It can be easy to get confused about what constitutes PHI. Some people might think all health information falls under PHI, while others might consider only diagnostic information. But one thing is clear: it’s important to know the difference.
So, What is Individually Identifiable Health Information (IIHI)?
IIHI is more than just medical details about an individual - it also includes demographic information. For information to qualify as IIHI, it needs to:
- Be created or received by healthcare providers, health plans, employers, or healthcare clearinghouses.
- Relate to a person's past, present, or future physical or mental health or condition, healthcare services they've received, or payment for healthcare services provided to them.
- Either directly identify an individual or be able to lead to their identification.
What is HIPAA's Definition of Protected Health Information?
HIPAA regulations specify that Protected Health Information is IIHI that:
- Is transferred using electronic media (like being sent via email).
- Is stored in electronic media (for example, saved on a server).
- Is transferred or stored in any other form or medium (this includes physical places where paper documents are stored).
In short, all PHI is IIHI, but not all IIHI is PHI. So, not all individually identifiable health information is protected under HIPAA.
The Differences Between IIHI, PHI, and PII
Understanding the distinctions between PII (personally identifiable information), PHI (protected health information), and IIHI (individually identifiable health information) is crucial to data privacy. PII covers both non-sensitive and sensitive data that can identify an individual. It goes beyond health information and includes things like tax details, credit card numbers, and social security numbers. PHI is specific to healthcare and must always comply with HIPAA rules, whereas PII is only protected under certain circumstances. IIHI is health data that can be linked to an individual. Remember, while all PHI is IIHI, not all IIHI is PHI.
What Makes Health Information Identifiable?
There are eighteen specific identifiers that can make health information identifiable, such as:
- Names (full or last name and initial)
- Small geographic areas, like street addresses, cities, counties, precincts, and zip codes
- All parts of dates linked to an individual, such as birth dates, admission dates, discharge dates, and dates of death
- Phone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers, like fingerprints, retinal scans, and voice prints
- Full-face photographs and similar images
- Any other unique identifying number, characteristic, or code
If these identifiers are attached to other health information and can identify an individual, the information is considered Protected Health Information (PHI). Once all identifiers are removed, the information is considered de-identified, which means it's no longer classified as PHI.
As we wrap up our journey into the realm of healthcare data, we hope this deep dive into IIHI, PHI, and PII has left you feeling more confident and informed. The distinctions between these three types of data are critical to understanding how healthcare professionals maintain privacy and adhere to HIPAA regulations.
In essence, all health data is significant, but not all health data is created equal. Remember, while all PHI is IIHI, not all IIHI is PHI. Likewise, PII encompasses a broader spectrum of data beyond healthcare. Whether you're a healthcare provider, patient, or simply an interested party, the importance of understanding these differences cannot be overstated. After all, knowledge is power, especially when it comes to the protection of personal information.
So next time you come across these terms, you'll know exactly what they mean, how they're used, and the regulations that guide them. And remember, in a world where data is increasingly digitized, knowing how to differentiate between IIHI, PHI, and PII is more than just smart - it's a must!