Protected health information (PHI) is YOUR information but it can be used to benefit everyone
Written on September 7, 2014 by Dr Ben Nowell
Health research is about the collection and analysis of information to understand conditions like arthritis and to develop better prevention, diagnostic and treatment methods. I’ve posted before about research as a “hunt for the truth.” Each additional bit of information is another clue to help scientists understand arthritis.
In healthcare and health research, people often talk about “protected health information” or PHI. What is it and why does it matter in research? CreakyJoints Data Scientist Noam Gerber and I recently sat down to ask and answer questions about this important topic.
What is protected health information (PHI)?
Protected health information, also known as PHI, is validated information about someone’s health that can be identified as belonging to that specific individual. There are three types of health information: your health status, the treatment or care you’ve received, and payment related to your healthcare. When any of these three types of information about your health is associated with personally identifying information (like your name or address), it becomes PHI. Note that health information is only considered to be PHI when it is collected and stored by a “covered entity” (e.g., an insurance company or a physician). So when you self-report that you have an illness to an organization or person that is not a covered entity, this information falls outside of the PHI definition.
What is personally identifying information (PII) and how is it different from PHI?
PII is information that uniquely identifies you. An “identifier” is any information that can be used to figure out exactly who you are. Common identifiers include your name, zip code, birthdate, phone number, email address, social security number, and medical record number to name just a few. Often more than one of these identifiers must be used in order to uniquely identify you—like if you have the same name or birthdate as someone else. Whereas PII simply identifies you, PHI is information about your health status, healthcare treatments and/or payments that also identifies you with PII.
Why is this information “protected”?
Because health information is both sensitive and personal, there are federal and state laws (e.g., HIPAA, Common Rule, Privacy Rule and Security Rule) that require that it be protected and secured. The law creates specific administrative, physical, and technical safeguards that must be put into place by covered entities. They also create specific rules on how PHI can be used, shared and who it can be shared with. These laws are intended to protect the privacy, confidentiality and quality of PHI when it’s being shared or used (e.g., for research). Any person who handles or has access to PHI is required to know these laws and how to protect PHI. People who do not protect PHI as ordered by these laws can be penalized with fines and imprisonment.
What is PHI used for?
PHI is often used to link information from different sources, especially for research. Before their PHI is used for research, each participant in a study must give written and signed permission. You might have heard of this or given this type of permission as “HIPAA authorization.” Before granting permission, the research participant must be given information on which specific PHI will be used or shared during the research, the names of people carrying out the research (including whoever PHI may be shared with), and the purpose of using or sharing that PHI. This permission and authorization process is necessary so that the research participant is fully informed about how and why their PHI is being used and be given the opportunity to either allow or refuse permission to use the information.
Why is PHI necessary for research?
PHI is needed to better understand arthritis, to improve treatments for arthritis and to eventually find a cure for arthritis. Without research, no new knowledge would ever be gained and we would be stuck with medicine from the 1800s! It is possible to do some limited research arthritis without PHI, but it’s possible to do much more when research participants give permission to use their PHI. This will help scientists work with you to find better treatments, and someday a cure, for arthritis. You should know that when you share your PHI for research, it will only be used for research.
If I give permission for someone to use my PHI in research, how much of my information will be shared?
When PHI is shared, only the minimum amount needed to conduct research is shared. This is to protect your confidentiality by not giving people access to more PHI than they need. Participants also always have the right to refuse the collection and usage of new PHI at any point during the research. Not everyone is comfortable providing all of the requested identifiers. That’s okay. Full name and date of birth are the most important pieces of information, but research participants are encouraged to provide as many of the other requested items as they are willing to. Here’s one example of how identifiers are used in research: your date of birth and/or Social Security number can be used by researchers to access information available through the Centers for Disease Control, Centers for Medicare and Medicaid Services, and other sources. This is very important for researching the safety of medications used to treat RA and other forms of arthritis.
Does CreakyJoints collect PHI?
No, CreakyJoints is not a covered entity and does not collect PHI. However, with support from the Patient-Centered Outcomes Research Institute (PCORI) and our parent organization, the Global Healthy Living Foundation (GHLF), CreakyJoints is building a patient-powered research network with a database of health information about people living with rheumatoid arthritis and spondyloarthritis (psoriatic arthritis and ankylosing spondylitis). As a result, members of the CreakyJoints community are being given the opportunity to participate in research. Although CreakyJoints is not a covered entity, our academic research partner is. The University of Alabama at Birmingham (UAB) School of Medicine is working closely with us to guide and expand our patient-led research. As a covered entity, UAB is responsible for safeguarding any PHI that is obtained as part of our research efforts.