What does PHI best stand for?

What Does Personal Health Information (PHI) Mean?

Personal health information (PHI) is a category of information that refers to an individual's medical records and history, which are protected under the Health Insurance Portability and Accountability Act (HIPAA). The protection of PHI includes a wide spectrum of ramifications for businesses and individuals.

Personal health information is also known as protected health information.

Techopedia Explains Personal Health Information (PHI)

The types of information categorized as PHI primarily include sets of medical indicators, such as:

  • Test results
  • Procedure descriptions
  • Diagnoses
  • Personal or family medical histories
  • Data points applied to a set of demographic information for a particular patient

For example, records showing a patient's procedures, lab tests or predisposition to a range of diseases fall under the PHI category. Establishing whether data is PHI can be tricky, because whether HIPAA regulates it depends on how much personal information is actually connected to the identity of a patient. In many cases, medical information that cannot be tied to a patient may not constitute PHI and may not be protected under HIPAA.

The designation, use and protection of PHI relates to many issues in the modern world of medicine. In the years immediately following the enactment of HIPAA, PHI was primarily regulated in the context of businesses, like medical providers and health insurance companies. Recent HIPAA regulation changes mean that other kinds of businesses are now scrutinized for their handling of PHI. The U.S. Department of Health and Human Services (HHS) refers to these entities as "business associates", which may include:

  • Cloud computing service providers
  • Vendor software suppliers
  • Third-party marketing businesses
  • Any other business with PHI access

The question of what PHI stands for is usually answered by a reference to the Health Insurance Portability and Accountability Act (HIPAA). However, the acronym PHI – which stands for Protected Health Information – does not appear in HIPAA in either its short form or its long form.

In fact – in the context of HIPAA – the first references to PHI were not made until some years later, when the proposed Privacy Rule was published. The proposed Privacy Rule interchangeably used the terms “Protected Health Information” and “Individually Identifiable Health Information”, and the definition of PHI eventually settled as the protection of individually identifiable health information.

Covered Entities and Business Associates subject to the HIPAA regulations must implement reasonable and appropriate measures to safeguard the privacy of PHI and ensure it is not disclosed without authorization (from an individual) other than for disclosures permitted by the HIPAA Privacy Rule. This also applies to the subset of electronic PHI (ePHI) covered by the HIPAA Security Rule.

What Information is Protected by the HIPAA Privacy Rule

The Department of Health and Human Services (HHS – the agency that enforces HIPAA via its Office for Civil Rights) does not elaborate on what specific information is protected by the HIPAA Privacy Rule. Instead, it relies on Covered Entities and Business Associates to assess what information should be protected if it relates to:

  • An individual's past, present, or future physical or mental health or condition,
  • The provision of health care to the individual, or
  • The past, present, or future payment for the provision of healthcare to the individual.

HHS does state that individually identifiable health information should be protected "when there is a reasonable basis it can be used to identify the individual". Beyond suggesting identifiers such as name, address, birth date, and Social Security number – and noting that this information should be protected in electronic, paper, and oral formats – HHS does not offer specific guidance.

Consequently, compliance experts have suggested that the eighteen identifiers listed in the safe harbor de-identification standard (§164.514) should be used as a guide. This standard applies not only to identifiers that can identify an individual, but also to those that can identify a relative, employer, or household member when the identifiers are maintained in the same record set:

  1. Names
  2. All geographic subdivisions smaller than a State
  3. All elements of dates (except year) for dates directly related to an individual.
  4. Telephone numbers
  5. Fax numbers
  6. Electronic mail (email) addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code
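As an added illustration (not part of the original article, and not an official HHS tool), the following Python sketch applies the safe-harbor list above to a constructed patient record: direct identifiers and sub-state geography are dropped, dates are reduced to the year, free text is scanned for the traces an SSN, phone number, email, IP address or URL leave behind, and a check function reports what would still make the record PHI. It also illustrates the "anonymization" point in the FAQ further down. The field names, patterns and sample data are assumptions for the example.

```python
import re
from datetime import date

# Field names are constructed for this example; real record schemas differ.
DIRECT_FIELDS = {"name", "phone", "fax", "email", "ssn", "mrn", "plan_id", "account",
                 "license", "plate", "device_serial", "url", "ip", "biometric", "photo"}
GEO_FIELDS = {"street", "city", "county", "zip"}   # item 2: anything below state
DATE_FIELDS = {"dob", "admitted", "discharged"}    # item 3: keep only the year

# Identifiers that commonly leak into free text (items 4, 6, 7, 14, 15).
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
}

def scrub_text(text):
    """Replace free-text identifiers with a tag naming what was removed."""
    for tag, pattern in TEXT_PATTERNS.items():
        text = pattern.sub(f"[{tag.upper()} REMOVED]", text)
    return text

def deidentify(record):
    """Return a copy of the record with the safe-harbor identifiers removed."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_FIELDS or field in GEO_FIELDS:
            continue                                  # drop the field outright
        if field in DATE_FIELDS and isinstance(value, date):
            out[field] = value.year
        else:
            out[field] = scrub_text(value) if isinstance(value, str) else value
    return out

def remaining_identifiers(record):
    """List the fields and free-text hits that still make a record PHI."""
    hits = [f for f in record if f in DIRECT_FIELDS | GEO_FIELDS]
    for field, value in record.items():
        if isinstance(value, str):
            hits += [f"{field}:{tag}" for tag, p in TEXT_PATTERNS.items() if p.search(value)]
    return hits

# Constructed sample record (fictional data).
SAMPLE = {"name": "Jane Smith", "ssn": "123-45-6789", "dob": date(1975, 3, 14),
          "city": "Springfield", "state": "IL", "zip": "62701", "admitted": date(2023, 11, 2),
          "diagnosis": "Type 2 diabetes",
          "notes": "Call patient at 217-555-0123 or jane@example.com about lab results."}
```

Running `remaining_identifiers(deidentify(SAMPLE))` returns an empty list, while the same check on `SAMPLE` flags the name, SSN, city, zip and the phone number and email embedded in the notes; regex scrubbing of free text is a useful floor, not a substitute for expert review under the other de-identification method the standard allows.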

The Disclosures of PHI Permitted by the HIPAA Privacy Rule

There are three types of disclosures permitted by the HIPAA Privacy Rule – required, permitted, and requiring authorization. Required disclosures are those required when an individual exercises their rights to access, correct or transfer PHI, or to request an accounting of disclosures. Covered Entities are also required to disclose PHI to inspectors from the Office for Civil Rights during an audit or review.

Permitted disclosures of PHI include disclosures for treatment, payment, or health care operations, and when a disclosure is for public health or benefit activities. Public health or benefit activities can include disclosures to law enforcement, reports of neglect or abuse, to comply with workers' compensation laws, or when the disclosure is in response to a subpoena or other lawful process.

All other disclosures of PHI require authorization from the patient. In most circumstances, a written authorization must be obtained, documented, and retained. However, the Privacy Rule allows for informal consent for uses such as inclusion in a hospital directory, or – if a patient is unable to give their informal consent – a Covered Entity can use their professional judgement to assume consent if the use or disclosure of PHI is considered to be in the best interests of the patient.

The Importance of Understanding What PHI Stands For

The reason why it is important to understand what PHI stands for is that a "Minimum Necessary Standard" exists in the Privacy Rule. This Standard stipulates that only the minimum amount of PHI needed to accomplish the intended purpose should be disclosed. Failure to comply with this Standard is one of the most common reasons for patient complaints to HHS' Office for Civil Rights.

After receiving a patient complaint, HHS' Office for Civil Rights will investigate and may require the Covered Entity to review its policies and procedures or comply with a corrective action plan. In extreme cases where the Covered Entity is a repeat offender that has failed to correct previous violations, HHS' Office for Civil Rights can impose a civil monetary penalty.

Although in most cases Covered Entities will not be fined for violations of the Minimum Necessary Standard, reviewing policies and procedures (and retraining workforces after a material change) and complying with a corrective action plan incur indirect costs and disrupt operations. For this reason, it is important to train workforces on what PHI stands for and when its use or disclosure is permitted under the HIPAA Privacy Rule.

PHI: FAQ

What is the difference between Protected Health Information and Personally Identifiable Information?

Protected Health Information has a specific meaning under HIPAA. It is any medical information that contains one of 18 HIPAA identifiers and is used in the payment for healthcare or other healthcare-related operations. PHI is a subset of Personally Identifiable Information (PII), which is any sensitive information that can be used to identify an individual. PII becomes PHI if it relates to a patient’s health status, if it is used in healthcare operations, or if it is created, maintained, or transmitted by a Covered Entity.

What is the difference between PHI and ePHI?

Electronic PHI (ePHI) is simply any PHI that has been created, stored, or transmitted electronically. It is subject to the same protections as PHI. ePHI is specifically protected under the HIPAA Security Rule.

Is “Jane Smith” considered to be PHI?

Yes, even generic names that are shared by thousands of individuals are considered to be PHI. This is because, even if a name is a common name, it can still be used to identify an individual. Additionally, it would be impractical for HIPAA to distinguish between “scales” of identifiability of PHI. The frequency of names changes through time and between different locations, so having different lists and applying different protections would be too difficult.

What is “anonymization”?

If PHI is stripped of the 18 identifiers that can be used to trace the identity of the patient, it is no longer considered to be PHI.

What is considered to be “future” health information?

Future health information can include treatment plans and prognoses. This is considered to be sensitive information as it could be used to discriminate against a patient in terms of their employment prospects, amongst other things.

What are the 3 types of PHI?

Examples of PHI include:

  • Addresses – in particular, anything more specific than state, including street address, city, county, precinct, and in most cases zip code, and their equivalent geocodes.
  • Dates – including birth, discharge, admittance, and death dates.
  • Biometric identifiers – including finger and voice prints.

What does PHI stand for in mental health?

HIPAA permits health care providers to disclose to other health providers any protected health information (PHI) contained in the medical record about an individual for treatment, case management, and coordination of care and, with few exceptions, treats mental health information the same as other health information.

What class does PHI stand for?

Personal information. Personal information is, as the name suggests, information identifying the individual patient. Eight types of personal information fall under PHI, so you should keep these details safe when giving care; examples include names and Social Security numbers.

What does PHI stand for in HR?

Ensuring the privacy of protected health information (PHI) isn't a top priority for many HR departments. They have so many other pressing concerns—such as attracting and retaining talent, managing disciplinary issues, and controlling costs—that maintaining security around employees' PHI often plays second fiddle.