covered entity may act as a business associate for other organizations.

What Type of Patient Details Does Not Count As PHI?

Contrary to popular belief, all health data is not PHI (Patient Health Information) HIPAA. There are a few exceptions, but they are very subjective. Often, it depends on who collects and records the patient information.

For instance, consider health trackers that people install on their mobile devices or the physical ones they wear on their wrists. The trackers capture the person’s blood pressure or heart rate, which is considered PHI (Patient Health Information) HIPAA when a hospital or health plan provider uses them.

However, the HIPAA rules only apply to business associates and covered entities. Thus, the information that such app developers or device manufacturers record is not PHI unless HIPAA-covered organizations have a contract with them.

The same exception applies to employment and education records. A company may store the health information of its employees. But, such employment records do not count as PHI (Patient Health Information) HIPAA. Similarly, a business that stores the education records of a person or employee (including demographic and geographic data) is not dealing with PHI.

Under the HIPAA law, you can de-identify PHI by eliminating the identifiers that tie the data to individuals. Also, there must be a health-related connection between people and their personal information. For instance, the names and contact numbers in a phonebook are not PHI because they are not healthcare-related.

What Is the Difference Between PHI (Patient Health Information) HIPAA and EPHI?

EPHI stands for electronic protected health information and refers to patient data collected, stored, received, and transmitted electronically. There are specific guidelines to assess ePHI according to the HIPAA Security Law, and they include:

  • Media used for storing patient information:
    • External portable hard drives
    • Removable storage devices, like SD cards, DVDs, CDs, USB flash drives, etc.
    • Magnetic tape
    • PDAs and smartphones
    • Personal computers are used at the home, workplace, or elsewhere.
  • Ways of sharing data via DSL, cable network, wi-fi, modem, or Ethernet connections, including:
    • File transfers
    • Email

The prime difference between PHI (Patient Health Information) HIPAA and EPHI is the method of storage and transmission. The HIPAA Privacy Rule regulates PHI, whereas the HITECH Act and HIPAA Security Rule overlook the processing of ePHI.

More Things You Should Know About PHI (Patient Health Information) HIPAA

Below, we have listed some more facts or rules of HIPAA PHI that you should acquaint yourself with to get a better understanding of the topic:

PII, IIHA, and PHI Are All Different Terms

PII stands for Personally Identifiable Information that falls outside the medical context. Also, it has nothing specific to do with healthcare organizations or patient details.

IIHA is short for Individually Identifiable Health Information and means the same as PHI. Covered entities and business associates use these terms interchangeably because the HIPAA Privacy and Security Rules apply to them in the same manner.

Incomplete Patient Data Is Also PHI

Imagine if a patient walks into your clinic and gets a quick checkup, but the only data you have on them is “Mr. White, Medford.” The person neither revealed their full name nor mentioned their mailing address. So, are such incomplete details considered PHI (Patient Health Information) HIPAA?

The answer is yes—even incomplete or missing patient details are PHI under HIPAA. In the above example, we could have hundreds or thousands of Mr. Whites in Medford. But, HIPAA cannot speculate whether it is the name of just one person or thousands of people, which is why the rule applies to it usually.

Patients Need to Give Their Consent to their Healthcare Provider To Discuss Their Records With Their Employers

Companies cannot contact the healthcare providers of their existing and potential employees and ask for their health records. They need to ask employees to give explicit consent to their medical professional for doing so! Otherwise, the patient can sue the hospital or clinic under the HIPAA Privacy Rule.

Hence, though it is legal to discuss PHI (Patient Health Information) HIPAA with employers, you need the patient’s permission. But, there are a few details you are free to talk about with employers, of course, in a confidential setting. For example, suppose the employer acts as a middleman between the patient and their health plans. In that case, the conversation between the two parties is not PHI.

The USPS, Canada Post, and Other Mailing Companies Are Not Covered Entities or Business Associates

Courier companies like the USPS, FedEx, Canada Post, etc., merely transport items from one place to another. They do not have access to the PHI inside the mail pieces. Hence, they are not covered under HIPAA regulations and can operate freely.

However, you need to have a BAA with automated direct mail services like PostGrid that help you send your medical documents effortlessly. Fortunately, PostGrid is 100% HIPAA-compliant and strives to protect your PHI (Patient Health Information) HIPAA at all stages.

How Can You Safeguard Your PHI Database?

The Security Rule needs all covered entities to identify potential threats and develop ways to protect their PHI in advance. Hence, it is not enough to learn what is PHI information. You need a robust mechanism that enables you to comply with HIPAA.

You need to implement security features to ensure the availability, integrity, and confidentiality of Protected Health Information. HIPAA has not laid down technology-specific safeguards; hence, you can employ any privacy systems that suit you.

But, ensure that your safeguards protect your PHI in all physical, administrative, and technical ways. 

  • The technical aspect covers using technologies like firewalls and encryption software.
  • Physical safeguards require you to keep the paper-based records and devices containing PHI (Patient Health Information) HIPAA under lock and key.
  • The administrative security aspect includes limiting access to PHI to a few authorized staff members only. Also, consider conducting HIPAA awareness training for your team for a more unified approach toward becoming HIPAA-compliant.

How Can PostGrid’s HIPAA-Compliant API Help You Send Medical Documents Legally and Securely?

PostGrid’s direct mail solutions can help you send your marketing items and medical related letters to patients effortlessly. You need not worry about securing PHI (Patient Health Information) HIPAA or following the federal rules. With PostGrid, you can draft, print, and ship your mail pieces 50% faster and five times more efficiently.

Here are some examples of medical documents that you can produce and mail using our automated direct mail API:

  • Explanation of Benefits (EOB)
  • Patient statements
  • Medical statement inserts
  • Mental and physical health records
  • Test reports
  • Prescriptions
  • Discharge summaries
  • Consent forms
  • Notices and patient letters
  • Hospital and lab invoices
  • Explanation of Coverage (EOC)
  • Follow-up letters for patients
  • Appointment reminders
  • Patient or physician mailers, etc.

PostGrid for healthcare teams works excellently to save your time and money. Also, the best part is that we are compliant with several data security laws like HIPAA, PIPEDA, and SOC-2. Hence, you can protect PHI (Patient Health Information) HIPAA while boosting your mailing efficiency.

We also offer several features that can turn heads and make your mailing experience memorable, like:

  • Free letter templates
  • Address verification
  • CASS and SERP-verified addresses
  • Print and mail fulfillment
  • Per-piece tracking
  • Triggered campaigns
  • Monitoring and analytics
  • Flexible pricing
  • Dedicated customer onboarding
  • API Integrations, etc.

Wrapping Up

It may not be simple to secure PHI (Patient Health Information) HIPAA and conduct your day-to-day operations the right way. You need to understand and implement a pool of regulations, which can be daunting. 

Therefore, you can outsource most of your tasks, like claims processing, billing, payment collection, patient appointments, direct mailing, etc. It allows you to save enough time and effort to focus on complying with HIPAA.

Our automated direct mail solutions ensure that you don’t have to spend weeks of your precious time handling print jobs and logistics. Nor do you have to figure out methods to secure your mail pieces according to the HIPAA rules. PostGrid has got you covered!

Do you want to learn further about how PostGrid helps healthcare organizations deal with PHI (Patient Health Information) HIPAA while mailing? Talk to our sales team now!