Personal health information, or PHI for short, is the broad term used to encompass all health-related information that can be used to accurately identify an individual. You can use your imagination, but Table 1 below shows several different instances of what PHI can be.
| Names (First, Middle, Last) | SSN | Email Address | Physical Address | Health Insurance Account Numbers/Details |
| Medical History | Pictures of the Individual | Health Plan Numbers | Lab Tests | Driver's License Numbers |
| Birth Dates (except when only the year is present) | IP Addresses | Biometric Identifiers (voice, fingerprints, retinal) | Telephone Numbers | Vehicle IDs (License Plates) |
| Any other unique code | FAX numbers | Website URLs | Certificate number(s) | Device identifiers and serial numbers |
As you can see, these aren’t lumped into any specific category. That’s because once they’re all connected, they can uniquely identify an individual. However, not all of these categories need to have a value in order to identify the individual. In some cases, we may only need their name and physical address to uniquely identify them. But sometimes, we may only have their IP address and lab test results. The latter would be much more difficult to use to identify an individual, but it is still considered PHI under the HIPAA Rule because of the potential, when combined with other data, to identify an individual if it fell into the wrong hands.
Essentially, anything related to your personal information and health can be lumped into one of the categories we see above. However, revealing these instances wouldn’t be a violation if done by a non-CE, that is, anyone not considered a covered entity. An example of personal health information would be my resting heart rate (RHR) or heart rate variance (HRV). My favorite fitness tracker is the WHOOP band, which tells you both of these numbers daily. My RHR is the rate at which my heart beats while my body is in a state of “rest,” or when I am asleep and in a comfortable state. My HRV is the variance of my heart rate. If I told you these numbers, this would not be a HIPAA violation. If WHOOP told you these numbers, it would not be a violation. If my hospital told you these numbers, it would be a violation of HIPAA.
Based on the example above, it’s important to know that an employer asking for proof of your COVID-19 vaccination is NOT a HIPAA violation. This is no different than a university requiring proof of vaccines for measles, mumps, or COVID-19. Your employer asking if you received a vaccine is not a violation. They do not intend to share that information with others and must properly secure it to adhere to the HIPAA Security Rule. I can’t stress this enough: THIS IS NOT A VIOLATION!
RECENT REPORTED PHI BREACHES
5/26/2021 – LogicGate identified a security incident that potentially exposed the PHI of 47,035 individuals. This was caused by an unauthorized individual using stolen credentials to access the AWS cloud storage servers. The attacker decrypted the files and was able to view the customer data.
6/2/2021 – Temple University Hospital, Inc. experienced a breach involving unauthorized access and disclosure of information. This affected the PHI of 16,356 individuals.
5/28/2021 – Lafourche Medical Group experienced a breach, via email, in which the PHI of 34,862 individuals was exposed. This was the result of a hacking incident in which no business associate was involved; the company itself was the victim of the hack.
5/26/2021 – Aetna ACE experienced a breach in which 562 individuals were affected. Unauthorized access to hard copies of information allowed for the information to be inappropriately disclosed, in violation of HIPAA.
The above breaches show that no matter how large your company or how small the loss of information is, if you’re a covered entity or a business associate, you’re on the hook for anything that happens in your company.
SHORT RECAP
Any information that can uniquely identify you from other people falls under the umbrella of PHI. Anything listed in the table above is a category of PHI. And occasionally, the definitions will be updated to stay current. So don’t fall behind! One of the best sources of information is the HIPAA Journal if you want to know more!
We will go over the details around Covered Entities, Business Associates, and Hybrid Entities in another letter!
These are my thoughts and should not be taken as professional advice simply because you are not paying me for my opinion.