PHI: A Breakdown and What It Means to Our Company
"PHI" is a term that has taken the healthcare industry by storm. It's everywhere you turn when dealing with medical records (or anything else having to do with a patient). There are two big questions whose answers may or may not be known by many people: What classifies as PHI? What does it mean to our organization?
Let's start with the first question. PHI (protected health information) is ANY information in a medical record that can be used to identify an individual that was created, used or disclosed in the course of providing health care services. There is some confusion on what actually constitutes as PHI. Some think that the information has to be significant enough to be able to easily identify a particular person. This really is not the case though. Even information that seems vague to most people is still considered PHI. The HIPAA privacy rule actually lists a fairly extensive list of 18 identifiers (Personally Identifiable Information AKA PII) that classify information as PHI. They are as follows:
- Names
- All geographical subdivisions smaller than a state: street address, county, precinct, zip code, etc.
- All elements of dates, except year: DOB, age, treatment dates, DOD, etc.
- Phone numbers
- Fax numbers
- Email addresses
- SSN
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers (VIN, license plate numbers)
- Device identifiers
- Web Universal Resource Locators (URL's)
- IP addresses
- Biometric identifiers (fingerprints, voice recordings, etc.)
- Full-face photographs
- Any other unique identifying number, characteristics or codes
If the information is by itself and you can find the same information by opening a phone book, then it is not PHI.
Stuart Mobley, Director of Change Management
Essentially almost everything regarding a patient is considered protected health information (PHI). However, there's an important thing to note. Names, addresses and phone numbers are NOT considered PHI, unless that information is listed with a medical condition, health care provision, payment data or something that states that they were seen at a particular clinic. Basically, if the information is by itself and you can find the same information by opening a phone book, then it is not PHI.
So, how does this relate to MediCopy? PHI is the "I" in ROI, so handling this information properly is vital for what we do. If we don't always triple check these components, it puts our business, our clients and our patients at risk. We have the same responsibilities when handling PHI that our clients have to keep it secure. When thinking about the security of PHI, there are three things HIM companies need to take into account about information being pulled, copied and released.
1. Confidentiality refers to the assurance that a necessary level of secrecy is taken to prevent unauthorized disclosure. MediCopy is very thorough and strict on accepting authorizations, because we must respect the rights of the individual and always make sure that we protect their information with the utmost confidentiality.
2. Integrity refers to the understanding that the data/information have not been altered or destroyed in an unauthorized manner. MediCopy maintains that they do not delete or alter any patient information that is copied and forwarded to a requesting party. Even the tiniest amendment to a record could put a patient at risk. If ever a discrepancy in the patient's chart is noticed by our staff (such as DOB not matching on every page), we notify the facility immediately.
3. Availability refers to the property that data is accessible and usable upon demand. MediCopy is all about availability. Not only is it important that we get records copied and released as quickly as possible, but it is just as important that we have access to said records in a timely manner. IT issues can cause major problems with availability. It is important for MediCopy to stay in constant communication with the facility, so any technical issues can be resolved promptly.