What is Protected Information?
Protected information is information that is subject to restrictions on its storage, transit, and other means of use. Protected Information can also be labeled as sensitive, restricted, or private.
What is PHI?
PHI is an acronym for Protected Health Information. Protected Health Information (PHI) is all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."
“Individually identifiable health information” is information, including demographic data, that relates to:
the individual’s past, present or future physical or mental health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
What is the difference between ePHI & PHI?
ePHI stands for ELECTRONIC Protected Health Information. Electronic Protected Health Information (ePHI) is individually identifiable health information in electronic form. Protection of ePHI is intended to preserve its confidentiality, integrity, and availability when it is stored, maintained, or transmitted.
PHI is ALL protected health information, whether it’s in print, hard copy, recorded or live video/audio, OR electronic. ePHI is classified as all protected health information that is stored, transmitted or used electronically.
What is PII?
PII is an acronym for Personally Identifiable Information. Personally Identifiable Information (PII) is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Examples of PII include, but are not limited to:
Name, such as full name, maiden name, mother's maiden name, or alias
Personal identification number, such as social security number (SSN), passport number, driver's license number, taxpayer identification number, or financial account or credit card number
Address information, such as street address or email address
Personal characteristics, including photographic image (especially of face or other identifying characteristic), fingerprints, handwriting, or other biometric data (e.g., retina scan, voice signature, facial geometry)
Can I send ePHI, PHI, PII and/or any other type of Protected Information?
Yes. You can send ePHI, PHI, PII and/or any other type of Protected Information.
How do I send ePHI, PHI, PII and/or any other type of Protected Information?
There are many ways to send protected information.
Email
You can send Protected Information via email using UT Vault. For more information regarding UT Vault, please contact UTHSC Information Security at firstname.lastname@example.org or visit the UT Vault Knowledge Base pages from UT Knoxville.
Mail (USPS, FedEx, UPS, DHL and other physical mailing entities)
The file should be wrapped or sealed in an envelope or pouch in such a manner that the PHI cannot be identified during the transportation process. The outside of the container should contain clear information regarding the addressee, which includes the name, address and telephone number where he/she can be reached. Covered entities should ensure that transported PHI be delivered only to the appropriate individuals who are authorized to receive the information. This can be accomplished by implementing a tracking method by which the sender and the recipient can sign and verify delivery and receipt of the information.
Fax
There is no secure way to send protected information via fax unless the fax/phone line is secure. You must take appropriate safeguards to protect the information. Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.
Text Messaging (IM, iMessage, SMS)
There is no secure method to send Protected Information using text messaging services. Please DO NOT send any type of protected information via text.
Live Phone or In-Person Conversation
When talking with a patient or another medical professional, ALWAYS use common sense, follow medical ethics, and take precautionary measures. Be aware of your surroundings and pay close attention to the information you are giving the patient or fellow medical professional. Ask the patient or medical professional if they are on speaker phone or if they are in a crowded area to prevent others from hearing the conversation.
When leaving a voicemail for a patient or medical professional, make sure that you have dialed the correct number. Listen for the patient or fellow medical professional’s name during their voicemail greeting. Please keep the message very general, advise them to return your call, and give details to the patient or medical professional when they become available.
Social Media (including social media email accounts)
The Department of Information Security prohibits using Social Media accounts and social media messaging tools when exchanging protected information.
Does the institution have a policy regarding Protected Information?
Yes. Please refer to the policies below regarding Protected Information.
UTHSC Information Protection Policy
UTHSC Data Classification Policy