HIPAA PHI | List of 18 PHI Identifiers & Compliance
Learn everything you need to know about HIPAA PHI data elements, including a list of the 18 HIPAA PHI identifiers, tips for de-identifying PHI, and best practices for HIPAA compliance.
Every business has a legal and moral duty to protect its customers' privacy. This is doubly true if you handle patient data. In this post, I'll review the HIPAA guidelines in the United States, including HIPAA's 18 protected PHI data elements. I'll also discuss how to redact them to keep patient data safe across your organization.
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is the US federal law that protects the privacy and security of patient health information.
HIPAA's Privacy Rule limits how covered entities may use and disclose patient health information and gives patients rights over it, such as the right to access and amend their records. It protects patient data from exposure while still allowing the flow of information needed for treatment, payment, and health care operations.
HIPAA applies to covered entities - health care providers, health plans, and health care clearinghouses - and to their business associates, the vendors that handle patient data on their behalf (e.g., claims processing, data analysis). A business associate is directly liable for the rules that apply to it.
Protected health information, or PHI, is individually identifiable health information that a covered entity or business associate creates, receives, stores, or transmits. It includes medical history, test results, billing information, and any identifiers attached to them. PHI held or transmitted in electronic form is called ePHI and is also subject to the HIPAA Security Rule.
Healthcare providers use PHI to track a patient's medical history across multiple providers. Researchers may also use de-identified versions of patient data to study healthcare trends or to support the development of new drugs and procedures.
PHI is different from personally identifiable information (PII), which is any information that can be linked directly or indirectly to an individual. PHI is the subset of identifiable information that relates to a person's health, care, or payment for care and is held by a HIPAA covered entity or business associate; the same name and date of birth in a retailer's database are PII but not PHI.
HIPAA's Privacy Rule - specifically, 45 CFR 164.514 - defines the de-identification standard. It offers two methods: Expert Determination, in which a qualified expert documents that the risk of re-identifying an individual is very small, and Safe Harbor, which lists 18 identifiers that must be removed. Under Safe Harbor, you must strip all of the following identifiers of the individual and of the individual's relatives, employers, and household members, and have no actual knowledge that the remaining information could identify the individual. The 18 PHI identifiers are:

1. Names
2. All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code and equivalent geocodes), except the first three digits of a ZIP code when the area sharing those three digits contains more than 20,000 people (otherwise the three digits become 000)
3. All elements of dates (except year) directly related to an individual, such as birth, admission, discharge, and death dates, and all ages over 89 (which may be aggregated into a single "90 or older" category)
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate or license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web URLs
15. IP addresses
16. Biometric identifiers, including fingerprints and voiceprints
17. Full-face photographs and any comparable images
18. Any other unique identifying number, characteristic, or code (other than a permitted re-identification code)

Data that has been de-identified this way is no longer PHI and falls outside the Privacy Rule's restrictions.
Additionally, the HIPAA Privacy Rule also addresses re-identification. A covered entity may assign a code to de-identified records so that it can later re-identify them, but only if the code is not derived from information about the individual (a hash of a name or Social Security number does not qualify) and the mechanism for re-identification is not disclosed. If an unauthorized party could use the code to find an individual's PHI, the data is not de-identified, and disclosing it would be a HIPAA violation.
The US Department of Health and Human Services (HHS), through its Office for Civil Rights, and state attorneys general can levy penalties for HIPAA Privacy Rule violations. The penalties aren't light, either.
There are four tiers of HIPAA violation, based on the organization's level of culpability:

Tier 1: The organization did not know, and by exercising reasonable diligence would not have known, that it violated the rule.
Tier 2: The violation was due to reasonable cause and not to willful neglect.
Tier 3: The violation was due to willful neglect but was corrected within 30 days.
Tier 4: The violation was due to willful neglect and was not corrected.

Each tier has a different minimum penalty per violation, but at every tier the maximum per violation exceeds USD $50,000. (The exact amounts are adjusted for inflation and increase year over year.)
Yearly federal penalties for Tier 4 violations are capped at around USD $2 million. State attorneys general can issue separate fines on top of that.
Additionally, knowingly obtaining or disclosing PHI in violation of HIPAA is a criminal offense. If it is done with intent to sell the data or to use it for commercial advantage, personal gain, or malicious harm - e.g., selling PHI data elements on the black market - the penalty is up to 10 years in prison.
PHI data elements are often exposed through large data breaches, and the cause can be innocent enough. BayCare Clinic LLP accidentally leaked PHI of up to 134,000 patients when its partner included a tracking pixel in its web pages.
PHI can also be exposed through everyday workplace productivity tools. An employee at Atrium Health disclosed PHI after responding to a phishing email with his account credentials.
Leaks also occur when patients and providers get sloppy about sharing information. Providers may email patient data to one another, or patients may send sensitive information - such as their Social Security numbers - over channels such as email.
That's why redacting data in tools like Slack, Google Workspace, and Office 365 is critical to complying with the HIPAA Privacy Rule. Redaction detects sensitive data elements and removes them from emails, documents, chats, customer service records, and server logs before unauthorized individuals can access them. Note that redaction only helps if it runs before the data lands somewhere it shouldn't be: a log line scrubbed after it has already been shipped to a third-party log service has already been disclosed.
Few organizations have the time or resources to implement their own custom redaction strategy. That's why Strac supports automated redaction across numerous business productivity applications (SaaS apps like Gmail, Office 365, Slack, Zendesk, Intercom, Salesforce, Notion, Google Drive, OneDrive, SharePoint, AWS CloudWatch logs, AWS database services, and more).
Similarly, if you collect PHI in your web apps and store it on your web servers, consider tokenizing sensitive data: replace each identifier with a random surrogate token and keep the mapping in a separate, access-controlled vault, so that application databases and logs never hold the raw value. Check out DLP for HIPAA
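The following is an added example, written for this page and not taken from the original post or from Strac's product, that ties together the Safe Harbor rules above and the redaction and tokenization approach just described. It scrubs a handful of the 18 identifiers out of constructed application log lines: dates are reduced to the year, ages over 89 are bucketed as 90+, ZIP codes keep only their first three digits (or become 000 for a restricted prefix), and direct identifiers such as MRNs, SSNs, phone numbers, email addresses, and IP addresses are swapped for random tokens held in a separate vault rather than hashed. The log format, the "MRN" prefix, and the restricted ZIP prefix set are assumptions for the example; a real deployment would add name and address detection and source the ZIP population data from the Census.

```python
import re
import secrets

# Detectors for a subset of the 18 Safe Harbor identifiers as they show up in
# free text. The record formats (the "MRN" prefix, US-style dates and phone
# numbers) are assumptions for this example. Names, street addresses and
# free-text hints need a dedicated entity-recognition pass and are not handled.
PATTERNS = {
    "iso_date": re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"),
    "us_date": re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"),
    "mrn": re.compile(r"\bMRN[ :#]*\d+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "age": re.compile(r"\bage (\d{1,3})\b", re.IGNORECASE),
    # Bare 5-digit (optionally ZIP+4) numbers; deliberately aggressive so an
    # unlabelled ZIP code does not slip through.
    "zip": re.compile(r"\b(\d{3})\d{2}(?:-\d{4})?\b"),
}

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer must
# become 000 under Safe Harbor. This set is a constructed placeholder; a real
# deployment sources it from current Census data.
RESTRICTED_ZIP3_EXAMPLE = frozenset({"036", "059"})


class TokenVault:
    """Replaces a real identifier with a random surrogate token.

    Safe Harbor permits a re-identification code only if it is not derived
    from the identifier itself (so no hash of the SSN) and the mapping is
    never disclosed. The mapping held here is therefore the secret: store it
    separately from the redacted records, under its own access controls.
    """

    def __init__(self):
        self._forward = {}   # (kind, value) -> token
        self._reverse = {}   # token -> value

    def tokenize(self, kind, value):
        key = (kind, value)
        if key not in self._forward:
            token = f"<{kind}:{secrets.token_hex(6)}>"   # random, not a hash
            self._forward[key] = token
            self._reverse[token] = value
        return self._forward[key]

    def detokenize(self, token):
        """Authorised re-identification; calls to this should be audited."""
        return self._reverse[token]


def redact(text, vault, restricted_zip3=RESTRICTED_ZIP3_EXAMPLE):
    """Apply the Safe Harbor rules this example covers to one line of text."""
    # Dates: every element except the year is removed. Dates go first so the
    # digit-based detectors below never see them.
    text = PATTERNS["iso_date"].sub(lambda m: f"{m.group(1)}-**-**", text)
    text = PATTERNS["us_date"].sub(lambda m: f"**/**/{m.group(1)}", text)
    # Direct identifiers are swapped for vault tokens, so the same MRN or SSN
    # maps to the same token across records and stays linkable with the key.
    for kind in ("mrn", "ssn", "phone", "email", "ipv4"):
        text = PATTERNS[kind].sub(lambda m, k=kind: vault.tokenize(k, m.group(0)), text)
    # Ages over 89 collapse into a single 90+ bucket; younger ages are kept.
    text = PATTERNS["age"].sub(
        lambda m: "age 90+" if int(m.group(1)) > 89 else m.group(0), text)

    # ZIP codes keep their first three digits unless that prefix is restricted.
    def zip_sub(m):
        prefix = "000" if m.group(1) in restricted_zip3 else m.group(1)
        return prefix + "xx"
    return PATTERNS["zip"].sub(zip_sub, text)


def redact_lines(lines, vault, restricted_zip3=RESTRICTED_ZIP3_EXAMPLE):
    return [redact(line, vault, restricted_zip3) for line in lines]


# Constructed application log lines, not taken from any real system.
SAMPLE_LOG = [
    "2024-05-01 INFO patient MRN 48213 (SSN 123-45-6789) seen 05/01/2024, age 94, zip 02139",
    "2024-05-01 INFO contact jane.doe@example.com phone 617-555-0142 from 203.0.113.7",
    "2024-05-02 INFO patient MRN 48213 follow-up 05/09/2024, age 45, zip 03602",
]

if __name__ == "__main__":
    vault = TokenVault()
    for line in redact_lines(SAMPLE_LOG, vault):
        print(line)
```

Two design points matter here. Tokens are random rather than keyed hashes because the rule requires the re-identification code not to be derived from the individual's information, and the vault that holds the mapping is the only thing that can reverse them, so it belongs in a separate store with its own access controls and audit trail. The order of the substitutions is also deliberate: dates and direct identifiers are removed before the generic five-digit ZIP detector runs, so fragments of a date or phone number are never mistaken for a ZIP code.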