what is protected health information (phi)?

Protected Health Information

In a medical diagnosis, there is a lot of information that is collected about an individual. The details are not only medical-related but also individual-related. This information has to be kept very confidential. However, the medical data collected need to be passed to multiple entities for performing medical research on the community. This information sharing might lead to the medical information being traceable to individuals. The information in the wrong hands can cause a lot of damage to the individual. Hence the medical entities need to be very careful in collecting and storing the data.

There are three categories of information. They are:

Protected Health Information (PHI) is any medical record information used to identify an individual. This information was created, used, or disclosed in providing a health care service, such as a diagnosis or treatment. PHI is the definition used by the Health Insurance Portability and Accountability Act (HIPAA) that defines the patient information type that falls under the laws jurisdiction. Data from the individuals are collected using multiple devices.

Personal Health Information contains information that includes demographic, test results, laboratory results, mental health information. These are a few other types of information that is collected to provide patient care.

Personally Identifiable Information (PII) is referred to as any information that is maintained about an individual. Any one can use the information such as name, Social Security Number(SSN), date and place of birth, mother's maiden name can be used to trace an individual’s identity,

In many situations, Protected Health Information and Personal Health Information are interchangeably used. The PHI is a subset of PII that identifies a person in a medical record if the disease is rare. However, PII is any information that can be used uniquely to identify an individual.

For all healthcare organizations, the protection of patient privacy is of utmost importance. The HIPAA act of 1996 has created national standards to protect sensitive information from being disclosed without the patient consent or knowledge. The US Department of Health and Human Services issued the HIPAA rule standards addressing the disclosure of an individual health information (PHI) governed by the Privacy rule.

There are two types of entities that disclose information to external parties. They are Business associates and Covered Entities. Let us look at what these two are:

Business Associate

A Business Associate is a vendor or a subcontractor that has access to the PHI. A business associate discloses the PHI on behalf of the covered entity. For example, patient data can be shared through data transmission services and data storage services.

Covered Entity

A Covered entity is an entity or a person who provides treatment, payment, and operations in the healthcare sector. The entire gamut of healthcare providers, health plans, and healthcare clearinghouses fall in this category. These also include insurance, doctors, clinics, dentists, nurses, pharmacies, etc.

Now that we know the entities, we will look at the types of data that would be covered under PHI, and that would not be covered.

A few indicative types of data covered under PHI will be as follows:

  • Bills and prescriptions from your doctor
  • Request for a medication to a doctor
  • Scans, Medical reports
  • Medical test reports

The data that will not be covered under PHI will be as follows.

  • Blood sugar and BP levels captured by devices that are without any user name
  • Steps climbed; Calories burnt that need not be transferred to another device that is involved in patient care.

It goes without saying that PHI data will have to be given out to medical researchers and the government for a variety of reasons. Can the data be traced back to the individuals? If yes, it becomes an intrusion of privacy to individuals. We will now discuss how we will be able to mask the PHI data to ensure the privacy of individuals. There are two techniques. They are called Anonymization, Pseudo anonymization.

Anonymization is a technique where all identifying characters are delated.

Pseudo anonymization is a technique where all identifying characters are replaced with a code. We can use specific keys as a replacement. However, the person who knows the key may track the subject.

PHI and PII as defined by GDPR

PHI and PII as defined by GDPR

General Data Protection and Regulation (GDPR) aims to protect the privacy rights of EU citizens and protect their data. GDPR refers to the personal data relating to an identifiable natural person. The first category is called Personally Identifiable Information (PII) and Sensitive Personal Information (SPI).

The first category can be identified directly or indirectly by reference to identifiers such as names, Social Security Numbers (SSN) in the US, Driver license numbers in the UK, Codice Fiscal in Italy, to name a few. There are around 133 jurisdictions around the world that have data privacy laws. One hundred two of them are in jurisdictions outside the European Economic Area (EEA). There are no clear rules in hospitals on disclosing patient medical records for multiple applications in many developing countries.

The second category (SPI) refers to the information that does not identify an individual but is related to an individual and communicates private information. Sometimes, it could potentially harm an individual when made public. This information can be identified using biometric data, genetic information, sexual orientation, etc. The way to protect SPI is to add a data classification program to the overall security programs. What we mean by this is, we have to regulate data across the enterprise and ensure security controls are in place. The data should also be traceable and searchable as required by compliance regulations.

How does Data Breach happen at healthcare entities?

Data Breach in healthcare industry

Let us discuss how data breaches can happen because of the carelessness of employees. This can be Inappropriate conversations, misuse, or negligence in handling emails and hard copies. This could be in leaving the screens visible to the others and also not logging off computers.


To avoid data breaches, we have to ensure proper application and network security. We have to encrypt all the patient data. We have to implement the encryption both at rest as well as in transit. We will also have to ensure that the vendors are correctly handling patient data. We will also need to separate patient information from the available data. Finally, we have to provide on-going employee training to understand the best practices in the workplace.

To conclude, we have to ensure that we de-identify the data using proper standards when sending the data out. This method will ensure that re-identification of the data and tracking it back to an individual is impossible. We will discuss these two topics in the subsequent blogs.




Subscribe to our newsletter and know all that’s happening at Cabot.