The 18 PHI Identifiers
The idea of patient privacy goes all the way back to the inception of modern medicine as laid out by Hippocrates in the Hippocratic Oath over two thousand years ago. Fast-forward to today, we may face different challenges, but HIPAA in many ways serves as a modern-day example of what the Hippocratic Oath serves to do those many years ago. While the language has changed the sentiment remains the same: protecting the rights of the individual within healthcare. One of the key components, if not the key component of HIPAA is Protected Health Information (PHI). PHI as outlined by HIPAA is any individually identifiable health information. HIPAA lays a legal framework to ensure that this PHI is handled in a way that upholds the rights of the patient as well as outlines the patient’s rights and gives a clear list of what exactly qualifies as PHI.
As referenced in one of our prior posts Why PHI is Valuable to Hackers, modern-day hackers can sell your PHI for hundreds of dollars to people who can then use this information to commit other crimes like identity theft which can take years to uncover and causes a major headache to all parties involved. As a step towards ensuring the safety of this information, HIPAA has laid out a precise list of 18 different forms of protected health information. Below we will outline each different type and give examples of each so that you can have a better understanding of what exactly qualifies as PHI and what you can expect your healthcare provider to be doing with this information.
This is a good time to point out that some PHI is not considered PHI in every context that it is used. Your name is only considered PHI when recorded by a healthcare provider or used within the context of healthcare. The barista calling out your name as you wait for your iced caramel macchiato in a hospital cafe may not be worthy of an HHS investigation, but if your physician disclosed your name to someone outside the scope of their role, this could be an entirely different story.
Again, pretty straightforward, however, this form of protected PHI is anything more specific than the state that you live in, such as your hometown or the street you live on, not just the full address. From a business perspective, this is an important note as it is common to use specific information to identify a client within your own database. “No, not that, Jeff. You know, Jeff from Spokane?” It’s one thing for a nurse to use some of these identifiers within the scope of her study. It’s another for your crazy ex to call the hospital and figure out where you moved after college.
This might seem like a bit of a broad category, but this includes any dates excluding a year that could identify an individual. This includes birth dates, death dates, discharge dates, treatment days--really any day that can be traced back to an individual for a specific event or procedure occurring. While this might not seem like the end of the world, it only takes someone a few key pieces of information to get through certain authentication processes online, so the more information that is safeguarded the better.
While there is not a whole lot that can be done in terms of identity theft with a phone number, it can be a huge hassle if your number falls into the wrong hands. It seems the majority of phone calls today are coming from robo-dialers and scammers asking about your car’s warranty. While many of these phone calls are made with auto dialing technology and are completely random, companies that still utilize cold calling and telemarketing pay services for access to your personal information.
6. Fax Number
While this may have been more applicable in 1996, an individual's fax number is still considered PHI. For any millennials reading this, people used to be able to communicate with each other via their printer. Fax numbers are still used to transfer information on paper from one location to another. Smaller hospitals and entities especially still rely on fax machines to transfer PHI though many have since moved onto full electronic information.
6. Email address
Similar to phone calls, email today has been overrun by spam and junk mail. While your email might not be a way a hacker could necessarily steal your identity, it can be a major nuisance if your email makes its way around to a couple of unwanted targeted email campaigns. While the email address itself may not be sufficient enough for stealing your identity entirely, hackers can use your email address for malware that can collect other important information from your device.
7. Social Security number
Someone with malicious intent is able to use your social security number for a variety of purposes, including opening new lines of credit in your name which can negatively impact your credit score and create a massive headache when applying for loans and making other important financial decisions.
8. Medical record number
Medical record numbers give access to specific charts and medical data that could be anything from your blood pressure reading at a routine check-up to acute diagnoses. Rights to this information is protected under HIPAA and allow you as the patient to give knowledge of this information at your own discretion. Whether it means keeping this information out of the hands of nosey family members or hackers alike, it is important that this information is managed properly by your healthcare provider and other individuals with access to your medical records.
9. Health plan beneficiary number
Your health plan beneficiary number is the number that your health insurance or other similar services that provide access to healthcare use to assign you within their system. This number is often required as proof of coverage and can be sold to individuals online for someone who cannot afford or is unable to obtain healthcare coverage by normal means.
10. Account numbers
Getting access to any sort of account number allows someone with malicious intent to add this to their arsenal against you. Whether they are looking to steal your identity or sell your information to someone else, having your account number under lock and key prevents scammers from using this in tandem with other PHI to gain access to your medical records and other sensitive information.
11. Certificate/license number
Certificate or license numbers can be used as a backup in authentication procedures. This could be anything from your driver’s license number to your CPR certification. This is another example of a piece of information that you would not want anyone to have easy access to. While having your certificate or license number might not be immediately detrimental, it can be used in combination with other personal information to steal your identity.
12. Vehicle identifiers, serial numbers, license plate numbers
Keeping vehicle identification-related information private is important as it is a gateway to a variety of other forms of personal information such as home addresses or even previous addresses. While maybe knowing your license plate number isn’t the end of the world, this in tandem with other personal identification information can be used to forge documentation and even identity fraud.
13. Device identifiers/serial numbers
This information relates to medical devices or equipment that may be used during procedures or treatment. Limiting access to this information protects the client from unwanted access to information pertaining to implants you have, devices used during your procedures, and other medical devices that could be used to be tied directly back to you.
14. Web URLs
Web URLs or Uniform Resource Locators can be used to track electronic transactions and other online history related to your data stored in online formats. These URLs can be used in a variety of different ways. You can think of it as restricting access to URLs cuts off scammers and hackers at the source by eliminating the ability to gain access to a plethora of ePHI.
15. IP address
Your IP address is a unique identifier that comes from your computer when you access the internet. This can be used by some to even trace you back to your location, so it is important that this information doesn’t fall into the wrong hands. Among other things, your IP is sort of like the fingerprint equivalent of your devices that connect to the internet. While it’s not necessarily private, if someone ties a direct IP to you personally, they can access information about online browsing habits, but most concerningly is your actual geographical location.
16. Biometric identifiers such as fingerprints or voiceprints
As technology advances, biometric identifiers can be very harmful when they make their way into the hands of the wrong person. With the artificial facial construction technology known as deep fakes, hackers can now fully reconstruct an individual's likeness and use their voiceprint and other biometric identifiers to create fully functional digital identities used to impersonal individuals remotely. This was famously used back in 2019 when Carrie Fisher passed away midway through the production of the Star Wars franchise movie, Rogue One. The producers hired a body double and then reconstructed her face and voice through previous images and voiceprints. While this technology is impressive in that context, it also has created a sort of digital identity theft that allows hackers to blackmail and even impersonate individuals remotely.
17. Full-face photos
At face value (no pun intended), a portrait or selfie circulating around might not seem like the end of the world, but this in conjunction with other forms of PHI can create the perfect means for a fake online profile or as explored above, very convincing fraudulent digital images and material. To reiterate, context is key here. Only images taken by your healthcare provider or used in a healthcare context would be considered PHI.
18. Any other unique identifying numbers, characteristics, or codes
Think of these as sort of a catch-all for any other identifier that couldn’t be categorized; a sort of “etc.” or “miscellaneous.” Basically, if there is a number that can be tied directly back to you for identification purposes given to you by your healthcare provider, it’s PHI. This goes back to the phrase individually identifiable health information. Essentially, any information that can be traced back to an individual that was used in the context of healthcare can be considered PHI.
While there are a handful of areas within HIPAA that are left up in the air in terms of legal interpretation, it is quite helpful to have a cut and dry list of clearly outlined examples of PHI that are regulated under HIPAA. Not only does Accountable offer our blog as a resource for brushing up on all things HIPAA, but we also offer a complete administrative solution for HIPAA compliance to give you and your associates the assurance that you are fully protected in the event of a breach or audit. So what are you waiting for? Schedule a call with one of our HIPAA Compliance Specialists today or try it out for free today!