If you are active in US healthcare, you probably know that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) safeguards protected health information, a.k.a. PHI. What is protected health information exactly?
- Protected Health Information Definition
- 18 Identifiers of PHI
- Research Examples of Protected Health Information
- Partners in PHI
Protected Health Information Definition
What is PHI? The concept of protected health information (PHI) exists to define the scope of HIPAA: it delineates the specific type of data that the law protects.
Protected health information is any data contained within an electronic health record or other file that refers to a specific individual (see the 18 identifiers below) and that was produced or introduced while performing healthcare tasks such as examinations and therapies.
The provisions of HIPAA permit research teams to use electronic protected health information to advance medical understanding. However, according to UC Berkeley, information is only protected by the law if it is contained within an electronic health record that was used in delivering a healthcare service.
HIPAA law is overseen by the Office for Civil Rights (OCR), an agency within the US Department of Health & Human Services. The OCR defines PHI as data pertaining to:
- A patient’s health status at any point in time;
- Any instance of care provided to a patient;
- Any billing data “for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.”
18 Identifiers of PHI
There are 18 elements of data that serve as identifiers, meaning that they are considered protected health information within the context of a healthcare service:
- Any part of a name;
- Any location information that is more specific than the state, such as street address, town, or county (however, there is an exception: you can use the first three numbers within a ZIP Code if “[t]he geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people” or if you replace the first three digits with 000);
- The months and days of any patient services or events (birthdate, date of treatment, etc.), although the year is unprotected. In addition, any data showing that someone is 90 years or older is considered an identifier unless it is brought together under the single heading of 90 and above;
- Any telephone numbers belonging to the patient;
- Any patient fax numbers;
- Email addresses;
- Social Security numbers;
- The number identifying the record;
- Numbers associated with health insurance or plans;
- ID number for the account;
- Numbers associated with state registrations or licenses;
- Car tags or vehicle identification numbers;
- Any data related to particular computers, including serial numbers;
- URLs specific to individual patients;
- IP addresses of patient devices;
- Anything classifiable as biometric and that identifies the individual, such as a fingerprint;
- Photographs in which the person’s face is visible; and
- Any other features or numbers that directly relate to the patient.
Research Examples of Protected Health Information
One way that protected health information is used by research teams is to look at the records of a certain group of people treated in a particular way for a diagnosed health condition – such as self-reported pain ratings of osteoarthritis patients six months after they were treated with total knee replacements (TKRs). In that case, PHI gives researchers a window into the effectiveness of a particular approach.
Another scenario in which research must be compliant is when the study itself generates protected health information. That occurs when patients are delivered healthcare services as part of the study, such as diagnostic tests or breakthrough treatments that are being compared to traditional options. A specific example is a clinical trial that involves people with a certain health condition taking an experimental pharmaceutical, with the PHI submitted to the FDA for the drug’s application.
Now, keep in mind, the identifiers listed above are critical. Any health data that is not associated with one of those 18 elements is not classified as protected by the government. For instance, a dataset that contains medical readings is not federally protected just on the basis that the readings were taken. However, if a record is connected to a specific patient via inclusion of an account number, all data within that file is legally protected.
Just because you are conducting research does not mean that you are necessarily working with protected health information – in other words, you don’t always need to be concerned with HIPAA. Specifically, if you are conducting research with information that contains identifiers, it’s not protected data if it is unrelated to an interaction (such as patient care, transfer of records, or billing) that involves a patient’s electronic health records.
Partners in PHI
Hopefully the protected health information definition and examples above are helpful in understanding what you need to protect to be federally compliant. However, you also need to know which technology providers understand the needs of your organization.
“Atlantic.Net’s … financial strength and proven track record are something we view with great confidence,” Complete Healthcare Solutions Vice President Joseph Nompleggi has said of our partnership.
Get HIPAA Compliant hosting today and spin up a VPS Cloud Server in under 30 seconds!
By Moazzam Adnan