Protected health information (PHI), also referred to as personal health information, generally refers to demographic information, medical histories, test and laboratory results, mental health conditions, insurance information, and other data that a healthcare professional collects to identify an individual and determine appropriate care.
Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and revisions to HIPAA made in 2009's Health Information Technology for Economic and Clinical Health (HITECH) Act, covered entities -- which include healthcare providers, insurers and their business associates -- are limited in the types of PHI they can collect from individuals, share with other organizations or use in marketing. In addition, organizations must provide protected health information to patients if requested -- preferably in an electronic PHI format.
PHI is a commodity, too. Beyond its use to patients and health professionals, it is also valuable to clinical and scientific researchers when anonymized. For hackers, PHI is a treasure trove of personal consumer information that, when stolen, can be sold elsewhere or even held hostage through ransomware until the victimized healthcare organization sends a payoff.
How personal health information is used
By its very nature, healthcare deals with sensitive details about a patient, including birthdate, medical conditions and health insurance claims. Whether in paper-based records or an electronic health record (EHR) system, PHI explains a patient's medical history, including ailments, various treatments and outcomes.
From the first moments after birth, a baby today will likely have PHI entered into an EHR, including weight, length, body temperature and any complications during delivery. Tracking this type of medical information during a patient's life offers clinicians context to a person's health, which can aid in treatment decisions.
In the bigger picture, PHI can be stripped of identifying features and added anonymously to large databases of patient information. Such de-identified data can contribute to population health management efforts and value-based care programs.
Rules and regulations
HIPAA is the primary law that oversees the use of, access to and disclosure of PHI in the U.S. HIPAA also regulates who must adhere to these rules.
Organizations cannot sell PHI unless it is for public health activities, research, treatment, services rendered, or the merger or acquisition of a HIPAA-covered entity. HIPAA also gives individuals the right to make written requests to amend PHI that a covered entity maintains.
Partners or business associates of healthcare providers that sign HIPAA business associate agreements are legally bound to handle patient data in a way that satisfies the HIPAA Privacy and Security Rules. Business associates, as well as covered entities, are subject to HIPAA audits, conducted by the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR).
Health authorities originally intended for protected health information to apply to paper records. Since the passage of the HITECH Act and healthcare providers' subsequent implementations of EHRs and other modern health IT systems, HIPAA has increasingly governed electronically stored patient data because providers transitioned PHI from paper to electronic formats. While the HIPAA rules regulate paper and electronic data equally, there are differences between the two formats.
First, patients who submit a request for access to their data must have that request answered by a covered entity within the 30-day period, a timeframe that was created to accommodate the transmission of paper records. The disposal methods of PHI also vary between electronic and paper records. Paper files can be shredded or otherwise made unreadable and unable to be reconstructed. Electronic PHI should be cleared or purged from the system in which it was previously held.
Privacy and security standards
HIPAA splits PHI specifications among its Privacy and Security Rules. The privacy regulations govern how hospitals, ambulatory care centers, long-term care facilities and other healthcare settings use and share PHI. Meanwhile, the security provisions cover measures, including software, that restrict unauthorized access to PHI.
When it comes to PHI, CIO John Halamka advises: 'Give up on privacy.'
Covered entities must evaluate IT capabilities and the likelihood of a PHI security risk, but the types of technology aren't specified. Such actions would include steps to thwart hackers and malware from gaining access to patient data.
The new data privacy law in the European Union, known as the General Data Protection Regulation (GDPR), affects PHI on a wide scale. GDPR generally applies to health data, including genetics, so healthcare organizations that treat EU patients will need to be cognizant of GDPR's regulations about patient consent to process PHI.
Also, in March 2018, the Trump administration announced a new program called MyHealthEData, in which the government promotes the idea that patients should have access to their PHI and that such data should remain secure and private. The underlying point of MyHealthEData is to encourage healthcare organizations to pursue interoperability of health data as a way of allowing patients more access to their records.
A sometime-misinterpreted situation is that PHI privacy and security do not always move in tandem. While privacy under HIPAA necessitates security measures, it is possible to have security restrictions in place that do not fully protect privacy under HIPAA mandates, attorneys have noted. For example, if a cloud vendor hosts encrypted PHI for an ambulatory clinic, privacy could still be a liability if the vendor is not part of a business associate agreement. Under HIPAA, the vendor is responsible for the integrity of the hosted PHI, not just its security.
Also, PHI should not be confused with a personal health record (PHR), which a patient maintains and updates using services such as Microsoft HealthVault or Apple Health. PHR is generally overseen by patients themselves and, in terms of security, is akin to consumers guarding their own personal information, similar to credit card numbers. However, the lines between PHR and PHI will blur in the future as more digital medical records are accessed and shared by patients.