The HIPAA regulations categorize your confidential medical information under two different names — Protected Health Information (PHI) and Designated Record Set (DSR). Both of these names and concepts are fully defined within the HIPAA regulations.
Protected Health Information
PHI is the most commonly used name for confidential medical information. In the HIPAA General Administrative Requirements sections PHI is defined as Individually Identifiable Health Information (IIHI) held in, and shared by, paper form or in electronic data bases. IIHI is also defined in the general HIPAA requirements. IIHI consists of your demographic, clinical and financial information that relates to your past, present or future care, or payment for such care. In other words, it is all your confidential medical information from birth to the present, plus any future information.
In simple terms PHI is any information about health status, provision of health care, or payment for health care that can be linked to you and includes the following information:
- Your full name, and any other names you may have used;
- All the attributes of your address; such as apartment number and full zip code;
- Your birth date, dates of care, and other dates;
- Your phone numbers, home, work, and cell;
- Your fax numbers;
- Your e-mail addresses, home, work and university, possibly;
- Your Social Security Number;
- Your Medical Record Numbers, from any doctor or hospital office;
- Your financial account numbers;
- Your Health Plan Beneficiary numbers;
- Certain certificate and license numbers, such as your drivers' license, or a professional license;
- Your biometric identifiers, such as finger prints, voice prints, and iris scans;
- Photographs, X-rays, MRIs, CT Scans, and other such images of you;
- Your lab results;
- Your diagnoses;
- Your procedures; plus
- Others.
PHI is what the HIPAA Privacy regulation protects and what the HIPAA Security regulation keeps safe. The HIPAA regulations keep all your past, present and future confidential medical information protected and safe.
In the healthcare industry PHI has become the short hand method of naming your demographic, clinical and payment information. Your doctor uses this name and your health plan uses this name routinely. It is now so commonly used that even patients use and understand this term. If the PHI were a box of records it would be either a very large box of records or a number of boxes of records because it would hold all your medical records from birth onward into the future.
Designated Record Set
A Designated Record Set (DRS) is defined in the HIPAA Privacy regulation as your medical and billing records maintained by your physician or hospital, and health plan that is used to make treatment and payment decisions regarding your medical care and services. In simple terms DRS is the sub-set of your PHI that is used commonly by your physicians and health plan to make decisions about your care. This information consists of your current medical record and does not include the paper files in the basement of your doctor's office from last year, or the last decade.
What specific information is in a DRS? Your full name, current address and contact information, current medications, current diagnoses and procedures, current X-rays, current lab reports, and the details of payment for your medical care.
When you ask for any of your individual rights under the HIPAA Privacy regulation, such as access to and copying of your medical record, your doctor will usually give you what is in your DRS, not your entire PHI record because this is what most people want.
Remember ... PHI is the big 'box' of all your medical information and records. DRS is a smaller 'box' of medical information, your doctor is using to make your treatment decisions, or your health plan is using to make payment decisions about your current care.