What Is Protected Health Information (PHI)?

Healthcare is a data-rich industry. These data are created across the entire healthcare ecosystem; they represent a wealth of information that can ultimately lead to better patient outcomes. The amount of data generated is unprecedented.

Research from IDC has shown health data growth to be exponential: By 2020, the industry will generate around 2,314 exabytes (EB) of data. Just to put that into perspective, 1 EB is equal to 1 billion gigabytes.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has created a specific definition of health data that requires protection under the auspices of the Privacy Rule. These data are referred to as Protected Health Information (PHI) and fall under the umbrella of “individually-identifiable health information,” “identifiable” being the operative word, which we will talk more about later. The Privacy Rule also specifies which organizations, or “covered entities,” come under the ruling and are required to implement the requirements of the HIPAA Privacy Rule.

What Is Considered Protected Health Information Under HIPAA?

Any data that are created, collected or disclosed during interaction with healthcare services and that can be used to uniquely identify an individual are defined as Protected Health Information (PHI) under HIPAA. The key word here is “identify”: If a snippet of data or a data set associated with an interaction with a healthcare provider or associate can be used as an “identifier” of an individual, it is PHI.

PHI has 18 of these identifiers, including names, zip code, medical record numbers, IP address, Social Security Number, and so on. (A full list can be found on the California Department of Health Care Services website or below, following the sources.) If any of the identifiers are used in any disclosure, it will be deemed to be an identifying action. Even (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Susan Morrow. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/Ml41ygF2qq8/