PHI (Protected Health Information)

PHI is defined in 45 CFR §160.103 as individually identifiable health information transmitted or maintained in any form or medium, electronic, paper, or oral. The information must relate to the past, present, or future physical or mental health of an individual, the provision of healthcare, or payment for healthcare, and must either identify the individual or provide a reasonable basis to believe the individual could be identified. HIPAA identifies 18 specific identifiers that make health information individually identifiable, including names, dates, geographic data smaller than a state, phone numbers, email addresses, Social Security numbers, medical record numbers, and more.

The practical scope of PHI in a healthcare facility extends far beyond the EHR system. PHI appears on prescription labels, lab requisition forms, appointment schedules, billing statements, explanation of benefits documents, referral letters, diagnostic images, and even on medical waste container labels and manifests. Paper documents containing PHI that are discarded without proper destruction (shredding, pulping) constitute a HIPAA violation. PHI on waste container labels must be managed as part of the facility's HIPAA compliance program.

BayArea Compliance addresses PHI protection as part of both our HIPAA|360 program and our medical waste services. Our waste handling procedures account for the presence of PHI on container labels and manifest documents. We execute BAAs with all clients, train our personnel on PHI handling, and ensure that any PHI encountered during waste management is protected according to HIPAA and CMIA requirements.