What is PHI?
"The Privacy Rule defines PHI as individually identifiable health information, held or maintained by a covered entity or its business associates acting for the covered entity, that is transmitted or maintained in any form or medium (including the individually identifiable health information of non-U.S. citizens). This includes identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or the provision or payment of medical care to an individual that is created or received by a medical care provider, health plan, employer, or medical care clearinghouse. For purposes of the Privacy Rule, genetic information is considered to be health information."[HIPAA Research at 8.]
There are exceptions to the definition of PHI. Medical information contained in educational records covered by the Family Educational Rights and Privacy Act is not covered.[20 U.S.C. § 1232g; 34 CFR Part 99] This provision applies to schools that are also covered entities, such as medical schools. Elementary and secondary schools and most university programs are not covered entities, so HIPAA does not apply to them, even if they hold medical information about their students. College sports medicine providers may or may not be covered by HIPAA when they share information with coaches. It depends on whether the student is seeing them for personal treatment only or whether there is an expectation that the information will be shared with the athletic program.[20 USC 1232g(a)(4)(B)(iv)] On the other hand, a student health service at a university may be a covered entity if it bills insurers for services. There is also an exception for medical information held by covered entities in their role as employer. Thus, medical information about employees in a hospital's personnel department's files would not be PHI.
Only individually identifiable information is protected. This allows covered entities to release statistical data, such as the number of persons undergoing cancer treatment, the number of babies that were delivered, and other information about groups of patients, as long as the individual group members cannot be identified. A large hospital could release information on the number of patients receiving different types of treatment on a given day because this would not allow someone to figure out the treatment received by an individual patient. A very small hospital with only a few patients could not release this type of data because it would be easy to figure out which patient got the specific treatment. HIPAA has specific rules on which information must be removed from the PHI for it to no longer be identifiable. This includes Social Security numbers, addresses, and unusual personal information that could be used to link the data back to a specific patient.
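The two controls the paragraph describes, stripping direct identifiers from records before release and withholding aggregate counts that are small enough to point at one patient, are shown below as an added example; it is not code from the original page and does not implement the full HIPAA identifier list. The field names, the SSN regex (NNN-NN-NNNN only), the sample records and the suppression threshold of 5 are all assumptions chosen for illustration.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample records for illustration only; no real patient data.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "A. Example", "ssn": "123-45-6789", "address": "1 Main St",
     "treatment": "chemotherapy",
     "note": "Patient (SSN 123-45-6789) tolerated cycle 2 well."},
    {"name": "B. Example", "ssn": "987-65-4321", "address": "2 Oak Ave",
     "treatment": "chemotherapy", "note": "Follow-up scheduled."},
    {"name": "C. Example", "ssn": "555-55-5555", "address": "3 Elm Rd",
     "treatment": "delivery", "note": "Uncomplicated delivery."},
]

# Fields treated as direct identifiers in this example. HIPAA's rules name
# more identifiers than these; this set is an illustrative assumption.
DIRECT_IDENTIFIER_FIELDS = ("name", "ssn", "address")

# Pattern used to scrub SSN-shaped strings that leaked into free text
# (assumption: the NNN-NN-NNNN format only).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def deidentify(record: Dict[str, str]) -> Dict[str, str]:
    """Return a copy with direct-identifier fields dropped and any SSN-shaped
    string in the remaining text fields replaced by a placeholder."""
    kept = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}
    return {k: SSN_RE.sub("[REDACTED-SSN]", v) for k, v in kept.items()}


def contains_direct_identifier(record: Dict[str, str]) -> bool:
    """Pre-release check: an identifier field is still present, or an
    SSN-shaped string survives in some text field."""
    if any(k in record for k in DIRECT_IDENTIFIER_FIELDS):
        return True
    return any(SSN_RE.search(v) for v in record.values())


# Minimum count below which an aggregate cell is withheld. The value 5 is an
# assumed local policy threshold for this example, not a number from HIPAA.
MIN_CELL = 5


def aggregate_counts(records: List[Dict[str, str]], field: str = "treatment",
                     min_cell: int = MIN_CELL) -> Dict[str, Optional[int]]:
    """Count patients per value of `field`; cells below `min_cell` are
    reported as None (suppressed) so a small group cannot be singled out.
    This is the "large hospital vs. very small hospital" distinction."""
    counts = Counter(r[field] for r in records)
    return {value: (n if n >= min_cell else None) for value, n in counts.items()}


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        released = deidentify(rec)
        assert not contains_direct_identifier(released)
        print(released)
    # Three records: every cell falls below the threshold and is suppressed.
    print(aggregate_counts(SAMPLE_RECORDS))
    # A larger constructed population: the chemotherapy cell can be released.
    print(aggregate_counts(SAMPLE_RECORDS[:2] * 3))
```

The free-text scrub matters because a de-identification step that only drops named columns leaves the SSN embedded in the clinical note, which is exactly the kind of residue that lets data be linked back to a patient; the release check runs after the scrub so the two controls are verified independently.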