Q: What is protected health information (PHI) under HIPAA?
A: PHI is individually identifiable information related to the past, present or future physical or mental health or condition, the provision of health care to an individual, or the past, present, or future payment for such health care, that is created or received by a covered entity. PHI may be in any form, including oral, electronic or paper.
PHI must be created or received by a covered entity. That means that if an employer does not have a health care plan and therefore does not have a covered entity, it does not have PHI. This point is important because some assume PHI covers all medical information in the workplace. In fact, PHI is a highly specific term and is limited to covered entities. The key to understanding PHI is determining who creates or receives certain medical information and from what source it comes. If it originates from an employer’s plan, it is PHI, but if it comes from an employee who is providing a colleague with an update on her back surgery or results of a pregnancy test, it is not PHI.