FAQ: HIPAA, PHI, and PII

What Type of Information is Considered PHI?

  • Names

  • Dates, except year

  • Telephone numbers

  • Geographic data such as address

  • Fax numbers

  • Social Security numbers

  • Email addresses

  • Medical record numbers

  • Account numbers

  • Health plan beneficiary numbers

  • Certificate/license numbers

  • Vehicle identifiers and serial numbers, including license plates

  • Web URLs provided by the patient

  • Device identifiers and serial numbers

  • Internet protocol (IP) addresses

  • Full-face photos and comparable images

  • Biometric identifiers (e.g. retinal scan, fingerprints)

  • Any unique identifying number or code

  • Medical bills and billing statements

What is Considered a Misuse of PHI?

  • Keeping records containing PHI on unsecured data platforms

  • Data breaches caused by telehealth or EHR vendors

  • Stolen or lost devices containing PHI, including USB drives, hard drives, laptops, or phones

  • Data breaches involving malware, phishing, or ransomware

  • Disposing of documents and files containing PHI in a way that allows unauthorized future retrieval or misuse, such as leaving a document containing PHI in a trash can or improperly disposing of a hard drive containing PHI

  • Lack of HIPAA training for employees who come into contact with PHI

  • Sending PHI to the wrong patient or address

  • Misusing social media

Is Some PHI More Protected Than Others?

Yes, mental health treatment records and records of certain diseases such as HIV/AIDS are covered by an extra layer of protection and require additional permissions before they can be released.

What is a HIPAA Violation?

Any misuse of PHI is considered a HIPAA violation and is subject to fines and other penalties against a business or provider where a HIPAA violation has taken place.

Why are HIPAA Violations a Big Deal?

HIPAA breaches and violations create mistrust and can ruin a business's reputation. Government fines for violations are exorbitant.

What if I Just Didn’t Know?

HIPAA is regulated by the Federal government, which can levy fines for committing HIPAA violations. “I didn’t know” will not protect anyone against this consequence. If you are ever even slightly unsure whether a piece of information or a document is PHI, or if an action or process is permissible under HIPAA regulations, ask before you do anything.

How Could I be Violating HIPAA Regulations?

  • Emailing any patient data outside of company email

  • Talking about patients using identifiable information outside of the work environment

  • Using social media to discuss any patient interactions

  • Storing patient names and phone numbers in your phone

  • Posting pictures of patients without written permission

  • Leaving a patient's record open on your computer while treating another patient

  • Allowing vendors access to PHI without a signed Business Associate Agreement

  • Not protecting your electronic devices such as your phone with passwords

  • Not securing a USB drive with patient data on it

  • Emailing spreadsheets with patient identifiable information

  • Leaving patient data accessible on your computer or laptop

  • Sharing or not protecting your login and password

  • Leaving PHI unattended at a public health screening

  • Opening phishing emails leading to security breaches

  • Throwing away paper with patient PHI on it (instead of shredding it)

Can I Talk About Patients With My Friends or Family?

No, you cannot discuss any information about a patient with anyone except another caregiver or co-worker who needs information to support patient care or billing.

Can I take a Selfie With a Patient?

No, it is unprofessional and could be considered a violation of HIPAA rules.

What if the Patient is a Friend?

If a patient is your friend and you have their consent to take the photo, it is permissible to take a picture with him or her as long as you do not share the picture publicly and reveal that the friend is a patient.

Have Additional Questions?

Contact Zeel via in-app chat with any questions about HIPAA compliance, patient privacy, or information handling, and we will be glad to help you.