Skip to main content

What is PHI?

Protected Health Information (PHI) includes any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. Rubric handles PHI as a business associate under HIPAA.
PHI ElementExamplesRubric Handling
NamesPatient names, provider namesEncrypted, access-controlled
DatesDOB, admission dates, appointment datesEncrypted, configurable redaction
Contact InfoPhone, email, addressEncrypted, optional exclusion
IdentifiersMRN, SSN, health plan IDEncrypted, tokenization available
Medical RecordsDiagnoses, medications, lab resultsEncrypted, audit logged
ImagesX-rays, MRIs, photosEncrypted, DICOM de-identification
Audio/VideoPatient calls, telehealth recordingsEncrypted, transcription controls

Minimum Necessary Standard

Rubric follows the HIPAA minimum necessary standard, accessing only the PHI required for evaluation purposes. Configure your projects to limit PHI exposure:
phi_configuration.py
from rubric import Rubric

client = Rubric(api_key="rb_live_xxxxxxxx")

# Configure PHI handling for a project
client.projects.configure_phi(
    project="patient-triage",

    phi_config={
        # What PHI elements are allowed
        "allowed_elements": [
            "medical_records",    # Required for clinical evaluation
            "dates_of_service",   # Required for temporal context
        ],

        # What PHI elements to exclude
        "excluded_elements": [
            "names",              # Not needed for evaluation
            "contact_info",       # Not needed for evaluation
            "identifiers",        # Use tokens instead
        ],

        # Automatic de-identification
        "auto_deidentify": {
            "enabled": True,
            "method": "redact",   # or "tokenize", "hash"
            "elements": ["names", "contact_info"]
        },

        # Access restrictions
        "access_restrictions": {
            "require_justification": True,
            "max_retention_days": 90,
            "export_requires_approval": True
        }
    }
)

De-identification Methods

Rubric supports multiple de-identification methods to protect PHI while maintaining data utility for evaluation.

Redaction

Replace PHI with placeholder text. Best for removing identifiers entirely.
redaction.py
# Configure redaction
client.projects.configure_phi(
    project="patient-triage",
    phi_config={
        "auto_deidentify": {
            "enabled": True,
            "method": "redact",
            "elements": ["names", "mrn", "ssn", "phone", "email"],
            "replacement": "[REDACTED]"  # or "[NAME]", "[MRN]", etc.
        }
    }
)

# Example transformation:
# Input: "John Smith (MRN: 12345) called about chest pain"
# Output: "[REDACTED] (MRN: [REDACTED]) called about chest pain"

Tokenization

Replace PHI with consistent tokens that preserve referential integrity.
tokenization.py
# Configure tokenization
client.projects.configure_phi(
    project="patient-triage",
    phi_config={
        "auto_deidentify": {
            "enabled": True,
            "method": "tokenize",
            "elements": ["names", "mrn", "patient_id"],

            # Consistent tokens within a sample
            "preserve_consistency": True
        }
    }
)

# Example transformation:
# Input: "John Smith mentioned his wife Jane Smith is also a patient"
# Output: "PERSON_001 mentioned his wife PERSON_002 is also a patient"

Safe Harbor De-identification

Apply HIPAA Safe Harbor method to remove all 18 identifier categories.
safe_harbor.py
# Configure Safe Harbor de-identification
client.projects.configure_phi(
    project="patient-triage",
    phi_config={
        "auto_deidentify": {
            "enabled": True,
            "method": "safe_harbor",

            # Optionally keep certain elements with justification
            "exceptions": {
                "age": True,         # Keep ages under 90
                "dates": "year_only" # Keep year, remove month/day
            }
        }
    }
)

# Safe Harbor removes all 18 HIPAA identifiers:
# 1. Names                    10. Account numbers
# 2. Geographic subdivisions  11. Certificate/license numbers
# 3. Dates (except year)      12. Vehicle identifiers
# 4. Phone numbers            13. Device identifiers
# 5. Fax numbers              14. Web URLs
# 6. Email addresses          15. IP addresses
# 7. SSN                      16. Biometric identifiers
# 8. MRN                      17. Full-face photos
# 9. Health plan ID           18. Unique identifying codes

Access Controls for PHI

Implement granular access controls to limit who can view PHI:
phi_access_controls.py
# Configure PHI access controls
client.projects.configure_access(
    project="patient-triage",

    access_config={
        # Require specific role to view PHI
        "phi_access_roles": ["reviewer", "project_admin"],

        # Require MFA for PHI access
        "phi_requires_mfa": True,

        # Limit PHI access to specific IP ranges
        "phi_allowed_ips": ["10.0.0.0/8", "192.168.1.0/24"],

        # Session timeout for PHI access
        "phi_session_timeout_minutes": 30,

        # Require access justification
        "require_justification": {
            "enabled": True,
            "valid_reasons": [
                "clinical_review",
                "quality_assurance",
                "compliance_audit"
            ],
            "expires_after_hours": 8
        }
    }
)

# Request PHI access with justification
access_grant = client.phi.request_access(
    project="patient-triage",
    reason="clinical_review",
    samples=["sample_123", "sample_456"],
    duration_hours=4
)

# Use the access grant
with access_grant:
    sample = client.samples.get("sample_123", include_phi=True)
    print(sample.input)  # Full data including PHI

Audit Trail

All PHI access is logged with comprehensive audit trails:
phi_audit.py
# Query PHI access logs
logs = client.audit.query(
    event_type="phi_access",
    start_date="2024-01-01",
    end_date="2024-01-31",

    # Optional filters
    filters={
        "user_id": "user_abc123",
        "action": "view",
        "project": "patient-triage"
    }
)

for log in logs:
    print(f"{log.timestamp}: {log.user_email}")
    print(f"  Action: {log.action}")
    print(f"  Resource: {log.resource_type}/{log.resource_id}")
    print(f"  Justification: {log.justification}")
    print(f"  IP Address: {log.ip_address}")
    print(f"  PHI Elements Accessed: {log.phi_elements}")
Audit Log Retention: PHI access logs are retained for 7 years by default to meet HIPAA requirements. Logs are stored in a tamper-evident format with cryptographic verification.

Data Breach Prevention

PracticeDescription
Encryption EverywhereAll PHI is encrypted at rest (AES-256) and in transit (TLS 1.3).
Data Loss PreventionAutomatic detection and blocking of PHI in unauthorized channels.
Access Anomaly DetectionML-based detection of unusual access patterns with automatic alerts.
Export ControlsPHI exports require approval and are logged with full audit trail.

Troubleshooting PHI Access

IssueSolution
Access Denied to PHIVerify your role includes PHI access permissions. Check if MFA is required and completed.
PHI Not Visible in SampleCheck if the sample was de-identified on upload. Request PHI access grant if needed.
Export BlockedPHI exports require approval. Submit an export request with justification.