What are HIPAA's PHI Data Elements?

Every business has a legal and moral duty to protect its customers' privacy. This is doubly true if you handle patient data. In this post, I'll review the HIPAA guidelines in the United States, including HIPAA's 18 protected PHI data elements. I'll also discuss how to redact them to keep patient data safe across your organization.

What is HIPAA?

The United States Health Insurance Portability and Accountability Act of 1996, or HIPAA, protects patient privacy in the United States.

HIPAA's Privacy Rule allows patients to determine how medical providers use their healthcare data. It protects patient data from exposure while ensuring the free flow of information across providers.

Anyone who handles patient data must adhere to HIPAA regulations. This includes health care providers, clearinghouses, health plans, and associated businesses (e.g., claims processing, data analysis).

What is PHI in HIPAA?

Protected health information, or PHI, comprises all patient health and wellness information. PHI includes medical history, test information, and any personally identifiable information.

Healthcare providers use PHI to track a patient's medical history across multiple providers. Researchers may also use anonymized versions of patient data to study healthcare trends or further the development of new drugs and procedures.

PHI is different than Personally Identifiable Information (PII), which is any information that can be directly or indirectly linked to an individual. PHI is a subset of PII that relates specifically to patient health.

PHI data elements: the 18 identifiers

‎

HIPAA's Privacy Rule - specifically, section 164.514 - defines the de-identification standard. Per this standard, there are 18 PHI data elements HIPAA requires you to protect from unauthorized viewing. Companies must remove this information for any patient when their data falls under HIPAA's "Safe Harbor" standard.

The 18 PHI data elements are:

• Patient name
• Address (all components)
• All dates (birthdate, treatment dates, etc.)
• Telephone numbers
• Vehicle ID and serial numbers
• Fax numbers
• Device identifiers & serial numbers
  • Most device IDs are derived from the MAC address, IMEI number, or ESN number.
• Email addresses
• URLs
• Social security numbers
• IP addresses
• Medical record numbers
• Biometric IDs
• Health plan numbers
• Full-face photos
• Account numbers
• Any other uniquely identifying ID or code
• Certificate or license numbers

Additionally, the HIPAA Privacy Rule also protects against re-identification. If you assign a unique code to an individual and an unauthorized could use it to find an individual's PHI, that would also be considered a HIPAA violation.

The cost of not protecting PHI data elements from exposure

The US Health and Human Services department and US state attorneys general can levy penalties for HIPAA Privacy Rule violations. The penalties aren't light, either.

There are four tiers of HIPAA violation:

• Tier 1: An unavoidable violation of which the acting entity was not aware
• Tier 2: An unavoidable violation of which the entity was aware
• Tier 3: A willfully neglectful violation with an attempt made to correct the violation
• Tier 4: A willfully neglectful violation with no attempt at remediation made within 30 days

Each category potentially has different financial penalties. However, in every case, an organization can face a fine of up to over USD $50,000 per incident. (The exact penalties are adjusted for inflation and increase year over year.)

Yearly federal penalties for Tier 4 violations are capped at around USD $2 million. However, attorneys general can issue separate fines.

Additionally, willful violation of HIPAA rules - e.g., selling PHI data elements on the black market - can incur criminal penalties of up to 10 years in jail.

How redaction & tokenization can help ensure HIPAA compliance

PHI data elements are often exposed through massive data breaches. And it can happen innocently enough. BayCare Clinic LLP accidentally leaked PHI of up to 134,000 patients when its partner included a tracking pixel in its Web pages.

However, PHI can also be exposed through common workplace business productivity tools. An employee at Atrium Health disclosed PHI when he responded to a phishing email with account credentials.

Leaks can also occur when patients and providers become sloppy about sharing information. For example, providers may email patient data between themselves and other providers. Or patients may send sensitive information - such as their social security numbers - over channels such as email.

That's why redacting data from tools like Slack, Google Workspace, and Office 365 is critical to ensuring compliance with the HIPAA Privacy Rule. Redaction detects sensitive data elements and removes them from emails, documents, chats, customer service records, and server logs before unauthorized individuals can access them.

‎

How Strac secures sensitive PHI data elements?

Few organizations have the time or resources to implement their own custom redaction strategy. That's why Strac supports automated redaction across numerous business productivity applications. Ask us for a demo today!

Similarly, if you collect PHI data on your web apps and store on your web servers, you may want to consider tokenizing sensitive data. Check out our related blog post on why should you tokenize sensitive data on your web app/servers.