This is a question many doctors, chiropractors, dentists and other covered entities ask themselves. You'll hear the term “Protected Health Information” or “PHI” a lot when reading about the Health Insurance Portability and Accountability Act of 1996. It's somewhat of a catch-all term used to describe any file, document or other media that contains personally identifiable health information. For a better understanding of PHI and how it's used, keep reading.
The HIPAA Privacy Rule defines PHI as “individually identifiable health information” that's held, used and/or transmitted by a covered entity or business associate. It's a common assumption that PHI only refers to digital files, but this simply isn't true. PHI may come in the form of digital files, paper files, videotapes, audio tapes, and any other medium. So don't assume the HIPAA Rules don't apply to your practice's files just because they are in paper format.
In other words, Protected Health Information is any document or media, in paper or digital format, that contains information about the patient's identity. This may include, but is not limited to, the patient's physical health condition, the patient's mental health condition, provisions of healthcare to the patient, the patient's name, the patient's address, the patient's date of birth, social security numbers, etc.
Just because a document contains information about health conditions doesn't necessarily make it PHI. A document outlining the average demographic for health insurance customers, for instance, does not contain any personally identifiable elements; therefore, it's not PHI and is excluded from the HIPAA Rules which govern such documents.
As noted by the Health and Human Services (HHS) website, neither the employment records of a covered entity nor the Family Educational Rights and Privacy Act (FERPA) records constitute PHI.
Keeping PHI safe by following the HIPAA Security, Privacy and Administrative Rules is one way to avoid violations; another is to “deidentify” the information. As the name suggests, this involves removing any personally identifiable elements from the document, such as names, addresses, social security numbers, and the other aforementioned elements.
There's a great deal of confusion amongst covered entities regarding what's Protected Health Information and what's not. If a document only contains patients' zip codes, the entity may assume it's not PHI. But in reality, any demographic information is PHI. This is one instance where it's best to play it safe by treating all documents with personally identifiable elements as PHI.