Understanding PHI Requests

Protecting and requesting PHI

Doctors, office staff and patients alike have all heard the term PHI, or protected health information. But what exactly does this entail? And what happens when that information is requested? AMPM Billing explores how HIPAA defines PHI, and how that information is handled.

Protected Health Information

HIPAA defines protected health information (PHI) as “health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates in relation to the provision of healthcare, healthcare operations and payment for healthcare services.” It is also helpful to define what HIPAA means by a “covered entity”. This term refers to a healthcare provider or health clearinghouse that electronically transmits health-related data. Therefore, all covered entities encounter and transfer PHI as a rule.

In order to be considered PHI, this information must relate to the current or past physical or mental health of a patient. It can also refer to the manner of care, as well as payment information relating to past, present or future healthcare.

Examples of protected information are:

  • Patient demographics
  • Medical history
  • Health insurance information
  • Lab results such as tests and x-rays

Any information that can be used to individually identify a patient is considered PHI and is strongly protected under HIPAA’s security rule.  

The Complexity of Requesting PHI

You might assume that requesting access to your own PHI would be straightforward. However, this is not always the case. Some healthcare providers charge a fee for this service, and for good reason. As a medical billing company, AMPM knows that the storage and protection of patient data requires complex databases and skilled, HIPAA-trained staff. When a patient requests their PHI, it is usually so that it can be electronically transmitted to another provider or entity. Many times this third party will make the request on behalf of the patient, which requires even more verification steps to ensure the data is being transferred securely.

HIPAA’s privacy rule has acknowledged that these requests require a certain degree of skilled labor, time spent, and costs incurred. In the case of a physical copy request, there will also be postage fees to be considered.

However, HIPAA has also mandated that healthcare providers not charge more than is reasonable for this service. Several cases, such as the Korunda Case, have alerted HIPAA to the practice of overcharging and delaying the transfer of PHI. HIPAA stipulates that PHI requested in a valid manner be provided within 30 calendar days of the request.

Keeping PHI secure as well as accessible is an important part of the healthcare industry. It is important that both patients and providers understand their rights when it comes to the transmission of valuable healthcare data.

Disclaimer: The materials contained on this website are provided for informational purposes only and do not constitute legal or other professional advice on any subject matter. Advanced Medical Practice Management does not accept any responsibility for any loss which may arise from reliance on information contained on this site.