Now let’s delve more into the similarities and difference between these three types of records. PII includes any information that can be directly or indirectly connected to a person’s identity. As defined by the National Institute of Standards and Technology (NIST) Guide to Protecting the Confidentiality of Personally Identifiable Information, PII is “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” In contrast, Personal Health Information (PHI) is a subset of PII, dealing specifically with health information shared among HIPAA covered entities. It would certainly be reasonable that PHI would include all medical records, lab reports, imaging reports and data, and provider bills; and it does. But the HIPAA Privacy Rule goes further. It lists 18 identifiers that define health information as PHI. These include patient name, address, telephone numbers, email address, health plan numbers, account numbers, biometric identifiers such as fingerprints and voice, and facial photos, among others. By removing all of these 18 elements of PHI, for example for certain types of research, health data can be de-identified, no longer constitutes PHI and no longer has protection under HIPAA.
What are HIPAA-covered entities? They include all healthcare providers, healthcare plans and healthcare coordinating agencies. If a covered entity choses to work with another organization while involving PHI, that organization needs to formally agree to comply with HIPAA standards. The Health and Human Services (HHS) website describes how “the HIPAA Privacy Rule gives federal protection to personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.” Designating such information as PHI protects patient privacy, while allowing providers to carry out their patient care function. The Privacy Rule ensures that PHI is shared only with patient permission or to facilitate care coordination between HIPAA covered entities.
The term Electronic Health Information (EHI) becomes important in relation to the 21st Century Cures Act. It requires that health IT developers provide a means to export all EHI that a certified health IT system can store at the time of certification for either a single patient or all patients in the system. For example, a patient requesting their own health care information is entitled to receive such electronic records from their providers within 30 days. A key provision of the Cures Act prohibits actors from “interfer[ing], prevent[ing], or materially discourage[ing] the access, exchange, or use of electronic health information.” The main goal of the Cures Act is to enhance health information interoperability and transparency, including informed shared decision making between patients and their healthcare providers.