PHI and ePHI are a subset of personally identifiable information (PII) that refers specifically to information processed by HIPAA-covered entities.
Examples of health information include:
- Medical test results
- Prescription or treatment records
- Billing information
- Appointment scheduling information
When health information is combined with a personal identifier, the data becomes PHI.
The Department of Health and Human Services (HHS) lists the 18 HIPAA identifiers:
- Name
- All geographic subdivisions smaller than a state (street address, city, county, zip code)
- Dates, including birthdate, admission date, discharge date, and date of death
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary numbers
- Account number
- Certificate/license number
- Vehicle identifiers and serial numbers, including license plate number
- Device identifiers and serial numbers
- Web URL
- IP address
- Biometric identifiers, including fingerprints and voice
- Full face photo
- Any other unique identifying number, characteristic, or code
This means that not all information an organization acquires is PHI. For example, phone numbers and residential addresses alone are not PHI. They become PHI only when paired with health information about an individual’s condition, the treatment of that condition, or the payment for that treatment, and only when a covered entity transmits or maintains them in any form.
Specific examples of PHI and ePHI include:
- Information your doctors, nurses, and other health care providers put in your medical record.
- Conversations your doctor has about your care or treatment with nurses and others.
- Information about you in your health insurer’s computer system.
- Billing information about you at your clinic.
Importantly, PII collected on a covered entity’s website or app is considered PHI even if the individual has no existing relationship with the entity and the PII includes no specific treatment or billing information. The fact that a covered entity collects such information indicates that the individual has received, or will receive, health care services or benefits from it.