The acronym: PHI stands for Protected Health Information - not personal health information (although that’s in essence what it implies), not personally identifiable health information (I’ve seen it used, although that would technically be PIHI), and I’m sure there are variants of this that you’ve heard as well.
The definition: Here’s the Wikipedia definition. Protected health information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. HHS provides an even simpler definition of PHI: individually identifiable health information transmitted or maintained in any form or medium by a Covered Entity or its Business Associate; the definition of a “business associate” was extended by the HIPAA Omnibus rule that went into effect in 2013. The term “information” is interpreted rather broadly and includes any part of a patient’s medical record or payment history. The key here is the phrase “that can be linked to a specific individual”, which is where the other acronym, PII (Personally Identifiable Information) - here’s the link to the Wikipedia article on that - becomes relevant. The major difference between PHI and PII is that PII is a legal definition, i.e. PII is anything that could be used to uniquely identify an individual. PHI is a subset of PII in that a medical record could be used to identify a person, especially if the disease or condition is rare enough.
For information to be considered PHI, it must meet all of the following three conditions:
- The information is created, received, or maintained by a health provider or health plan.
- The information is related to past, present or future health care or payment for that health care.
- The information identifies a member or patient, or there is enough information to be able to identify the individual.
Health information that is not linked to an individual by one or more of the 18 HIPAA identifiers (see the Elements of PII section below) and for which there is no reasonable basis to believe that the information can be used to identify the individual is not protected health information. Individually identifiable health information ceases to be PHI 50 years after death.
PHI can be in oral, written or electronic form.
Protection of PHI
The core of the HIPAA regulations is to ensure that ownership of any and all medical data is retained solely by the individual. The individual can then decide to parcel out access to others - providers, family members, employers - as needed or necessary, or simply by preference of the record owner. Only an individual has the right to grant access to their medical data. This was mainly done for the following reasons:
- Privacy: Obviously we would prefer that our neighbor (or in some cases, family members) not know about whatever condition we might be suffering from or medication we are taking.
- Bias and discrimination: some conditions have a social stigma associated with them. The HIPAA PHI provisions ensure that employers and others do not have access to one’s medical record and cannot use the information contained within to discriminate against the individual based on their health information.
Anonymization & De-identification
- Anonymization is a process by which PHI elements are removed or changed with the purpose of minimizing / removing the possibility of going back to the original data set. This involves removing all identifying data to create unlinkable data.
- De-identification under HIPAA occurs when data has been stripped of common identifiers by one of two methods:
  - Remove the 18 elements listed in the Elements of PII section below; or
  - If another approach is used, ensure a statistically small / negligible risk of re-identification, validated by a statistics expert (you have to love the interpretability of that rule).
Elements of PII
Obviously protection and privacy come into play once the individual can / has been uniquely identified. There are after all 25.8 million Americans who have diabetes. Which leads to the question of what data can be used to uniquely identify an individual. The generally accepted set of individually unique data elements include the following:
| # | Identifier | Notes |
|---|---|---|
| 1 | Name | Well, of course: first name, last name, maiden name combinations. One could argue that any one of these alone doesn't uniquely identify an individual; after all, "James" is a pretty common name. But it could be possible to identify an individual using a combination of data, i.e. first name, zip code, street address, etc. |
| 2 | Geographic locators | Everything (street address, city, precinct, zip code, lat/long coordinates, etc.) is considered PII. The first three digits of the zip code are usually considered OK for use except in the case of certain zip codes which cover a small population (less than 20,000). There are currently 17 three-digit zip code prefixes that fit that profile: 036, 692, 878, 059, 790, 879, 063, 821, 884, 102, 823, 890, 203, 830, 893, 556, 831. So three-digit zip codes are OK to use except for the ones listed above. |
| 3 | Dates | Dates pertaining to significant events in an individual's life: birth, death, marriage, admission, discharge, etc. Just the year is generally considered fine for use except in the case of the very elderly (>89 years of age), who would be represented by an aggregate category, e.g. 90 and over. |
| 4 | Phone numbers | Well, of course. |
| 5 | Fax numbers | This is, IMHO, a carryover from the old days. Do you know a lot of people with a personal fax number? But it does make sense. |
| 6 | Electronic mail addresses (email) | Check |
| 7 | Social Security numbers | Check |
| 8 | Medical record numbers | This is usually a "random" number and could be used if one also knew the institution that assigned it. |
| 9 | Health plan beneficiary numbers | This is your insurance card / member ID. |
| 10 | Account numbers | Bank account numbers, etc. |
| 11 | Certificate/license numbers | Driver's license, birth certificate number, etc. |
| 12 | Vehicle identifiers and serial numbers, including license plate numbers | If it's good enough for the police to track someone down... |
| 13 | Device identifiers and serial numbers | Medical devices have unique serial numbers. Your computer's MAC address is unique as well. |
| 14 | Web Universal Resource Locators (URLs) | This is a bit murky but is in here to cover all possibilities. http://www.facebook.com isn't very unique. But a URL logged within a specific application could indeed be very unique to an individual. |
| 15 | Internet Protocol (IP) address numbers | Your IP address can be used to easily identify your address. There are several free services that offer this (do a quick Google search for "address from IP" and try one as an example). |
| 16 | Biometric identifiers, including finger and voice prints | Don't forget retinal images. |
| 17 | Full face photographic images and any comparable images | Check |
| 18 | Any other unique identifying number, characteristic, or code | Re "code": note this does not mean the unique code assigned by the system to code the data. |
These 18 elements are the core set of data elements that individually or in combination can be used to uniquely identify an individual. And, considering the fact that the above list of identifiers has fax numbers and not Twitter @usernames, Facebook IDs, or a host of other modern, more common identifiers, it’s clear that the PII list is not the most up to date and some more thought should go into recognizing and protecting identifiable information. However, since patient data is valuable in clinical trials, medical case studies etc., the above list is used as a guideline to ensure privacy.
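The Safe Harbor rules described in the de-identification section and the table above (remove the direct identifiers, keep only the first three digits of the zip code and suppress the 17 restricted prefixes, reduce event dates to the year, and aggregate ages over 89 into a single category) applied to one record, as an added example that is not part of the original document and not Visible Health's own code. The field names, the sample record and the reference date are constructed assumptions; the final scan is a simple regex check for identifier-like strings left behind in free-text fields, which is where element 18 ("any other unique identifying number") tends to bite in practice.

```python
"""Safe Harbor de-identification of a patient record (added example).

Field names, the sample record and the reference date are assumptions
made for this example; the rules themselves are the ones the page lists.
"""
import re
from datetime import date

# The 17 three-digit zip prefixes the page lists as covering fewer than
# 20,000 people; these are suppressed entirely.
RESTRICTED_ZIP3 = {
    "036", "692", "878", "059", "790", "879", "063", "821", "884",
    "102", "823", "890", "203", "830", "893", "556", "831",
}

# Assumed field names holding direct identifiers from the 18-element
# list; these fields are dropped outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "member_id", "account_number", "license_number", "vin",
    "license_plate", "device_serial", "url", "ip_address",
    "biometric", "photo",
}

# Assumed field names for significant-event dates other than birth
# (birth also needs the age check).
EVENT_DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}

# Reference date for the age calculation (assumed for the example).
AS_OF = date(2014, 1, 1)


def generalize_zip(zip_code: str) -> str:
    """Return the 3-digit zip prefix, or '000' if restricted or invalid."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    if len(prefix) < 3 or prefix in RESTRICTED_ZIP3:
        return "000"
    return prefix


def age_on(birth: date, as_of: date) -> int:
    """Whole years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def generalize_birth_date(iso_birth: str, as_of: date) -> str:
    """Birth year only, or the aggregate '90+' category for ages over 89."""
    birth = date.fromisoformat(iso_birth)
    if age_on(birth, as_of) >= 90:
        return "90+"
    return str(birth.year)


def deidentify(record: dict, as_of: date = AS_OF) -> dict:
    """Apply the Safe Harbor rules field by field; other fields pass through."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # rule: remove the identifier entirely
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "birth_date":
            out["birth_year"] = generalize_birth_date(value, as_of)
        elif field in EVENT_DATE_FIELDS:
            out[field.replace("_date", "_year")] = str(date.fromisoformat(value).year)
        else:
            out[field] = value
    return out


# Patterns for identifiers that tend to survive inside free-text fields.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def residual_identifiers(record: dict) -> list:
    """List (field, kind) pairs for identifier-like strings still present."""
    findings = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, pattern in RESIDUAL_PATTERNS.items():
            if pattern.search(value):
                findings.append((field, kind))
    return findings


# Constructed sample record; no real person.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "street_address": "1 Example Way",
    "zip": "03601",              # prefix 036 is on the restricted list
    "birth_date": "1920-05-14",  # age 93 on AS_OF, so aggregated to 90+
    "admission_date": "2013-09-26",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "diagnosis": "type 2 diabetes",
    "notes": "Patient prefers callback at 555-867-5309",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print(residual_identifiers(cleaned))  # the phone number in the notes survives
```

The structured fields come out clean, but the phone number embedded in the free-text notes does not, which is why stripping named fields is never sufficient on its own: free text needs either its own scrubbing pass or the expert-determination route the de-identification section mentions.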
What Does It Mean For You
You are expected to be able to:
- Recognize PHI that requires protection,
- Determine when it is permissible to access, use or disclose PHI, and
- Reduce the risk of impermissible access to, use or disclosure of PHI.
When is it permissible to access or use PHI?
Only access, use or disclose PHI if your job allows you access and that access is required for your job. In our case, this is rarely, if ever, needed. The general approach should be that if a client sends you any such information without an explicit agreement in place, then delete it immediately without opening it.
If for some reason, while providing support to a customer, you are able to view such information, do not copy, download, screenshot or retain access to any such data and report this immediately to your manager or our Chief Security Officer.
Minimum necessary PHI
The intention at every step should always be:
- To use or disclose/release only the minimum necessary to accomplish the intended purposes of the use, disclosure, or request.
- Requests from customer employees:
  - Identify each workforce member who needs to access PHI.
  - Limit the PHI provided on a “need-to-know” basis.
- Requests from Visible Health or any vendor doing business with customers who have PHI data:
  - Given the business we are in, we should not have to request access to any PHI data.
  - If, for some specific purpose, PHI data is requested, then you should limit the PHI provided to what is needed to accomplish the purpose for which the request was made and no more.
What Uses or Disclosures of PHI Are Permitted by Law?
The following section is for informational purposes only. As a general policy (there might be exceptions as the services we provide continue to grow and evolve, in which case you will be explicitly informed), you, as an employee of Visible Health, do not need access to PHI.
HIPAA allows covered entities (CE) to create, receive, access, use, or disclose PHI without patient authorization when the workforce member’s job duties involve certain activities. These activities include, but are not limited to:
- Health care treatment—the treatment team can use PHI to provide, coordinate, or manage health care and related services, including consultation between health care providers of an individual, and referral of a patient for health care from one provider to another provider for treatment. However, UNLESS the provider is directly involved in the care of the patient and needs the information for treatment, a health care provider cannot access, use, or disclose PHI for other purposes—such as to check on the health care status of a colleague, friend or family member—without the patient’s specific authorization.
- Health care or health plan payment —PHI can be used for premium payment, billing, claims management, utilization review, coordination of benefits, eligibility and/or coverage determinations, and collection activities.
- Health care or health plan operations—PHI can be used for quality assessment, case management, population-based activities such as disease management, accreditation, underwriting, legal and audit functions, fraud and abuse protection and compliance, and business management.
There are other uses and disclosures where patient authorization is not required; some are included below:
- Appointment reminders – PHI may be used to contact members and patients about appointments for health care and treatment.
- Business Associates – PHI may be used by contracted business associates to perform certain functions on a client’s behalf. Business associates must sign a business associate agreement and agree to safeguard PHI. In a Visible Health context, we enter into BAAs with all of our clients as we provide software solutions to them. However, we have put guidelines and technology in place to minimize, restrict and in some cases eliminate access to PHI. As a contractor, we may not copy, use, or disclose PHI for any purpose other than what is specifically allowed in our Business Associate contract. If you inadvertently access or disclose PHI in ways not allowed in your contract, the law requires you to immediately report the disclosure to your supervisor or contract manager, and your company to report the breach to our client.
If you are not sure about whether or not you can use or disclose PHI, check with your manager or the Chief Security Officer.