PHI and PIIJul 13, 2023
Personally identifiable information (PII) and protected health information (PHI) may seem similar on the surface, but key distinctions set them apart:
- PII is a catch-all term for any information that can be traced to an individual’s identity. PII is protected under state laws which include how this data may be handled, stored, destroyed and breach notification requirements.
- PHI applies specifically to HIPAA covered entities that possess identifiable health information. PHI is any health information that includes any of the 18 elements identified by HIPAA.
- A Limited Data Set (LDS) is a data set that only contains the following two of the 18 HIPAA identifiers: dates and geographic information greater than a postal address. LDS is considered PHI, and falls under the HIPPA Privacy Rule.
- PII may include research data when it is not derived from PHI or considered PHI and is therefore subject to state law but not subject to the HIPAA Privacy and security Rules.
- Importantly, covered entities are specified in the HIPPA Privacy Rule as health plans, healthcare clearinghouses, and healthcare providers. Any patient information with any of the 18 elements identified by HIPAA does fall under the HIPPA Privacy Rule and needs to be protected accordingly. Some PHI data is further protected under state law, and has further restrictions on its use. This includes psychotherapy notes, child abuse, substance abuse, stigmatizing diseases and data collected under Minor Consent. Additional caution should be employed for handling of these data, and further restrictions may apply to use and disclosure.
- Methods may be employed to deem data de-identified and thus not subject to HIPAA protections . De-identified data must meet the Safe Harbor or Expert Determination criteria to be considered de-identified. Note that removing all 18 elements of PHI is not sufficient, as the remaining information could not be used alone or in combination with other information to identify an individual who is a subject of the information.
Information derived from either CHCO or UCHealth EHR’s that contains any of the 18 elements identified by HIPAA would be considered PHI. If you have questions about whether your dataset is full PHI or a limited data set (LDS), please contact Children’s Hospital Colorado Research Compliance firstname.lastname@example.org or UCH-Research Administration UCH-ResearchAdmin@uchealth.org. Our teams can assist in putting the proper agreements in place for you and your dataset.