What is considered protected health information (PHI)?

A study¹ conducted by researchers from Michigan State University and Johns Hopkins University found that the leading cause of personal health information getting leaked isn’t hackers—it’s poor security and negligence from individuals authorized to have it.

This startling finding emphasizes the importance of keeping protected health information (PHI) under strict lock and key—not just for healthcare providers but for employers, too. This is especially true if you have a hand in your employees’ healthcare benefits, like if you reimburse your employees’ medical expenses through a health reimbursement arrangement (HRA).

But how do you know which of your employees’ health information needs protecting, and how do you keep it safe? This article will explain what PHI is and how to stay compliant.

Learn more about health reimbursement arrangements in our complete guide

What is protected health information (PHI)?

Protected health information (PHI) is the demographic information, medical histories, laboratory results, physical and electronic health records, mental health conditions, insurance information, and other data that a healthcare professional collects to identify an individual and determine appropriate care.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides federal protections for PHI. It outlines regulations for keeping individuals’ PHI safe and undisclosed to those not authorized to view it.

Any “personally identifiable health information” is protected by the HIPAA Privacy Rule² and is considered PHI.

If health data includes any of the following identifiable information, it’s considered PHI:

• Names
• Birth dates and healthcare service dates (aside from the year)
• Telephone numbers
• Geographic data other than the state they reside in, such as the street address, city, county, or zip code
• FAX numbers
• Social Security numbers
• Email addresses
• Medical record numbers
• Account numbers
• Health plan beneficiary numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plates
• Web URLs and IP addresses
• Device identifiers and serial numbers
• Internet protocol addresses
• Full-face photos and comparable images
• Biometric identifiers (i.e., retinal scan, fingerprints)
• Any unique identifying number or code

It’s important to note that PHI applies to all covered entities' past, present, and future health status information. It also applies to any form the information takes.

For example, when PHI is transferred, received, or saved in an electronic record, such as in an email, digital file, or on a computer, that’s called ePHI. All the HIPAA Privacy Rules still apply no matter what medium hosts the information.

What isn’t considered protected health information?

Many people think all personal health histories and related information is considered PHI under HIPAA, but some exceptions exist.

PHI is determined based on who records the information. For example, mobile health trackers—whether they be wearable devices or mobile apps on electronic devices—can record health information with common identifiers, such as heart rate or blood pressure.

However, this data would only be considered PHI under HIPAA if a healthcare provider records information or a health plan uses it. If the device manufacturer or health app developer doesn’t have a business associate agreement with a HIPAA-covered entity, the data recorded isn’t considered PHI.

Additionally, data isn’t PHI if it’s stripped of all personal identifiers that can tie the data back to an individual. If the identifiers are removed, the health information is referred to as de-identified PHI, and HIPAA Rules no longer apply.

How is protected health information used?

Most commonly, PHI is used to track medical information during a patient's life, so physicians have the background needed to understand a person's medical condition and administer proper patient care.

Clinicians and research scientists also use PHI to study healthcare trends. Anonymized PHI also creates value-based care programs that reward providers for providing quality healthcare services.

HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 limit the types of PHI healthcare providers, health insurance companies, and the business associates they work with can collect from people.

Those regulations also limit what those companies can do with the data they receive, like how they can share it, so that patient privacy is kept secret.

Who is subject to HIPAA’s rules about protected health information?

The HIPAA Privacy Rule applies to any HIPAA-covered entity, including medical providers, insurers, and healthcare clearinghouses. However, these rules also apply to employers if they operate in one or more of those capacities, such as administering a health benefit like an HRA.

HIPAA defines and limits the circumstances in which covered entities may use or disclose an individual’s PHI. An employer can’t use or disclose PHI except as the Privacy Rule permits or requires or as the individual who is the subject of the information (or the individual’s representative) authorizes it in writing.

What happens if protected health information gets leaked?

There are many ways for PHI to end up in the wrong hands. For example, a leak can happen if devices storing PHI are lost or stolen. Hackers and cybercriminals are interested in PHI because it contains personal and identifiable health information.

Another way a leak could occur would be if someone at your organization accidentally disclosed an employee’s PHI to an entity without proper approval. Even something as simple as forgetting to shred documents can lead to a breach.

If any of the above happens, your organization can have hefty consequences. The penalties for HIPAA noncompliance fines can range from $100 to $50,000 per individual violation, depending on the severity of the perceived level of negligence.

If the situation is severe, some violations can even result in jail time for the ones responsible for the information getting out.

How do I keep my employees’ protected health information safe?

Even though your organization may not be a healthcare operation, you need to take PHI seriously as an employer. If you’re offering a health benefit like an HRA, it’s your responsibility to keep any of your employees’ PHI safe so that it’s not shared or viewed by those who aren’t authorized to see it.

Here are just a few ways to keep your employees’ PHI secure:

• Adopt written PHI patient privacy procedures
• Implement administrative safeguards by designating a privacy officer
• Offer training to all of your employees in privacy rule requirements
• Ensure any electronic health records and hard drives are encrypted and protected by passwords as technical safeguards to prevent a breach
• Implement best practices so that PHI is never used for making employment or benefits decisions, marketing, or fundraising

What if I offer a health stipend?

Some employers choose to offer a health stipend in lieu of another type of health benefit. With a health stipend, you give your employees a fixed amount of money to purchase insurance and other healthcare services.

You typically add monthly contributions to your employees’ paychecks as wages. Because the money is considered extra income, it’s taxable at the end of the year.

With a health stipend, your employees cannot be required to submit documentation of what they used their stipend on directly to you. You simply provide the stipend, and they’re free to spend the funds on whatever they choose. Therefore, your employees’ PHI will be safe from prying eyes if you offer a health stipend.

Conclusion

By understanding what PHI is and how to keep it protected, you can avoid hefty penalties for compliance violations. While staying on top of patient privacy rules and compliance regulations within the healthcare industry can seem daunting, but you don’t have to go it alone.

PeopleKeep’s benefits automation software and award-winning customer support team help thousands of organizations nationwide administer their HRAs compliantly with both state and federal regulations every day.

This article was originally published on September 23, 2021. It was last updated on March 13, 2023.

1. https://www.hcinnovationgroup.com/cybersecurity/news/13030905/study-internal-negligence-not-hackers-responsible-for-half-of-data-breaches
2. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html