
What Is the Legal Definition of Personal Health Information as It Pertains to HIPAA?

Do you have concerns about the safety of your personal health information? Today, personal privacy has risen to the forefront of many legislative arenas, and the protection of personally identifying information is becoming strictly regulated in many jurisdictions.

The California Consumer Privacy Act now protects all consumers’ unique identifiers. Its goal is to prevent customer profiling and the exploitation of personal data. The healthcare industry has been a leader in the personal data privacy movement.

Healthcare institutions and professionals have practiced patient confidentiality for over 30 years. All medical professionals learn to share patient information only on a need-to-know basis. These rules became formal with the passage of HIPAA.

Continue reading to learn about your rights according to HIPAA.

What Is HIPAA?

Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. This act serves to:

  • Guarantee insurance coverage when you change or lose your job
  • Decrease health care fraud and abuse
  • Establish and enforce standards for handling protected or personal health information (PHI)
  • Protect PHI
  • Ensure that PHI remains confidential

All healthcare providers, organizations, and business associates must follow HIPAA rules. This includes creating and enforcing policies and procedures to keep PHI secure, covering the transfer, receipt, handling, and sharing of PHI.

Organizations should only use the minimum PHI needed to complete business tasks.

Definition of Personal Health Information

The U.S. Department of Health and Human Services defines PHI as all uniquely identifiable health data. This may include:

  • Name
  • Addresses: street, city, county, zip code, and geographic subdivision smaller than a state
  • Specific dates: birth date, admission date, discharge date, death date, and exact age if over 89
  • Identifying numbers: telephone, fax, driver’s license, Social Security, medical record, account, certification, and health plan beneficiary
  • Vehicle identification numbers (VIN), license plate numbers, serial numbers, and device identifiers
  • Internet information: web URLs and IP addresses
  • Biometric data including finger and voice prints
  • Photographs or comparable full-face images
  • Anything that can provide a unique identification via a number, code, or characteristic

This PHI protection applies to all unique identifiers that are:

  • Transmitted via electronic media
  • Stored in electronic media
  • Stored on computers with internal hard drives used at work, at home, or while traveling
  • Stored on portable external hard drives or removable storage devices, including USB drives, CDs, and DVDs
  • Stored on iPods, PDAs, and smartphones
  • Transmitted wirelessly or via modem, DSL, cable, email, or file transfer protocol (FTP)
  • Stored on magnetic tape
  • Transmitted or kept in any other type of medium, including paper or oral communication

There are exclusions to PHI protection. Education records are covered by the Family Educational Rights and Privacy Act (FERPA), not HIPAA. Records of an individual who died more than 50 years ago aren’t protected.

Employment records held by a covered entity also fall under these exemptions. A covered entity is a health plan, a health care clearinghouse, or a healthcare provider.

Covered entities may send health information in an electronic format, but only when completing qualified transactions.

Definition of Individually Identifiable Health Information (IIHI)

IIHI is a subset of health information. A healthcare provider, health plan, or health care clearinghouse may collect demographic data in order to provide health care for an individual.

These providers use physical and mental health histories to create care plans and for billing purposes. They may not use the data for any other purpose.

What Patients Need to Know About Their PHI

HIPAA requires that every patient receives a copy of your privacy policy. Invite patients to ask questions.

Parents need to know that you aren’t always allowed to share all the information with them. One example is a teenager who is pregnant or has a sexually transmitted disease.

HIPAA protects a minor’s privacy over the parent’s right to know. Educate the parents about the HIPAA rules related to their child’s privacy.

Tell patients that their medical information belongs to them. Thus, they may request to have access to their data. They can also determine if other family members may access their PHI.

HIPAA Required Training for Employees

All covered entities and business associates must train employees who work with PHI. This training must include regular training updates.

This means that not every employee will need the same training. Education must address each employee’s level of involvement with patients and their PHI. It’s important that everyone understands that patient information must remain confidential.

Even the housekeeper needs to understand patient confidentiality. Teach them not to discuss patients by name, room number, diagnosis, or other identifiers.

The key HIPAA privacy topics to cover in training include:

  • Identifying PHI
  • The “minimum necessary” rule: information is only shared on a need-to-know basis
  • Rules about disclosure of PHI
  • Importance of maintaining confidentiality
  • Importance of documenting any disclosures
  • Patient rights
  • Patient authorization

Training must always address the consequences of not following HIPAA regulations.

Is Your Business HIPAA Compliant?

Do you own or work in the healthcare industry? Is your business HIPAA compliant? Does the business have patient privacy policies to protect personal health information?

If you answered no to any of these questions, HIPAA Security Suite can help you become compliant. We provide comprehensive risk assessments, tailored documentation, and staff training.

The first step involves a risk assessment. We offer web applications, security and compliance appliances, and IT experts. They check your entire infrastructure to identify compliance issues.

Our Comprehensive HIPAA package provides examples of network configuration diagrams. This can help guide your compliance process. You will also receive sample policies addressing security, disaster, and privacy.

Your employee training is easily accomplished using our interactive online training modules. These courses cover the HIPAA laws, the definitions of PHI, and how to handle PHI. Managers can review the dashboard to track and document employee training.

Explore our Solutions Page today to learn more about the HIPAA Security Suite.


HIPAA Security Reminders

HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: Implement a security awareness and training program for all members of its workforce (including management).

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
