NCBI Bookshelf. A service of the National Library of Medicine, National Institutes of Health.

StatPearls [Internet]. Treasure Island (FL): StatPearls Publishing; 2024 Jan-.

Protected Health Information

Last Update: January 30, 2023.

Definition/Introduction

According to the Health Insurance Portability and Accountability Act (HIPAA), protected health information (PHI) is any health information that can identify an individual, that is held or transmitted by a "covered entity" or its business associates, and that relates to a patient's past, present, or future health. This data includes demographic information.[1] It covers, but is not limited to, information transmitted electronically or on paper. The term "covered entity" refers to, but is not limited to, healthcare providers, insurance companies, and hospitals.[2][3] PHI includes demographic identifiers in medical records, such as names, phone numbers, and emails, as well as biometric information, such as fingerprints, voiceprints, genetic information, and facial images.[4]

Issues of Concern

Protected health information must remain confidential because disclosing it to unauthorized recipients, intentionally or by accident, can have harmful consequences for patients. For instance, in correctional facilities, the improper disclosure of protected health information can potentially result in inmates assaulting other inmates with health conditions that carry a significant social stigma. Even upon their release, these individuals can face discriminatory treatment by the general populace that hampers their reintegration into public life. While transmitting PHI generally requires the patient's explicit consent, there are exceptions where it is transmittable without consent. For example, PHI can be disclosed without consent in a correctional facility for payment purposes and judicial proceedings, and when there is a serious threat to a person's health or well-being that can only be averted through disclosure.[5] Other circumstances when protected health information is transmittable without consent include public health purposes, like disease control, child abuse, and scientific research.[1][3]

Clinical Significance

Protected health information is clinically relevant because the circumstances surrounding its disclosure shape the interactions between patients and healthcare providers. For instance, when a patient happens to be a celebrity, healthcare providers must balance the patient's privacy needs with the public's "right" to know.[1] The increasingly widespread use of new medical technology further complicates interactions between patients and healthcare providers with respect to PHI. For instance, despite the rise of 3D printing in clinical care, there are no legal provisions in HIPAA relating to the potential privacy implications of 3D printing.[6] There are also no HIPAA regulations that adequately cover the transmission of Protected Health Information via text message.[7] 

There are many ways that healthcare providers can take precautions to ensure that protected health information remains properly protected, to enhance patient care, and to preserve patient safety, particularly concerning electronic storage and transmission of PHI. Some standard procedures include data masking, encryption, and deidentification. Encryption is the equivalent of locking data in a vault and preventing anyone without the necessary digital key or certificate from accessing it. Data masking replaces sensitive data values with altered values that preserve the utility of the data set as a reference source. Encryption is more useful when attempting to protect data during transmission, while data masking is most useful when sharing data with an external organization. Deidentification systematically removes 18 pieces of identifying information, ranging from names and telephone numbers to biometric identifiers like finger and voice prints.[8][9] Internet communications can be secured through protocols like Secure Sockets Layer and Transport Layer Security. Wi-Fi hotspots can be secured using virtual private networks to protect data.[10] Maintaining adequate safeguards against the unauthorized dissemination of PHI is paramount, given that the consequences of failing to do so range from financial penalties to imprisonment.[11]
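The difference between deidentification and data masking described above, as an added example that is not part of the original article. The field names, the sample record, and the use of a keyed HMAC to derive masked values are assumptions made for illustration; only the identifier types named in this article are covered, not the full list of 18.

```python
import hashlib
import hmac

# Identifier fields named in this article (assumed field names; the full
# HIPAA list has 18 categories and is not reproduced here).
IDENTIFIER_FIELDS = {"name", "phone", "email", "fingerprint", "voiceprint", "facial_image"}

def deidentify(record):
    """Deidentification: remove identifier fields outright."""
    return {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}

def _digits(key, value, n):
    """Derive n decimal digits from HMAC-SHA256(key, value)."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac, "big")).zfill(n)[:n]

def mask_value(key, field, value):
    """Masking: replace the value with an altered one of the same shape.
    The mapping is keyed and deterministic, so the same input always gets the
    same mask and two masked data sets can still be joined on that field."""
    tag = field + ":" + value
    if field == "phone":
        # Substitute each digit and keep separators, so the format survives.
        sub = iter(_digits(key, tag, sum(c.isdigit() for c in value)))
        return "".join(next(sub) if c.isdigit() else c for c in value)
    if field == "email":
        return "user" + _digits(key, tag, 8) + "@example.invalid"
    return "ID-" + _digits(key, tag, 10)

def mask(record, key):
    """Mask identifier fields; leave clinical fields untouched."""
    return {k: mask_value(key, k, v) if k in IDENTIFIER_FIELDS else v
            for k, v in record.items()}

# Constructed sample record and key, not real patient data.
KEY = b"constructed-demo-key"
SAMPLE = {"name": "Jane Example", "phone": "555-010-0199",
          "email": "jane@example.org", "diagnosis": "asthma", "visit_year": "2022"}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
    print(mask(SAMPLE, KEY))
```

Anyone holding the masking key can recompute the mask for a known identifier, so the key must stay with the disclosing organization and not travel with the shared data set.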

Nursing, Allied Health, and Interprofessional Team Interventions

All healthcare team members have the same responsibility for protecting PHI. This includes clinicians, nurses, pharmacists, therapists, techs, office personnel, and other staff such as housekeeping and nutrition. That is why training and refresher courses on PHI are critical to patient privacy so that all team members can recognize PHI, know the boundaries involved, and identify and, if necessary, report breaches of patient privacy to the proper authorities.

References

1. Burkle CM, Cascino GD. Medicine and the media: balancing the public's right to know with the privacy of the patient. Mayo Clin Proc. 2011 Dec;86(12):1192-6. [PMC free article: PMC3228620] [PubMed: 22134938]
2. Goldstein MM, Pewen WF. The HIPAA Omnibus Rule: implications for public health policy and practice. Public Health Rep. 2013 Nov-Dec;128(6):554-8. [PMC free article: PMC3804103] [PubMed: 24179268]
3. Colorafi K, Bailey B. It's Time for Innovation in the Health Insurance Portability and Accountability Act (HIPAA). JMIR Med Inform. 2016 Nov 02;4(4):e34. [PMC free article: PMC5112364] [PubMed: 27806923]
4. Bowman MA, Maxwell RA. A beginner's guide to avoiding Protected Health Information (PHI) issues in clinical research - With how-to's in REDCap Data Management Software. J Biomed Inform. 2018 Sep;85:49-55. [PubMed: 30017974]
5. Goldstein MM. Health information privacy and health information technology in the US correctional setting. Am J Public Health. 2014 May;104(5):803-9. [PMC free article: PMC3987588] [PubMed: 24625160]
6. Feldman H, Kamali P, Lin SJ, Halamka JD. Clinical 3D printing: A protected health information (PHI) and compliance perspective. Int J Med Inform. 2018 Jul;115:18-23. [PubMed: 29779716]
7. Drolet BC, Marwaha JS, Hyatt B, Blazar PE, Lifchez SD. Electronic Communication of Protected Health Information: Privacy, Security, and HIPAA Compliance. J Hand Surg Am. 2017 Jun;42(6):411-416. [PubMed: 28578767]
8. Motiwalla L, Li XB. Developing Privacy Solutions for Sharing and Analyzing Healthcare Data. Int J Bus Inf Syst. 2013 Jan 01;13(2) [PMC free article: PMC3839961] [PubMed: 24285983]
9. Nettrour JF, Burch MB, Bal BS. Patients, pictures, and privacy: managing clinical photographs in the smartphone era. Arthroplast Today. 2019 Mar;5(1):57-60. [PMC free article: PMC6470317] [PubMed: 31020023]
10. Filkins BL, Kim JY, Roberts B, Armstrong W, Miller MA, Hultner ML, Castillo AP, Ducom JC, Topol EJ, Steinhubl SR. Privacy and security in the era of digital health: what should translational researchers know and do about it? Am J Transl Res. 2016;8(3):1560-80. [PMC free article: PMC4859641] [PubMed: 27186282]
11. Vanderpool D. Hipaa-should I be worried? Innov Clin Neurosci. 2012 Nov;9(11-12):51-5. [PMC free article: PMC3552464] [PubMed: 23346520]

Disclosure: Sasank Isola declares no relevant financial relationships with ineligible companies.

Disclosure: Yasir Al Khalili declares no relevant financial relationships with ineligible companies.

Copyright © 2024, StatPearls Publishing LLC.

This book is distributed under the terms of the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) ( http://creativecommons.org/licenses/by-nc-nd/4.0/ ), which permits others to distribute the work, provided that the article is not altered or used commercially. You are not required to obtain permission to distribute this article, provided that you credit the author and journal.

Bookshelf ID: NBK553131. PMID: 31985924