What is PHI?

I have been asked time and time again, “What is PHI?” My usual answer is “protected health information,” but really, what is PHI? Basically, it can be summarized as all patient data collected and maintained for the operation of the practice or business associate, which is protected from unauthorized disclosure. HHS does make specific reference to 18 identifiers. These identifiers are:

  • Name
  • Address, which includes street, city, county, zip (more than 3 digits) or other geographic codes
  • Date of birth
  • Telephone number
  • Driver’s license number
  • Email address
  • SSN
  • Medical Record Number (MRN)
  • Health plan beneficiary number
  • Account number
  • Certificate or license number
  • Any vehicle or device serial number, including license plates
  • Web address
  • IP address
  • Fingerprints
  • Photographic images
  • Unique identifying number
  • Age

The 18 identifiers mentioned, whether individually or in combination, constitute PHI. Please note that this data CAN be de-identified for research purposes or to release it to non-covered entities. You can get more guidance on this from the HHS Office for Civil Rights (OCR).

The Wikipedia definition of PHI: Protected health information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history.

PHI is often sought out in datasets for de-identification before researchers share the dataset publicly. When researchers remove PHI from a dataset they do so in an attempt to preserve privacy for research participants.
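The following is an added example, not part of the original post, of a first-pass de-identification step over one record: it drops fields that map to the identifiers listed above, keeps only the first 3 digits of the zip, and masks identifiers that leak into free text. The column names, the sample record and the regular expressions are assumptions made for this example, and the patterns cover only a few of the identifier types.

```python
import re

# Column names are assumptions for this example; map them to your own schema.
DROP_FIELDS = {
    "name", "street", "city", "county", "date_of_birth", "phone",
    "drivers_license", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "device_serial", "url",
    "ip_address", "fingerprint", "photo", "unique_id", "age",
}

# Identifiers that tend to leak into free-text fields (illustrative patterns).
TEXT_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
]


def deidentify(record):
    """Return a copy of record with identifier fields removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue  # direct identifier: never copied to the output
        if key == "zip":
            # The list above treats a zip as an identifier beyond 3 digits.
            digits = re.sub(r"\D", "", str(value))
            out[key] = digits[:3] if len(digits) >= 3 else ""
        elif isinstance(value, str):
            # Mask identifiers embedded in notes and other text columns.
            for label, pattern in TEXT_PATTERNS:
                value = pattern.sub(f"[{label}]", value)
            out[key] = value
        else:
            out[key] = value
    return out


# Constructed sample record, not real patient data.
SAMPLE = {
    "name": "Jane Doe", "ssn": "123-45-6789", "zip": "30301-1234", "age": 47,
    "diagnosis_code": "E11.9",
    "notes": "Call 555-010-1234 or jane.doe@example.org; SSN 123-45-6789; "
             "portal login from 192.0.2.10.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
```

Names and addresses written into free text are not caught by these patterns, so text columns still need review before a dataset is shared.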