Tools
Protected Health Information
Definition/Introduction
According to the Health Insurance Portability and Accountability Act (HIPAA), protected health information (PHI) is any health information that can identify an individual that is in possession of or transmitted by a "covered entity" or its business associates that relates to a patient's past, present, or future health. This data includes demographic information.[1] It also includes but is not limited to, electronic and paper transmission. The term "covered entity" refers to, but is not limited to, healthcare providers, insurance companies, and hospitals.[2][3] PHI includes demographic identifiers in medical records, such as names, phone numbers, and emails, as well as biometric information, such as fingerprints, voiceprints, genetic information, and facial images.[4]
Issues of Concern
Register For Free And Read The Full Article
Search engine and full access to all medical articles- 10 free questions in your specialty
- Free CME/CE Activities
- Free daily question in your email
- Save favorite articles to your dashboard
- Emails offering discounts
Learn more about a Subscription to StatPearls Point-of-Care
Issues of Concern
Protected health information must remain confidential because disclosing it to unauthorized recipients, intentionally or by accident, can have harmful consequences for patients. For instance, in correctional facilities, the improper disclosure of protected health information can potentially result in inmates assaulting other inmates with health conditions that carry a significant social stigma. Even upon their release, these individuals can face discriminatory treatment by the general populace that hampers their reintegration into public life. While transmitting PHI generally requires the patient's explicit consent, there are exceptions where it is transmittable without consent. For example, PHI can be disclosed without consent in a correctional facility for payment purposes and judicial proceedings. If there is a serious threat to a person's health or well-being, that can only be averted through disclosure.[5] Other circumstances when protected health information is transmittable without consent include public health purposes, like disease control, child abuse, and scientific research.[1][3]
Clinical Significance
Protected health information is clinically relevant because the circumstances surrounding its disclosure shape the interactions between patients and healthcare providers. For instance, when a patient happens to be a celebrity, healthcare providers must balance the patient's privacy needs with the public's "right" to know.[1] The increasingly widespread use of new medical technology further complicates interactions between patients and healthcare providers with respect to PHI. For instance, despite the rise of 3D printing in clinical care, there are no legal provisions in HIPAA relating to the potential privacy implications of 3D printing.[6] There are also no HIPAA regulations that adequately cover the transmission of Protected Health Information via text message.[7]
There are many ways that healthcare providers can take precautions to ensure that protected health information remains properly protected, to enhance patient care, and to preserve patient safety, particularly concerning electronic storage and transmission of PHI. Some standard procedures include data masking, encryption, and deidentification. Encryption is the equivalent of locking data in a vault and preventing anyone without the necessary digital key or certificate from accessing it. Data masking replaces sensitive data values with altered values that preserve the utility of the data set as a reference source. Encryption is more useful when attempting to protect data during transmission, while data masking is most useful when sharing data with an external organization. Deidentification systematically removes 18 pieces of identifying information, ranging from names and telephone numbers to biometric identifiers like finger and voice prints.[8][9] Internet communications can be secured through protocols like Secure Socket Layer and Transport Layer Security. Wi-Fi hotspots can be secured using virtual private networks to protect data.[10] Maintaining adequate safeguards against the unauthorized dissemination of PHI is paramount, given that the consequences of failing to do so range from financial penalties to imprisonment.[11]
Nursing, Allied Health, and Interprofessional Team Interventions
All healthcare team members have the same responsibility for protecting PHI. This includes clinicians, nurses, pharmacists, therapists, techs, office personnel, and other staff such as housekeeping and nutrition. That is why training and refresher courses on PHI are critical to patient privacy so that all team members can recognize PHI, know the boundaries involved, and identify and, if necessary, report breaches of patient privacy to the proper authorities.
References
Burkle CM, Cascino GD. Medicine and the media: balancing the public's right to know with the privacy of the patient. Mayo Clinic proceedings. 2011 Dec:86(12):1192-6. doi: 10.4065/mcp.2011.0520. Epub [PubMed PMID: 22134938]
Goldstein MM, Pewen WF. The HIPAA Omnibus Rule: implications for public health policy and practice. Public health reports (Washington, D.C. : 1974). 2013 Nov-Dec:128(6):554-8 [PubMed PMID: 24179268]
Colorafi K, Bailey B. It's Time for Innovation in the Health Insurance Portability and Accountability Act (HIPAA). JMIR medical informatics. 2016 Nov 2:4(4):e34 [PubMed PMID: 27806923]
Bowman MA,Maxwell RA, A beginner's guide to avoiding Protected Health Information (PHI) issues in clinical research - With how-to's in REDCap Data Management Software. Journal of biomedical informatics. 2018 Sep [PubMed PMID: 30017974]
Goldstein MM. Health information privacy and health information technology in the US correctional setting. American journal of public health. 2014 May:104(5):803-9. doi: 10.2105/AJPH.2013.301845. Epub 2014 Mar 13 [PubMed PMID: 24625160]
Feldman H, Kamali P, Lin SJ, Halamka JD. Clinical 3D printing: A protected health information (PHI) and compliance perspective. International journal of medical informatics. 2018 Jul:115():18-23. doi: 10.1016/j.ijmedinf.2018.04.006. Epub 2018 Apr 13 [PubMed PMID: 29779716]
Level 3 (low-level) evidenceDrolet BC, Marwaha JS, Hyatt B, Blazar PE, Lifchez SD. Electronic Communication of Protected Health Information: Privacy, Security, and HIPAA Compliance. The Journal of hand surgery. 2017 Jun:42(6):411-416. doi: 10.1016/j.jhsa.2017.03.023. Epub [PubMed PMID: 28578767]
Motiwalla L, Li XB. Developing Privacy Solutions for Sharing and Analyzing Healthcare Data. International journal of business information systems. 2013 Jan 1:13(2):. doi: 10.1504/IJBIS.2013.054335. Epub [PubMed PMID: 24285983]
Nettrour JF, Burch MB, Bal BS. Patients, pictures, and privacy: managing clinical photographs in the smartphone era. Arthroplasty today. 2019 Mar:5(1):57-60. doi: 10.1016/j.artd.2018.10.001. Epub 2018 Nov 12 [PubMed PMID: 31020023]
Filkins BL, Kim JY, Roberts B, Armstrong W, Miller MA, Hultner ML, Castillo AP, Ducom JC, Topol EJ, Steinhubl SR. Privacy and security in the era of digital health: what should translational researchers know and do about it? American journal of translational research. 2016:8(3):1560-80 [PubMed PMID: 27186282]
Vanderpool D, Hipaa-should I be worried? Innovations in clinical neuroscience. 2012 Nov; [PubMed PMID: 23346520]