Personal information, health data and PHI
The relationship between personal information, medical data, and Protected Health Information (PHI) has been a subject of some confusion. Our hope here is to shed some light on this complex relationship, and add clarity.
Protected Health Information is defined as individually-identifiable health data, which is (by definition) exquisitely sensitive. Being linked to an individual, PHI can only be shared with the permission of the individual. PHI is covered by the HIPAA Privacy Rule.
PHI can be thought of as having two components: (1) personal identification, and (2) health data. Health data includes diagnoses, medications, allergies, immunizations, and procedures done.
PHI is kept within Electronic Health Records (EHR), as well as within laboratory systems, insurance company data (including the government via the Centers for Medicare and Medicaid Services – CMS), regional Immunization Registries, Health Information Exchanges (HIEs), and public health agencies.
EHR vendors are custodians of the PHI records created by their customers (clinicians), and are bound by the same HIPAA Privacy Rules that apply to the clinicians using the system. PHI is only shared among clinicians for the purpose of furthering the quality of individual health care. PHI can also be rolled up into reports for use by the clinicians (quality metrics reports that identify specific patients needing follow up).
Some technology vendors are able to approximate health data simply by tracking internet usage behavior. For example, Google Flu Trends tracks search activity for flu, which (although it reflects simple consumer interest in, or fear about, the topic) matches CDC reporting of influenza incidence fairly accurately. No HIPAA-protected PHI is utilized here.
Health data has been collected for a long time, long before EHRs – health plans have been collecting health data through claims for many decades. Health data is extracted, ultimately, from PHI – but once it is de-identified, the data is no longer PHI, and therefore (not being linked with any individual) does not need individual permission in order to be shared. De-identification of PHI is spelled out in the HIPAA Privacy Rule, and the data must be sufficiently “scrubbed” so as not to be re-identifiable.
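As an added illustration (not part of the original post) of the two-component view of PHI and of the scrubbing the Privacy Rule requires, the following splits a record into identifiers and health data and applies the Safe Harbor de-identification method (45 CFR 164.514(b)). The record layout, the field names and the list of small three-digit ZIP areas are assumptions made for the example.

```python
"""Added example: classify a record as PHI or not, and scrub it with the
HIPAA Safe Harbor method so the health data component is no longer PHI.
Field names, record layout and SMALL_ZIP3 are assumptions for illustration."""
import re

# Direct identifiers that Safe Harbor removes outright (a subset of its 18).
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email", "street", "ip"}
# The health-data component named in the text: kept after scrubbing.
HEALTH_FIELDS = {"diagnoses", "medications", "allergies", "immunizations", "procedures"}
# Three-digit ZIP areas with 20,000 or fewer people must be reported as "000".
# The real list comes from Census data; this set is a constructed placeholder.
SMALL_ZIP3 = {"036", "059", "102"}
ISO_DATE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")

def is_phi(record: dict) -> bool:
    """PHI = health data linked to an individual (Safe Harbor identifier elements)."""
    has_id = any(k in record for k in DIRECT_IDENTIFIERS | {"dob", "zip"})
    has_health = any(k in record for k in HEALTH_FIELDS)
    return has_id and has_health

def deidentify(record: dict, as_of_year: int) -> dict:
    """Return a scrubbed copy: identifiers dropped, ZIP cut to 3 digits,
    birth date reduced to an age with everything over 89 collapsed to "90+"."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # removed entirely
        if key in HEALTH_FIELDS:
            out[key] = list(value)  # the medical data that policy work needs
        elif key == "zip":
            zip3 = value[:3]
            out["zip3"] = "000" if zip3 in SMALL_ZIP3 else zip3
        elif key == "dob":
            m = ISO_DATE.match(value)
            if not m:
                raise ValueError(f"unexpected date format: {value!r}")
            age = as_of_year - int(m.group(1))
            out["age"] = "90+" if age > 89 else age
        else:
            # Fail closed: an unclassified field may be a free-text identifier.
            raise ValueError(f"unclassified field {key!r}; refusing to pass it through")
    return out

# Constructed sample record for a fictional patient (not real data).
SAMPLE_RECORD = {"name": "Jane Doe", "ssn": "123-45-6789", "dob": "1931-05-02",
                 "zip": "94103", "diagnoses": ["J10.1"], "medications": ["oseltamivir"]}
```

Calling `deidentify(SAMPLE_RECORD, as_of_year=2024)` yields only `age`, `zip3`, `diagnoses` and `medications`, and `is_phi` on that result returns False.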
Medical data is extremely important, and is the basis for health policy and many strategic decisions. For example, when an insurance company claims that “only 35% of women ages 18-26 have been screened for Chlamydia” (a HEDIS metric), or when a laboratory states “10% of all Pap smears are positive for papilloma virus” – these, ultimately, are drawn from data stores that, when linked with specific individuals, are PHI, but when extracted without individual identification are not PHI and can be used in whatever way is seen fit. They become the drivers of health policy, and of efforts to improve public health.
Medical data – not linked to individual identification, therefore not PHI (though ultimately extracted from PHI sources) – is sometimes aggregated very specifically. Quality metric compliance (which can be extracted from health plan data) can be drilled down to the region, hospital, medical group or individual physician level – and report cards of these findings are available publicly. Another example: drug companies know prescribing activity for their product at the individual-physician level, and use this data for marketing and detailing. When medical data is linked to physician behavior, but not to patient identification, it is not PHI.
The relationship between personal data, health data, and (when the two are linked together) PHI is complex. Small wonder that there is confusion about it. Our hope is that this discussion will help add some clarity to the understanding of this fundamental issue.
Robert Rowley, MD
Chief Medical Officer, Practice Fusion, Inc.