Protected Health Information (PHI)
What is PHI?
Protected Health Information (PHI) is any identifying material that relates to an individual’s past, present or future health. This can include medical history, diagnoses, lab results, medication lists, and more.
The General HIPAAWhat is HIPAA?The Health Insurance Portability and Accountability Act (HIPAA) is a comprehensive piece of legislation enacted by the United States Congress in 1996.It serves as a vital safeguard for… Provisions (§160.103) define PHI as “individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.” One important distinction is that non-medical individually identifiable information (like a license plate number) can be considered PHI if it is kept in the same designated record set as identifying medical information.
While this information is vital to determining care, it is illegal to obtain or divulge by or to entities without the patient’s express permission. The HIPAA Privacy Rule is a set of federal standards explicitly prohibiting PHI use or disclosure by “covered entities” and “business associates” without the individual’s authorizationAuthorization in cybersecurity refers to the process of granting or denying access to resources based on an entity’s identity and level of privileges. In essence, it determines what actions a….
PHI, PII, and IIHI
While similar in nature, there is a distinction between Protected Health Information (PHI), Personally Identifiable Information (PII)What is Personally Identifiable Information (PII)?Personally Identifiable Information (PII) is data that can be used to distinguish an individual’s identity. These can include identifiers that pinpoint the person exactly, such…, and Individually Identifiable Health Information (IIHI).
- PHI: Information that could identify someone in a medical context. PHI is always protected under HIPAA.
- PII: Any information – medical or non-medical – that can be used to identify a person. This data can be sensitive or non-sensitive and is protected in some, but not all, cases.
- IHII: Medical information that could be used to identify a person, although not necessarily sensitive. It is the medical equivalent of PII.
However, the more general IHII can become PHI if it is transmitted or stored in any way, physical or digital.
The HIPAA Privacy Rule Protects PHI
The HIPAA Privacy Rule was issued by the US Department of Health and Human Services (HHS) to carry out the requirements of the Health Insurance Portability and Accountability Act (HIPAA). It not only specifies the “covered entities” to which PHI protection regulations apply but also sets forth standards by which individuals can exercise their rights to authorize the control and use of their information.
The burden of the Privacy Rule is to balance both the necessary flow of health information (promoting public well-being and quality healthcare) with personal patient privacy. Cases in which PHI can be used without the patient’s consent include treatment and payment, research (in a limited dataset), when needed by law enforcement, or to lessen the risk of a serious threat to health or safety, among other reasons.
In all other cases not otherwise specified, the use and attainment of PHI is expressly prohibited without authorization by the data’s owner.
The HIPAA Security Rule Protects ePHI
PHI can consist of information communicated orally, in handwritten form, or electronically. By contrast, electronic Protected Health Information (ePHI) includes all PHI created, received, maintained, or transmitted electronically only.
Under the HIPAA Security Rule, all covered entities are required to:
- Detect, prevent, and remediate all ePHI threats.
- Ensure the confidentiality, integrity, and availability of all ePHI.
- Certify compliance by their workforce.
PHI Cybersecurity
Threat actors value PHI in all its forms for its sensitive and highly protected nature. They can use the data to impersonate patients and perform acts of identity theftWhat is Identity Theft?Identity theft is a type of fraud in which an individual’s personal and sensitive information is stolen and used by someone else without the former’s permission or…, steal prescriptions, or simply hold the information for ransom until the healthcare provider makes the difficult choice of paying out or facing compliance fines, reputational damage, and patient endangerment.
An effective cybersecurity strategy is required to secure PHI from malicious threat actors, patients from data abuse, and covered entities along the healthcare supply chain from the consequences of PHI loss.
For more essential cybersecurity definitions, check out our other blogs below: