Personal health information (PHI) is a category of information that refers to an individual’s medical records and history, which are protected under the Health Insurance Portability and Accountability Act (HIPAA). Protecting PHI carries wide-ranging ramifications for businesses and individuals.
Personal health information is also known as protected health information.
The types of information categorized as PHI primarily include sets of medical indicators, such as:
- Test results
- Procedure descriptions
- Diagnoses
- Personal or family medical histories
- Data points applied to a set of demographic information for a particular patient
For example, records showing a patient’s procedures, lab tests or predisposition to a range of diseases fall under the PHI category. Establishing whether data counts as PHI can be tricky, because whether HIPAA regulates the data depends on how much of the personal information is actually connected to the identity of a patient. In many cases, medical information that cannot be tied to a patient may not constitute PHI and may not be protected under HIPAA.
The designation, use and protection of PHI bears on many issues in modern medicine. In the years immediately following the enactment of HIPAA, PHI was primarily regulated in the context of businesses such as medical providers and health insurance companies. More recent changes to HIPAA regulation mean that other kinds of businesses are now scrutinized for their handling of PHI. The U.S. Department of Health and Human Services (HHS) refers to these entities as “business associates”, which may include:
- Cloud computing service providers
- Vendor software suppliers
- Third-party marketing businesses
- Any other business with PHI access