Protected Health Information (PHI)

PHI is the acronym for the Protected Health Information of a person or patient under the HIPAA policies at the University of Colorado. PHI includes:

  • PHI pertains to the mental or physical health of the individual as well as their data.
  • We are responsible for protecting health information no matter how recent (past, present or future).
  • PHI can come in any form, including oral, written and electronic media, etc.

The following 18 identifiers (among others) can connect an individual to their PHI: 

  1. Name
  2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of a ZIP code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  4. Telephone number
  5. Fax number
  6. E-mail addresses
  7. Social Security number
  8. Medical records number
  9. Health plan beneficiary number
  10. Account number
  11. Certificate/license number
  12. Vehicle identifiers and serial numbers, including license plate
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address number
  16. Biometrics (including finger and voice print)
  17. Full face photographic images and any comparable image
  18. Any other unique identifying number, characteristic or code (with some exceptions and requirements)

Note: Health information may be shared without a patient’s authorization only for purposes of Treatment, Payment or healthcare Operations. Typically, PHI excludes employment records and education records, which are the types of records contained within the Human Resources (HR) or Family Educational Rights and Privacy Act (FERPA) domains.

PHI and Reproductive Health


The HIPAA Reproductive Rule provides protections for patients seeking reproductive health care services and for providers providing reproductive health care services. It prohibits the use or disclosure of Protected Health Information (PHI) for the purpose of criminal, civil, or administrative investigations when it is sought to investigate or impose liability on individuals, health care providers, and/or others who seek, obtain, provide, or facilitate reproductive health care that is lawful.

The Rule also prohibits the use or disclosure of reproductive health care information to identify an individual, health care provider, and/or others. The Rule is applicable to a Covered Entity - our organization - that maintains PHI that includes reproductive health care information, whether it was created by the Covered Entity or not. (Compliance Date: December 23, 2024)

Under the Rule, reproductive health care covers services, medications, supplies, and equipment related to reproductive health, its functions, and processes. Reproductive health care affects the health of an individual, regardless of gender, in all matters relating to the reproductive system and to its functions and processes.

Some examples (including, but not limited to):

  • Contraceptives (over-the-counter or prescription)
  • Pregnancy-related care, counseling or education
  • Gender-affirming care, counseling or education
  • Fertility and infertility counseling or education
  • Birth control counseling or education
  • Conditions affecting the reproductive health system

The Rule is applicable when it is lawful under the law of the state in which the health care is provided under the circumstances in which it is provided (State Law).

The Rule is applicable when it is protected, required, or authorized by Federal Law, including Constitutional Law, regardless of the state in which the health care is provided.

You can presume that the care was lawful, unless:

  • There is actual knowledge that the care was not lawful under the circumstances in which it was provided
  • There is factual information that the care was not lawful

The Rule prohibits the use or disclosure of PHI to conduct a criminal, civil, or administrative investigation.

The Rule prohibits the use or disclosure of PHI to identify any person who seeks, obtains, provides, or facilitates reproductive health care for the purpose of conducting such an investigation or imposing liability.

Requested PHI should not be disclosed until it is determined that the request does not fall under a prohibition or presumption.

Requestors must complete and sign an Attestation stating that the use or disclosure is not for a prohibited purpose. The Attestation is required from:

  • Law enforcement
  • Judicial and administrative proceedings (e.g. subpoenas and court orders)
  • Coroners and medical examiners about decedents
  • Health oversight (CO Department of Public Health)
