HIPAA

What is PHI, and who uses it?

Protected Health Information (PHI) is PPI (Protected Personal Information) with an aspect of healthcare treatment, payment, and healthcare operations (TPO) associated with it.


TPO data includes:

  • the individual’s past, present, or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.

For example, "Mr. Arthur Jones, born 2nd February 1995" is PPI.  "Mr. Arthur Jones, born 2nd February 1995, had surgery in 2015 to repair a broken arm" is PHI.  "Mr. Jones paid for the surgery using his BC/BS account number 123456" is PHI.  The x-ray image of the broken arm, with Mr. Jones's name and social security number on the film, is PHI.

There are 18 elements of PPI which, if connected with TPO data, should be considered as PHI:

  • Names
  • All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census, the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; if that unit contains fewer than 20,000 people, the first three digits are changed to 000.
  • Dates (other than year) directly related to an individual.
  • Phone numbers.
  • Fax numbers.
  • Email addresses.
  • Social security numbers.
  • Medical record numbers.
  • Health plan beneficiary numbers.
  • Account numbers.
  • Certificate or license numbers.
  • Vehicle identifiers and serial numbers, including license plates.
  • Device identifiers and serial numbers. (Laptops, cell phones etc.)
  • Uniform Resource Locators (URLs)
  • Internet Protocol (IP) addresses.
  • Biometric identifiers.
  • Full face photographic images.
  • Any other unique identifying number, characteristic or code.

De-Identification of PHI

If those 18 identifiers are removed from the dataset, the result is considered de-identified and is no longer PHI.  This removal of identifiers is known as the Safe Harbor method.
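As an added example (not code from the original article), the Safe Harbor rules above can be applied mechanically to a structured record: drop the direct identifiers, keep only the year of any date, and reduce the zip code to its first three digits or to 000. The set of small zip-code areas, the field names and the sample record are constructed for illustration.

```python
import re
from datetime import date

# Constructed for this example: 3-digit zip areas assumed to hold fewer than
# 20,000 people. A real implementation loads the current Census figures.
SMALL_ZIP3 = {"036", "059", "063", "102", "203"}

# Record fields that carry direct Safe Harbor identifiers and are dropped.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "plan_id", "account",
    "license", "vehicle_id", "device_id", "url", "ip", "biometric", "photo",
}

def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or return '000' for small areas."""
    digits = re.sub(r"\D", "", zip_code)[:3]
    if len(digits) < 3 or digits in SMALL_ZIP3:
        return "000"
    return digits

def safe_harbor(record: dict) -> dict:
    """Return a copy of record with Safe Harbor identifiers removed.

    Dates are reduced to the year; only structured fields are handled, so
    free-text notes must be screened separately before release.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key == "zip":
            out[key] = generalize_zip(value)
        elif isinstance(value, date):
            out[key] = value.year
        else:
            out[key] = value
    return out

# Constructed record mirroring the Mr. Jones illustration above.
SAMPLE = {
    "name": "Arthur Jones",
    "dob": date(1995, 2, 2),
    "ssn": "000-00-0000",
    "zip": "03602",
    "surgery_date": date(2015, 6, 14),
    "procedure": "fracture repair, left arm",
    "account": "123456",
}
```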

The second method of de-identification is known as the Expert Determination method.  This requires a person with appropriate knowledge of, and experience with, generally accepted statistical and scientific principles and methods for rendering information not individually identifiable to use those principles and methods to determine the likelihood that an individual could be identified from the data under review.

Use and Disclosure of PHI

An entity or individual that uses or discloses PHI falls into one of the following categories:

Covered Entity

HIPAA-covered entities include health plans, clearinghouses, and certain health care providers as follows:

  • Health Plans. For HIPAA purposes, health plans include:
    • Health insurance companies
    • Health maintenance organizations (HMO)
    • Employer-sponsored health plans
    • Government programs that pay for health care, like Medicare, Medicaid, and military and veterans’ health programs
  • Clearinghouses. Organizations that process nonstandard health information to conform to standards for data content or format, or vice versa, on behalf of other organizations.
  • Providers who submit HIPAA transactions, like claims, electronically are covered. These providers include, but are not limited to:
    • Doctors
    • Clinics
    • Psychologists
    • Dentists
    • Chiropractors
    • Nursing homes
    • Pharmacies

Business Associate

If a covered entity engages a business associate to help carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that:

  • Establishes specifically what the business associate has been engaged to do
  • Requires the business associate to comply with HIPAA

Examples of business associates include:

  • Third-party administrator that assists a health plan with claims processing
  • Consultant that performs utilization reviews for a hospital
  • Health care clearinghouse that translates a claim from a nonstandard format into a standard transaction on behalf of a health care provider, and forwards the processed transaction to a payer
  • Independent medical transcriptionist that provides transcription services to a physician

PHI Summary

All entities that use and disclose PHI are subject to compliance with HIPAA legislation.
