Top Menu

HIPAA Security Reminder of the Week

What is PHI?

PHI is individually identifiable health information which is created or received by a health care provider, health plan, or health care clearinghouse. Such information relates to the past, present or future physical health, mental health or condition of an individual AND can be directly tied to an individual. PHI either identifies or could be used to identify the individual and has been transmitted or maintained in any form or medium (electronic, paper or oral).

What is the data that could be PHI? The regulations define 18 fields that can be used to identify individuals:

  1. Names
  2. Geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and equivalent geocodes
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89.
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locator (URL)
  15. Biometric identifiers, including finger or voice prints
  16. Full face photographic images and any comparable images
  17. IP address
  18. Any other unique identifying number characteristic or code

Action items the Information Security Officer must take:

  • Identify all the PHI and “where it lives” in the organization.
  • Identify all the PHI and “where it lives” outside of the organization.
  • Create an inventory of all information assets that create, receive, maintain or transmit PHI.
  • Complete a thorough, bona fide risk analysis of all ‘information assets’ to ensure that all threats, vulnerabilities and controls have been considered.