NCBI Bookshelf. A service of the National Library of Medicine, National Institutes of Health.
StatPearls [Internet]. Treasure Island (FL): StatPearls Publishing; 2024 Jan-.
Sasank Isola; Yasir Al Khalili.
Last Update: January 30, 2023.
According to the Health Insurance Portability and Accountability Act (HIPAA), protected health information (PHI) is any health information that can identify an individual, that is in the possession of or transmitted by a "covered entity" or its business associates, and that relates to a patient's past, present, or future health. This data includes demographic information.[1] It also includes, but is not limited to, electronic and paper transmission. The term "covered entity" refers to, but is not limited to, health care providers, insurance companies, and hospitals.[2][3] PHI includes demographic identifiers in medical records, such as names, phone numbers, and emails, as well as biometric information such as fingerprints, voiceprints, genetic information, and facial images.[4]
It is imperative that protected health information remains confidential because disclosing it to unauthorized recipients, whether intentionally or by accident, can have deleterious consequences for patients. For instance, in correctional facilities, the improper disclosure of protected health information can potentially result in inmates assaulting other inmates with health conditions that carry a significant social stigma. Even upon their release, these individuals can face discriminatory treatment by the general populace that hampers their reintegration into public life. While transmitting PHI generally requires the patient's explicit consent, there are exceptions where it is transmittable without consent. For example, in a correctional facility setting, PHI can be disclosed without consent for payment purposes, for judicial proceedings, or when there is a serious threat to a person's health or well-being that can only be averted through disclosure.[5] Other circumstances in which protected health information is transmittable without consent include public health purposes, such as disease control, the reporting of child abuse, and scientific research.[1][3]
Protected health information is clinically relevant because the circumstances surrounding its disclosure shape the interactions between patients and healthcare providers. For instance, when a patient happens to be a celebrity, health care providers must balance the patient's privacy needs with the public's "right" to know.[1] The increasingly widespread use of new medical technology further complicates interactions between patients and healthcare providers with respect to PHI. For instance, despite the rise of 3D printing in clinical care, there are no legal provisions in HIPAA relating to the potential privacy implications of 3D printing.[6] There are also no HIPAA regulations that adequately cover the transmission of protected health information via text message.[7]
There are many precautions that healthcare providers can take to ensure that protected health information remains properly protected, to enhance patient care, and to preserve patient safety, particularly concerning the electronic storage and transmission of PHI. Some standard procedures include data masking, encryption, and deidentification. Encryption is the equivalent of locking data in a vault and preventing anyone without the necessary digital key or certificate from accessing it. Data masking is the replacement of sensitive data values with altered values that nonetheless preserve the utility of the data set as a reference source. Encryption is more useful when attempting to protect data during transmission, while data masking is most useful when sharing data with an external organization. Deidentification is the systematic removal of eighteen pieces of identifying information, ranging from names and telephone numbers to biometric identifiers such as fingerprints and voiceprints.[8][9] Internet communications can be secured through protocols such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS). Wi-Fi hotspots can be secured using virtual private networks (VPN) to protect data.[10] Maintaining adequate safeguards against the unauthorized dissemination of PHI is of paramount importance, given that the consequences of failing to do so range from financial penalties to imprisonment.[11]
All members of the healthcare team carry the same responsibility when it comes to protecting PHI. This includes clinicians, nurses, pharmacists, therapists, techs, office personnel, and even other staff such as housekeeping and nutrition. That is why training and refresher courses on the topic of PHI are critical to patient privacy, so that all members of the team can recognize PHI, know the boundaries involved, and identify and, if necessary, report breaches of patient privacy to the proper authorities.
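The following Python program is an added example, not code from the StatPearls article, showing the two data-level safeguards described above in practice: deidentification by removing or generalizing the identifying fields of a patient record (names, contact details, dates reduced to the year, ages over 89 collapsed into a single "90+" category, ZIP codes truncated to three digits), and data masking, where a medical record number is replaced with a keyed pseudonym so that records can still be linked without exposing the original value. The field names, the LOW_POPULATION_ZIP3 set, the free-text patterns, and the sample record are all constructed assumptions for illustration; a real deployment would map its own schema and take the low-population ZIP list from current census data. Encryption in transit (TLS) is not shown here, since it is applied by the transport rather than to the data.

```python
"""Safe Harbor-style deidentification and masking of a constructed patient record.

Added example, not from the StatPearls article. Field names, the ZIP set and the
sample record are assumptions constructed for illustration only.
"""
import hashlib
import hmac
import re
from datetime import date
from typing import Optional

# Direct identifiers that are dropped outright (field names assumed for this example).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo_id",
}

# Three-digit ZIP prefixes covering 20,000 people or fewer must collapse to "000".
# Placeholder set: the real list comes from current census data.
LOW_POPULATION_ZIP3 = {"036", "059"}

# Identifiers that commonly leak into free-text notes (constructed, not exhaustive).
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
]

def generalize_zip(zip_code: str) -> str:
    """Keep only the first three digits, or "000" for low-population prefixes."""
    zip3 = zip_code[:3]
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3

def age_on(dob: date, ref: date) -> int:
    """Whole years between a birth date and a reference date."""
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))

def generalize_dob(dob: date, ref: date) -> str:
    """Only the birth year survives; patients over 89 get the single "90+" category,
    which also withholds the year itself because it would reveal the age."""
    return "90+" if age_on(dob, ref) > 89 else str(dob.year)

def scrub_free_text(text: str) -> str:
    """Replace identifiers hidden in narrative text with labelled placeholders."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text

def pseudonymize(value: str, key: bytes) -> str:
    """Masking: a keyed hash gives one stable token per patient so records stay
    linkable without exposing the MRN. The key stays with the covered entity."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def deidentify(record: dict, ref_date: date, link_key: Optional[bytes] = None) -> dict:
    """Return a copy of the record with identifiers removed, generalized or masked."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            if field == "mrn" and link_key is not None:
                out["patient_token"] = pseudonymize(value, link_key)
            continue  # direct identifier dropped
        if field == "zip":
            out[field] = generalize_zip(value)
        elif field == "dob":
            out[field] = generalize_dob(value, ref_date)
        elif isinstance(value, date):
            out[field] = str(value.year)  # any other patient date: year only
        elif field == "notes":
            out[field] = scrub_free_text(value)
        else:
            out[field] = value
    return out

# Constructed sample record and reference date; no real patient data.
REF_DATE = date(2023, 1, 30)
SAMPLE_RECORD = {
    "mrn": "MRN-0001",
    "name": "Jane Example",
    "dob": date(1932, 5, 4),
    "zip": "03601",
    "phone": "555-010-0199",
    "admission_date": date(2023, 1, 15),
    "diagnosis": "Type 2 diabetes",
    "notes": "Call 555-010-0199 or jane@example.org; SSN 123-45-6789 on file.",
}

def deidentify_sample() -> dict:
    """Run the sample record through deidentify() with a constructed link key."""
    return deidentify(SAMPLE_RECORD, REF_DATE, link_key=b"example-link-key")

if __name__ == "__main__":
    print(deidentify_sample())
```

Running the script prints the deidentified record: the name and phone fields are gone, the MRN has become a 16-character token, the birth date has collapsed to "90+", the ZIP code to "000", the admission date to "2023", and the note reads "Call [PHONE] or [EMAIL]; SSN [SSN] on file." The free-text scrub is the step most often missed in practice, since narrative fields are not covered by a column-level field list.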
Burkle CM, Cascino GD. Medicine and the media: balancing the public's right to know with the privacy of the patient. Mayo Clin Proc. 2011 Dec;86(12):1192-6. [PMC free article: PMC3228620] [PubMed: 22134938]
Goldstein MM, Pewen WF. The HIPAA Omnibus Rule: implications for public health policy and practice. Public Health Rep. 2013 Nov-Dec;128(6):554-8. [PMC free article: PMC3804103] [PubMed: 24179268]
Colorafi K, Bailey B. It's Time for Innovation in the Health Insurance Portability and Accountability Act (HIPAA). JMIR Med Inform. 2016 Nov 02;4(4):e34. [PMC free article: PMC5112364] [PubMed: 27806923]
Bowman MA, Maxwell RA. A beginner's guide to avoiding Protected Health Information (PHI) issues in clinical research - With how-to's in REDCap Data Management Software. J Biomed Inform. 2018 Sep;85:49-55. [PubMed: 30017974]
Goldstein MM. Health information privacy and health information technology in the US correctional setting. Am J Public Health. 2014 May;104(5):803-9. [PMC free article: PMC3987588] [PubMed: 24625160]
Feldman H, Kamali P, Lin SJ, Halamka JD. Clinical 3D printing: A protected health information (PHI) and compliance perspective. Int J Med Inform. 2018 Jul;115:18-23. [PubMed: 29779716]
Drolet BC, Marwaha JS, Hyatt B, Blazar PE, Lifchez SD. Electronic Communication of Protected Health Information: Privacy, Security, and HIPAA Compliance. J Hand Surg Am. 2017 Jun;42(6):411-416. [PubMed: 28578767]
Motiwalla L, Li XB. Developing Privacy Solutions for Sharing and Analyzing Healthcare Data. Int J Bus Inf Syst. 2013 Jan 01;13(2). [PMC free article: PMC3839961] [PubMed: 24285983]
Nettrour JF, Burch MB, Bal BS. Patients, pictures, and privacy: managing clinical photographs in the smartphone era. Arthroplast Today. 2019 Mar;5(1):57-60. [PMC free article: PMC6470317] [PubMed: 31020023]
Filkins BL, Kim JY, Roberts B, Armstrong W, Miller MA, Hultner ML, Castillo AP, Ducom JC, Topol EJ, Steinhubl SR. Privacy and security in the era of digital health: what should translational researchers know and do about it? Am J Transl Res. 2016;8(3):1560-80. [PMC free article: PMC4859641] [PubMed: 27186282]
Vanderpool D. Hipaa-should I be worried? Innov Clin Neurosci. 2012 Nov;9(11-12):51-5. [PMC free article: PMC3552464] [PubMed: 23346520]
Disclosure: Sasank Isola declares no relevant financial relationships with ineligible companies.
Disclosure: Yasir Al Khalili declares no relevant financial relationships with ineligible companies.