When is PHI not PHI

There is a common misconception that all health information is considered PHI under HIPAA, but there are some exceptions.

First, it depends who records the information. A good example would be health trackers – either physical devices worn on the body or apps on mobile phones. These devices can record health information such as heart rate or blood pressure, which would be considered PHI under HIPAA Rules if the information was recorded by a healthcare provider or was used by a health plan.

However, HIPAA only applies to HIPAA-covered entities and their business associates, so if the device manufacturer or app developer has not been contracted by a HIPAA -covered entities and is a business associate, the information recorded would not be considered PHI under HIPAA.

The same applies to education or employment records. A hospital may hold data on its employees, which can include some health information – allergies or blood type for instance – but HIPAA does not apply to employment records, and neither education records.

Under HIPAA PHI ceases to be PHI if it is stripped of all identifiers that can tie the information to an individual. If the above identifiers are removed the health information is referred to as de-identified PHI. For de-identified PHI HIPAA Rules no longer apply.