What is PHI? Understanding Protected Health Information

Protected Health Information (PHI) is a cornerstone concept within healthcare and research, particularly in the United States. It’s crucial for anyone working with patient data to understand what PHI is, and how to handle it responsibly and legally. This article will delve into the definition of PHI, clarify what it includes and excludes, and outline why it matters, especially in the context of regulations like HIPAA.

Defining Protected Health Information (PHI)

In the realm of healthcare, Protected Health Information (PHI) refers to any data in a medical record or a designated record set that could potentially identify an individual. This information must be created, used, or disclosed during the provision of a health care service, such as when a patient receives a diagnosis or treatment. The Health Insurance Portability and Accountability Act (HIPAA) in the U.S. sets the standard for protecting this sensitive information, especially when it is used in research.

HIPAA regulations recognize the necessity for researchers to access and utilize PHI in certain situations to advance medical knowledge. However, it’s important to note that HIPAA’s stipulations are specifically triggered when research involves the use, creation, or disclosure of PHI that either becomes part of a patient’s medical record or is employed for healthcare operations like treatment, payment processes, or general healthcare administration.

For instance, studies that involve the review of existing medical records to gather research insights, such as retrospective chart reviews, directly deal with PHI. Similarly, research that generates new medical information during the study—for example, in clinical trials assessing new drugs or medical devices, where participant health conditions are diagnosed or monitored—and where this information is intended to be integrated into patient medical records, also falls under PHI regulations. Sponsored clinical trials that are required to submit data to the U.S. Food and Drug Administration (FDA) are a prime example of research involving PHI and therefore are governed by HIPAA rules.

It’s also worth mentioning the specific case of student health records at post-secondary institutions that receive funding from the U.S. Department of Education (DoED). Under the U.S. Family Educational Rights and Privacy Act (FERPA), these records are classified as “education records.” For example, student health records from University Health Services (UHS) and Optometry Clinics are subject to FERPA, while health records of non-students are typically governed by HIPAA.

What Distinguishes PHI from Non-PHI?

It’s important to differentiate PHI from health-related information that, while personally identifiable, does not qualify as PHI under HIPAA. Some research studies might indeed use health-related data that includes personal identifiers like names or addresses. However, this data is not considered PHI if it is not associated with or derived from a healthcare service event (such as treatment, payment, operations, or medical records) and is not intended to be entered into medical records. This type of data is often referred to as “research health information” (RHI).

HIPAA regulations do not extend to RHI that is exclusively maintained in a researcher’s private records. However, it’s critical to remember that even when HIPAA does not apply, other regulations designed to protect human research subjects still remain in effect.

Examples of research that typically use only RHI, and thus are not subject to HIPAA, include:

  • Studies utilizing aggregated data where individual identities are not discernible.
  • Diagnostic tests where the results are not recorded in the patient’s medical record and are not disclosed to the individual being tested.
  • Testing procedures conducted without the use of any PHI identifiers.

Certain types of basic genetic research might also fall into this category, particularly exploratory research aimed at identifying potential genetic markers or promoter control elements, provided it is not tied to clinical diagnosis or treatment. Conversely, genetic testing conducted for the purpose of diagnosing a known disease, or as part of a patient’s treatment and healthcare management, would be categorized as using PHI and would be subject to HIPAA regulations.

Furthermore, health information on its own, without any of the 18 specific identifiers defined by HIPAA, is not considered PHI. For example, a dataset containing only vital signs, without any identifying details, does not constitute protected health information. However, if this dataset of vital signs is linked with medical record numbers or any other identifier from the HIPAA list, the entire dataset immediately becomes PHI and must be protected according to HIPAA standards.

The List of 18 Identifiers Under HIPAA

HIPAA specifies 18 categories of identifiers that, if present in health information, classify it as PHI. These identifiers are:

  1. Names
  2. Geographical subdivisions smaller than a State (street address, city, county, precinct, zip code, geocodes), except for the first three digits of a zip code under specific conditions based on population density.
  3. All elements of dates directly related to an individual (except year), including birth date, admission date, discharge date, date of death; and all ages over 89 and elements of dates indicating such age, unless aggregated to age 90 or older.
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers (finger and voice prints)
  17. Full-face photographic images and comparable images
  18. Any other unique identifying number, characteristic, or code (excluding codes investigators use to anonymize data)

De-identification and the Risk of Re-identification

To protect patient privacy while still enabling valuable research, HIPAA permits the de-identification of PHI. This involves removing all 18 identifiers. However, it’s critical to understand that even after removing these identifiers, data can still be considered PHI if there remains a reasonable basis to believe that the information could be used to identify an individual.

HIPAA’s de-identification standards require more than just removing the 18 identifiers. Any code used to replace identifiers in datasets must not be derived from information related to the individual, and the method for deriving these codes must not be disclosed. For example, using a subject’s initials to code data is not acceptable because initials are directly derived from their name. Furthermore, researchers must not have actual knowledge that the research subject could be re-identified using the remaining information.

In essence, even if all 18 identifiers are removed, if there’s a viable method to re-identify an individual from the remaining data, the information is still treated as PHI and falls under HIPAA regulations. This underscores the complexity of data privacy and the stringent requirements for handling health information in research and healthcare settings. Understanding what constitutes PHI and the rules surrounding its use is paramount for maintaining patient trust and adhering to legal and ethical standards in healthcare and research.
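As an added illustration (not code from the article or any project it cites), the following Python pass applies the rules from the identifier list and the de-identification section above to one record: it drops direct identifiers, keeps only the first three digits of the zip code, reduces dates to years, collapses ages over 89 to “90+” while withholding the birth year that would reveal such an age, and assigns random subject codes instead of initials. The sample record, the reference date and the set of low-population zip prefixes are constructed placeholders, not real data.

```python
import secrets
from datetime import date
# Constructed sample record (not real patient data) and reference date.
RECORD = {
    "name": "Jane Q. Example", "mrn": "MRN-0012345", "zip": "02139",
    "birth_date": date(1931, 5, 17), "admission_date": date(2023, 11, 2),
    "systolic_bp": 128,  # a vital sign on its own is not PHI
}
AS_OF = date(2024, 1, 1)
# Direct identifiers dropped outright (items 1 and 4-17 of the list above).
DROP_FIELDS = {"name", "mrn", "email", "phone", "ssn", "ip_address"}
# ASSUMPTION: placeholder for the published low-population zip3 prefixes that must become "000".
SMALL_ZIP3 = {"036"}

def generalize_zip(zip_code):
    # Item 2: keep only the first three digits, or "000" for sparse areas.
    zip3 = zip_code[:3]
    return "000" if zip3 in SMALL_ZIP3 else zip3

def age_on(birth, as_of):
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))

class Pseudonymizer:
    # Subject codes are random tokens in a separate linkage table, never derived from the subject.
    def __init__(self):
        self._table = {}
    def code_for(self, mrn):
        return self._table.setdefault(mrn, secrets.token_hex(8))

def code_is_acceptable(code, record):
    # Basic check for the rule above: reject initials or any code found inside a record value.
    initials = "".join(w[0] for w in record["name"].split()).upper()
    return code.upper() != initials and all(code not in str(v) for v in record.values())

def deidentify(record, pseudo, as_of):
    out = {"subject_code": pseudo.code_for(record["mrn"])}
    age = age_on(record["birth_date"], as_of)
    # Item 3: dates keep only the year; ages over 89 become "90+" and the birth year is withheld.
    out["age"] = "90+" if age > 89 else age
    out["birth_year"] = None if age > 89 else record["birth_date"].year
    for key, value in record.items():
        if key in DROP_FIELDS or key == "birth_date":
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, date):
            out[key.replace("_date", "_year")] = value.year
        else:
            out[key] = value
    return out
```

Linking a de-identified output back to the linkage table re-creates PHI, so the table must be stored and protected separately from the research dataset.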
