Personal health information (PHI), also referred to as protected health information, generally refers to demographic information, medical history, test and laboratory results, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care.
Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the revisions to HIPAA made by the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, covered entities -- which include healthcare providers, insurers and their business associates -- are limited in the types of PHI they can collect from individuals, share with other organizations or use in marketing. In addition, organizations must provide protected health information to patients on request -- preferably in an electronic PHI format.
Organizations cannot sell PHI unless it is for public health activities, research, treatment, services rendered or the merger or acquisition of a HIPAA-covered entity. HIPAA also gives individuals the right to make written requests to amend PHI that a covered entity maintains.
Partners or business associates of healthcare providers that sign HIPAA business associate agreements are legally bound to handle patient data in a way that satisfies the HIPAA Privacy and Security Rules. Business associates, as well as covered entities, are subject to HIPAA audits, conducted by the U.S. Department of Health and Human Services' Office for Civil Rights (OCR).
HIPAA's rules for protected health information initially applied mostly to paper records. Since the passage of the HITECH Act and healthcare providers' subsequent adoption of electronic health records (EHRs) and other modern health IT systems, providers have moved most PHI from paper to electronic formats, so HIPAA now increasingly governs electronically stored patient data. While the HIPAA rules regulate paper and electronic data equally, there are practical differences between the two formats.
First, a covered entity has a 30-day period in which to respond to a patient's request for access to their data, a timeframe that was originally set to accommodate the transmission of paper records. The disposal methods for PHI also differ between electronic and paper records. Paper files can be shredded or otherwise made unreadable and impossible to reconstruct. Electronic PHI should be cleared or purged from the system in which it was previously held.