What is Personal Health Information (PHI)?

Personal health information (PHI) is a form of personally identifiable information (PII). It’s any information that can be used to identify an individual that’s stored as part of their healthcare or insurance records. It’s such a critical term because the disclosure of such information to unauthorized parties could cause harm to the individual. In turn, this can greatly damage the reputation of any organization that has failed to adequately protect the person’s data.

Fully understanding the importance of protecting every individual’s health information can help healthcare organizations remain compliant and foster better patient relationships. 

Personal Vs. Protected Health Information

While some organizations may use the terms interchangeably, there are some differences between personal health information and protected health information. It’s critical that healthcare organizations understand these differences. Without this knowledge, it’s possible to inadvertently become non-compliant with data protection regulations by storing or utilizing patient details incorrectly.

Personal health information can include any aspect of data that could be used to identify that individual. However, it may only be indirectly related to their health records. For example, a person’s date of birth doesn’t necessarily impact the care they receive. However, it is a protected piece of information that could be used to identify them. Therefore, it falls under the umbrella of personal health information and requires the necessary security protocols.

How HIPAA Relates to Personal Health Information

HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. It was put in place to prevent patient health information from being disclosed to unauthorized individuals or organizations. The HIPAA Privacy Rule is the primary means by which HIPAA's protections are put into practice. Its full title is the Standards for Privacy of Individually Identifiable Health Information, and it details how organizations should limit the use and disclosure of patient data to the minimum necessary.

HIPAA only applies to covered entities, meaning organizations and healthcare providers that handle patient information. So HIPAA wouldn't apply to a landlord or automotive insurance provider in most cases, but a dentist or health plan provider would be bound by the HIPAA privacy rules.

Covered entities include, but aren’t limited to:

  • Individual and group healthcare plan providers

  • Healthcare clearinghouses that transform data into different formats, for example, billing services and community health management systems

  • Healthcare providers of all sizes and types

  • Business associates and partners of healthcare-related organizations, such as third-party accountants or advisors

For organizations unsure whether they need to adhere to the HIPAA Privacy Rule, there's an official .gov checker on the CMS website.

What Are Examples of Personal Health Information?

In order to adhere to the privacy rules surrounding personal health information, you need to understand what falls under that umbrella. Data from personal and medical records may be classed as PHI, particularly if it falls under one of these categories:

  • Names, addresses, and pertinent dates such as birth dates or procedure dates

  • Contact details including phone numbers, email addresses, and fax numbers

  • Social security numbers and Medicare beneficiary identifiers

  • Medical record numbers

  • Account numbers and serial numbers

  • License or certificate numbers

  • IP addresses

  • Photographs with identifying characteristics

  • Biometric identifiers of any type, including voiceprints and fingerprints

Any other data that can be used to identify the individual in question can also be covered by HIPAA rules. Breaches are dealt with on a case-by-case basis to determine the nature of the violation and possible consequences. One example of a breach is a medical professional opening medical records they don't need access to for personal reasons, for example to see the medical history of a relative.

Others could include incorrectly disposing of records, storing data without adequate security measures, or allowing medical personnel to access patient data from unverified devices, such as personal smartphones. Failing to log important information, such as a newly diagnosed medical condition or test results, could also constitute a misuse of PHI. 
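The breach examples above (a clinician opening a record with no care relationship, possibly a relative's, and access from an unverified device) are the kind of thing an EHR audit-log review can surface. The following is an added illustration, not TempDev's or NextGen's code; the log format, the care-team table and the managed-device list are constructed assumptions.

```python
import csv
import io

# Constructed sample audit log (hypothetical column layout) and lookup tables.
AUDIT_LOG = """\
ts,user,user_surname,patient_mrn,patient_surname,device_id,action
2024-03-01T08:02:11,jdoe,Doe,MRN-1001,Smith,WS-017,view
2024-03-01T08:15:40,jdoe,Doe,MRN-1042,Doe,WS-017,view
2024-03-01T09:30:05,akhan,Khan,MRN-1001,Smith,PHONE-77,view
2024-03-01T10:11:52,akhan,Khan,MRN-1007,Lee,WS-003,view
"""
# Which users have a treatment relationship with each record (assumed).
CARE_TEAM = {"MRN-1001": {"jdoe", "akhan"}, "MRN-1042": {"akhan"}, "MRN-1007": {"akhan"}}
# Devices enrolled in the organization's device management (assumed).
MANAGED_DEVICES = {"WS-017", "WS-003"}


def review_access(log_text, care_team, managed_devices):
    """Return (timestamp, user, mrn, reasons) for every access worth a privacy review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        # Minimum necessary: no care-team relationship means no need to open the record.
        if row["user"] not in care_team.get(row["patient_mrn"], set()):
            reasons.append("no care-team relationship")
        # Heuristic for looking up a relative; expect false positives on common surnames.
        if row["user_surname"].lower() == row["patient_surname"].lower():
            reasons.append("user and patient share a surname (possible relative)")
        # Access from a device not under organizational control (e.g. personal phone).
        if row["device_id"] not in managed_devices:
            reasons.append("access from unmanaged device")
        if reasons:
            findings.append((row["ts"], row["user"], row["patient_mrn"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, mrn, reasons in review_access(AUDIT_LOG, CARE_TEAM, MANAGED_DEVICES):
        print(f"{ts} {user} -> {mrn}: {'; '.join(reasons)}")
```

Each finding is a candidate for review rather than a confirmed violation; break-the-glass emergency access and shared surnames both need a human to decide.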

The Importance of Protecting Personal Health Information

There are significant fines for organizations that fail to protect patient data. Over 374,321 HIPAA complaints have been logged with the HHS (U.S. Department of Health and Human Services) since the Privacy Rule was introduced in 2003. Financial penalties or settlements for these total over $144 million. Entities found liable for these fines included hospitals, small medical offices, health plan providers, medical centers, and national pharmacy chains.

As well as being financially detrimental, being found guilty of HIPAA violations can seriously damage an organization's reputation. Members of a community will likely avoid a local healthcare provider if they believe their data is not safe there. Effective healthcare operations and processes are essential to avoid inadvertent unauthorized access to personal details.

Primarily, though, the most important reason to keep details safe is for patient safety, well-being, and privacy. Digitally stored data in electronic health records (EHR) systems is at risk from hackers — a threat that’s increasing all the time. Organizations that fail to adequately secure their EHRs could put their patients’ data at risk of theft. Cybercriminals may threaten to share highly personal information if not paid off in digital currency. 

Common Uses of Personal Health Information

The use of names, addresses, and other personally identifiable information makes it quick and easy to access patient records. Accurate contact details ensure that patients can be kept up-to-date about their upcoming procedure or ongoing treatment plans.

Someone’s personal health information begins at birth, when the details of a newborn baby are entered into a hospital or clinic’s healthcare system. From this point onward, in a working system, all additional new and relevant data should be added to the same record or associated records. That data should then be easily accessible by authorized personnel, but impossible to access for anyone else.

Throughout an individual’s life, their health data may change frequently. Names, addresses, and contact details are common changes. Personal information is stored alongside the medical history and status of the patient. These will also change, with some people developing conditions, for example, diabetes. Others may overcome diseases like cancer. New diagnoses and treatment plans should all be recorded accurately. Mental health conditions will also appear here. All these aspects of healthcare data help ensure patient safety and well-being by allowing the next healthcare professional to give the best advice. 

PHI vs. ePHI

PHI can be stored in any format, from physical paper records to cloud-based folders. The term ePHI stands for electronic personal health information and refers solely to digitally stored data. While there may be concerns about the rise of cybercrime and data theft, ePHI is generally more secure, easier to transmit, and more accessible to patients. 

The HIPAA Privacy and Security Rules include provisions to ensure patients have access to their data. Keeping everything in physical format only makes this challenging. Conversely, ePHI systems, whether an insurance provider's records or a hospital's EHR system, can offer a secure portal or app that lets patients access their data securely.

How TempDev Helps You Protect Patient Information

TempDev’s team of experienced developers, trainers, and consultants is on hand to help you ensure your EHR is up to the task of protecting PHI, while remaining accessible to patients as needed. With the right support for your NextGen systems, we can empower you and your patients to have better control over personal health information. 

Discover templates and streamlined processes for collating and storing patient information, plus the resources and tools necessary to ensure HIPAA compliance across all your systems and dashboards. 

Contact us here or by calling us at 888.TEMP.DEV to find out more about how we can help you understand the right safeguards for PHI while optimizing your clinical workflows and improving patient care.