PHI

Full Title or Meme

• As defined in FHIR Protected Health Information (PHI) must be protected by Secure Node interchanges.
• Note that in some documents this is called Personally Identifiable Healthcare Information or Electronic Health Information(EHI).

Context

The context of an FHIR interaction is the transfer of PHI although other transaction could occur of the interchange so established.

Other abbreviations that might be seen include:

1. ePHI for Electronic Protected Health Information: has the meaning set forth in 45 C.F.R. §160.103 of the HIPAA Rules.

   45 CFR § 160.103 defines Health information as any information, including genetic information, whether oral or recorded in any form or medium, that: (1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual

2. According to the Compliancy Group Electronic protected health information (ePHI) is any information stored in an electronic format, which includes patient-specific information that is collected, maintained, or transmitted by medical devices.
3. EHI for Electronic Health Information” which is any information that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual and is transmitted by or maintained in electronic media, as defined in 45 CFR 160.103, that relates to the past, present, or future health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. EHI includes information that is accessed, exchanged, used or maintained in the context of the Trusted Exchange Framework and may be developed for an individual, on behalf of an individual, or provided directly from either an individual or from technology that the individual has elected to use. EHI includes but is not limited to ePHI and health information as defined in 45 CFR 160.103. However, unlike ePHI and health information, EHI is not limited to information that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school, university or health care clearinghouse. EHI does not include health information that is de-identified consistent with the requirements

Problems

• FHIR is focused on the data access methods and encoding leveraging existing Security solutions. Security in FHIR needs to focus on the set of considerations required to ensure that data can be discovered, accessed, or altered only in accordance with expectations and policies.
• Privacy in FHIR is focused on the data access methods and encoding leveraging existing Security solutions. Security in FHIR needs to focus on the set of considerations required to ensure that data can be discovered, accessed, or altered only in accordance with expectations and policies.

Information Sharing

• Much of the effort of the HHS Office of the National Coordinator (OHC) for Healthcare IT in directed to towards the elimination of Information Blocking, which is the normal mode for Electronic Healthcare Repositories (EHR) prior to 2020. This is sometime classified as giving the Patient Choice about how to share their data. As that referenced wiki page shows, just dumping the data into the patient's lap is not really giving them control in any meaningful sense of the word.
• A report from the Pew Trusts shows that Most Americans Want to Share and Access More Digital Health Data, A survey can inform federal policies to expand use of electronic health records, protect patient privacy. Unfortunately the data classifications used, like allergies, is given as a sharing category without consideration for the use of the data. In the case of allergies, no competent clinician would perscribed medicine without knowing a user's allergies. But there is little reason to expect user's to understand that distinction when making choses about what to share.
• See the wiki page on Privacy for more information on data sharing.

Solutions

• FHIR taken as a whole is designed to securely exchange PHI in a Privacy preserving manner.
• Data not covered by ePHI rules is still protected by FTC rules, which are not so rigorously enforced.
• Wearables are not protected as ePHI.

References

• DHA definitions DHA PGI 224 – PROTECTION OF PRIVACY AND FREEDOM OF INFORMATION (Revised 2020-10-27)
• FHIR STU3 version of the Security and Privacy Module has a good overview of protection of health information.
• Health Care Profile in Kartara IDEF documentation.