Lesson 3: Protected Health Information (PHI) Deep Dive


Lesson Goal


For you to become familiar with the criteria for determining whether data should be considered Protected Health Information (PHI) and concepts related to data encryption.

Lesson Summary


Determining what is or isn't PHI is critical to HIPAA compliance. Some data elements are considered Direct Identifiers (such as SSN or member ID), while others are considered Indirect Identifiers (such as date of birth). Using proper approaches to handling PHI, including data encryption methods, is an important part of how PHI is kept secure.

The Big Topics in This Lesson


1- Indirect vs Direct Identifiers

The information under this topic covers the different types of data elements that are considered Protected Health Information (PHI).

2- Data Encryption

The information under this topic focuses on understanding what data encryption is and why it is important for HIPAA compliance.

3- Other Laws Besides HIPAA

The information under this topic focuses on awareness of other laws besides HIPAA that govern the use of Protected Health Information.

Lesson Q & A



Q1: What does Protected Health Information (PHI) mean? What does "identifiable" data mean?


In order to know how to handle data correctly, organizational team members need to understand a spectrum of health information in terms of how easily it can be used to identify a specific individual. There are 3 main types of healthcare data:

  1. Data that cannot be used to identify individuals, even in combination with other data. This type of information is aggregated at so high a level that personal identification is not possible. Example: the number of people with an HIV diagnosis by city (assuming the city population is not very small).
  2. Data that cannot be used to identify individuals by itself, but could be used to do so when combined with other data. These are called Indirect Identifiers, such as date of birth, zip code, date of service, etc. HIPAA refers to a data set that contains indirect identifiers but no direct identifiers as a "Limited Data Set." Limited Data Sets are considered PHI.
  3. Data that contain Direct Identifiers, such as name, SSN, insurance policy numbers, etc. These are considered PHI.

Q2: What is encryption / decryption?


Encryption makes data on computers and other electronic devices unreadable or "scrambled" to anyone who does not hold the key; decryption is the reverse step that turns the scrambled data back into readable data using that key. There are tools that use different algorithms to create encrypted or tokenized versions of identifiers such as SSN or member ID. Because the same input always produces the same protected value, the protected ID can still be used to report on unique members without exposing the real identifier. Encryption can be done at the field level (individual data elements such as SSN or member ID inside a file or database) or at the file transfer level (the whole file or connection is protected while the data is in transit). In either case, whoever holds the key can recover the original data, so protecting the key is as important as encrypting the data.
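The following is an added example, not code from the lesson or from any tool it describes, showing the field-level approach above in Python. It assumes a keyed hash (HMAC-SHA256) as the algorithm that turns a member ID into a protected token; the lesson does not name an algorithm, so that choice is the example's own. The records, the demo key, and the 5-digit member ID space are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample claim records (not real data): two lines for the same
# member, one each for two other members. Member IDs are 5-digit strings.
RECORDS = [
    {"member_id": "00123", "dob": "1980-05-14", "zip": "02115", "dx": "E11.9"},
    {"member_id": "00123", "dob": "1980-05-14", "zip": "02115", "dx": "I10"},
    {"member_id": "04567", "dob": "1975-11-02", "zip": "02116", "dx": "J45.20"},
    {"member_id": "99001", "dob": "1992-01-30", "zip": "02118", "dx": "E11.9"},
]

# Demo-only key so the example is reproducible. In a real system the key
# comes from a key management service and never ships with the report.
DEMO_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)

# Every possible 5-digit member ID: the small space an attacker can enumerate.
ID_SPACE = [f"{i:05d}" for i in range(100_000)]


def pseudonymize(value, key):
    """Keyed, deterministic token: same input + same key -> same token,
    so the token still identifies a unique member for reporting."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_records(records, key, fields=("member_id",)):
    """Field-level protection: replace only the listed direct identifiers
    with tokens and leave every other column as it was."""
    protected_records = []
    for rec in records:
        protected = dict(rec)
        for field in fields:
            protected[field] = pseudonymize(rec[field], key)
        protected_records.append(protected)
    return protected_records


def unique_members(records):
    """Count distinct members; gives the same answer on plaintext or tokens."""
    return len({rec["member_id"] for rec in records})


def unkeyed_hash(value):
    """Plain SHA-256 with no key: the weak variant used for contrast."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def reverse_unkeyed(token):
    """Recover an ID from an unkeyed hash by hashing every candidate ID.
    Works against unkeyed_hash() output; fails against HMAC tokens because
    the attacker cannot compute them without the key."""
    lookup = {unkeyed_hash(candidate): candidate for candidate in ID_SPACE}
    return lookup.get(token)


if __name__ == "__main__":
    tokenized = pseudonymize_records(RECORDS, DEMO_KEY)
    print("unique members, plaintext:", unique_members(RECORDS))
    print("unique members, tokenized:", unique_members(tokenized))
    print("unkeyed hash reversed:", reverse_unkeyed(unkeyed_hash("00123")))
    print("keyed token reversed:", reverse_unkeyed(pseudonymize("00123", DEMO_KEY)))
```

Two things worth noticing when running it. First, the unique-member count is identical before and after tokenization, which is the property the lesson describes. Second, an unkeyed hash of a short identifier is recovered immediately by trying every value, because identifiers like member IDs and SSNs live in a small, predictable space; only the keyed version resists that, which is why the key, not the algorithm, is the secret to guard. Note also that the date of birth and zip columns are untouched and still form a Limited Data Set, so the tokenized file remains PHI.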

Medicaid Dictionary

New Terms from this lesson:
  1. Limited Data Set: a data set that is considered PHI, but only contains Indirect Identifiers
  2. Indirect Identifiers: data elements that on their own cannot identify a person, but could when combined with other information (such as date of birth or 5-digit zip)
  3. Direct Identifiers: data elements that directly identify a person, such as SSN, name or member ID
