
What is Protected Health Information (PHI): Guide 101


Posted in Healthcare Compliance

Last Updated | October 22, 2025

Healthcare professionals and organizations handle dense, sensitive data, from patient records and lab results to insurance claims and billing details. But with so many records out there, approximately 402.74 million terabytes, how do you distinguish what is protected health information? Information that qualifies as Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) includes any identifiable health data created, received, used, or shared by healthcare providers, insurers, or their partners. Because it connects a person’s identity to their medical information, HIPAA requires strict protection to prevent unauthorized use or disclosure. Everyone with access to PHI has a legal and ethical duty to safeguard it. Protecting PHI is not limited to maintaining compliance; it’s about trust between patients and the healthcare system.


What is Protected Health Information?

Information qualifies as PHI when it’s both personally identifiable and used or disclosed by a covered entity in the context of healthcare. If any piece of information can identify an individual and relates to their medical condition, treatment, or payment, it falls under HIPAA’s protections.

Identifiers that make health information PHI include:

  • Patient Name (full or last name and initial): Names directly connect a medical record to an individual, making even partial identifiers protected.
  • Date of Birth: A birth date can confirm identity, especially when paired with other data such as a diagnosis or address.
  • Address (anything more specific than state): Street address, city, county, or ZIP code can all pinpoint a patient’s location.
  • Social Security Number: A unique government-issued identifier that directly links to an individual.
  • Phone or Fax Number: Contact details can connect communications or records to a specific patient.
  • Email Address: Electronic communication often includes identifiable information about treatment or billing.
  • MAC or IP Address: These network identifiers can trace a device back to a specific individual.
  • Driver’s License or License Plate Number: Personal identifiers that confirm a person’s identity in records or claims.
  • Biometric Data: Fingerprints, retina scans, or facial recognition data are unique to one person, making them sensitive.
  • Medical Record Numbers: These link medical details to a specific patient’s chart.
  • Medical Device Serial Numbers: Identify the patient using or assigned to a device.
  • Health Plan Account Numbers: Connect payment and insurance records to a patient.
  • Dates of Visits, Admission, Discharge, and Treatment: Even dates alone can reveal identity when paired with other details.
  • Payments or Bills: Financial records often include treatment or insurance information.
  • Photographs: Images that can identify a person, even partially, qualify as PHI.
  • Diagnostic Codes: These reflect medical conditions and, when tied to a name or identifier, become protected.

Even outdated details, like an old address or phone number, are still PHI if they remain connected to an identifiable record. Once health data can identify a person, it’s protected indefinitely.
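The identifier list above, together with the "broken leg" progression described later on this page, can be turned into a simple scan that tells you whether a free-text record is plain health information, identifiable health information, or PHI. This is an added example, not code from the page or from Folio3; the regular expressions are deliberately coarse, and the MRN and name formats are assumptions about one record layout, so treat the output as a triage aid, not a legal determination.

```python
import re

# Coarse patterns for a subset of the identifier categories on this page.
# MRN and name formats are constructed assumptions; real systems vary.
IDENTIFIER_PATTERNS = {
    "name": re.compile(r"\b(?:Mr|Mrs|Ms|Dr)\.?\s+[A-Z][a-z]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\b(?:\+1[ -]?)?\(?\d{3}\)?[ -.]\d{3}[ -.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mac": re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
    "date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})\b"),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),   # noisy: any 5-digit run
    "mrn": re.compile(r"\bMRN[- ]?\d{6,}\b", re.IGNORECASE),
}

# Health content: a few clinical keywords plus an ICD-10-style diagnostic code.
HEALTH_TERMS = re.compile(
    r"\b(?:diagnos\w*|broken|fractur\w*|prescri\w*|treat\w*|lab results?|blood tests?)\b",
    re.IGNORECASE,
)
ICD10_CODE = re.compile(r"\b[A-Z]\d{2}(?:\.[A-Z0-9]{1,4})?\b")


def find_identifiers(text: str) -> set[str]:
    """Return the identifier categories present in free text."""
    return {name for name, pat in IDENTIFIER_PATTERNS.items() if pat.search(text)}


def is_health_information(text: str) -> bool:
    """True when the text describes a condition, treatment, or diagnosis."""
    return bool(HEALTH_TERMS.search(text) or ICD10_CODE.search(text))


def classify(text: str, held_by_covered_entity: bool) -> str:
    """Mirror the page's progression: health info -> identifiable -> PHI."""
    if not is_health_information(text):
        return "not health information"
    if not find_identifiers(text):
        return "health information"
    if not held_by_covered_entity:
        return "identifiable health information"
    return "PHI"


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["A broken leg", "Mr. Jones has a broken leg",
                   "Fracture S82.201A, seen 2025-10-22, call 555-123-4567"]:
        print(classify(sample, held_by_covered_entity=True), "<-", sample)
```

Outdated identifiers such as an old phone number still trigger the scan, which matches the point above: the link to an identifiable person, not the freshness of the detail, is what makes the record PHI.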


What are the Covered Entities Under HIPAA Rules?

HIPAA defines “covered entities” as organizations and professionals that handle protected health information. They provide healthcare, process payments, or manage healthcare operations. HIPAA’s obligations also extend to business associates that provide services on behalf of covered entities, and to their subcontractors.

Covered entities include:

  • Doctors’ offices, dental offices, and clinics: Provide direct patient care and maintain medical records.
  • Psychologists and mental health providers: Handle sensitive health and therapy information.
  • Nursing homes and pharmacies: Store and share patient medication and treatment data.
  • Hospitals and home healthcare agencies: Manage patient admissions, care notes, and discharge records.
  • Health plans and insurance companies: Process claims and store financial and medical details.
  • Government programs (Medicare, Medicaid, HMOs): Pay for and manage healthcare services.
  • Healthcare clearinghouses: Convert nonstandard health data into standard formats for billing or analysis.

What Information is Not Considered PHI?

Not all health-related or identifiable information qualifies as PHI. HIPAA applies only to data shared with or maintained by a covered entity for healthcare purposes. 

Personal health data collected for individual or workplace use doesn’t fall under HIPAA unless it’s transmitted to a covered entity.

Examples include:

  • Personal Blood Sugar Readings: Data from a home glucose monitor that isn’t shared with a healthcare provider.
  • Temperature Scans: Personal checks or workplace screenings not used for healthcare treatment.
  • Heart Rate Monitor Readings: Information tracked for fitness, not stored by a doctor or insurer.
  • Health Tracker Data: Step counts or sleep patterns from wearables like an Apple Watch remain personal until shared with a covered entity.
  • Employment Health Records: Workplace health or wellness data maintained solely for HR purposes.

What is PHI under HIPAA Regulations?

Health information becomes Protected Health Information (PHI) when it connects a person’s identity with their health condition, care, or payment history. 

When a covered entity maintains or transmits this information, in any form, it’s protected under HIPAA.

For example:

  • “A broken leg” = health information only.
  • “Mr. Jones has a broken leg” = identifiable health information.
  • When a covered entity records that statement, it becomes PHI because it links an identity (“Mr. Jones”) to medical data (“broken leg”).

Examples of Protected Health Information 

PHI can appear in written, electronic, or verbal form. Common examples include:

  • Billing information from your doctor: Combines your name with details of medical services.
  • Blood test results: Contain identifying data and diagnostic information.
  • Emails about prescriptions: Connect your identity to your medical treatment.
  • Appointment notes: Include both patient identifiers and provider information.
  • Text or voicemail reminders: May reference a patient’s appointment or provider.
  • Records listing patient and provider names: Directly connect identity and care.
  • Medicaid or Medicare documentation: Displays both personal and insurance details.

Examples of Disclosure

HIPAA’s Privacy Rule allows certain disclosures of PHI without explicit patient consent when they’re necessary for care coordination, safety, or public health.

PHI can be shared without authorization:

  • To coordinate or manage treatment: When multiple providers are involved in a patient’s care.
  • To prevent a serious threat: If disclosure can protect an individual or the public from imminent harm.
  • For public health purposes: To control disease, injury, or disability under public health authorities.
  • To inform family or friends involved in care: When necessary for patient well-being.
  • To notify the media or the public: In limited cases, if the patient has not objected.


Who is Covered by the Privacy Rule?

The Privacy Rule applies to health plans, healthcare providers, and healthcare clearinghouses that transmit electronic health information as part of standard HIPAA transactions.

Health Plans

These entities pay for or provide medical care, including:

  • Individual or group health, dental, vision, and prescription drug plans.
  • Health Maintenance Organizations (HMOs).
  • Medicare, Medicaid, and supplemental insurers.
  • Long-term care insurers (excluding fixed indemnity policies).
  • Employer, church, and government-sponsored health plans.

Exceptions:

  • Small employer plans (fewer than 50 participants) that are self-administered.
  • Programs that don’t primarily provide healthcare (like food assistance).
  • Programs that directly deliver care (like community health centers).

Healthcare Providers 

All providers that transmit health information electronically for claims, referrals, or authorizations are covered, including hospitals, clinics, physicians, and dentists. Even if they use a billing service, they remain covered entities under HIPAA.

Healthcare Clearinghouses 

These organizations process health information between providers and payers, converting nonstandard data into standard formats or vice versa. Examples include billing services, repricing companies, and data management systems.

Business Associates

A business associate is any person or organization that performs services for a covered entity involving PHI. This includes external vendors and consultants who handle identifiable health data.

Examples of business associate activities:

  • Claims Processing and Billing: Access PHI to manage payments or reimbursements.
  • Data Analysis and Utilization Review: Use PHI to evaluate efficiency or care quality.
  • Legal, Accounting, and Consulting Services: Review or process PHI for compliance or audits.
  • IT and Data Management: Maintain systems that store or transmit PHI securely.
  • Accreditation or Administrative Services: Access data to certify healthcare entities or manage records.

How To Protect PHI?

Best practices for securing health data fall into three groups of safeguards:

Administrative Safeguards

These are the policies and procedures that govern how an organization handles PHI and manages workforce conduct. 

  • Conduct regular risk assessments: Identify and analyze potential vulnerabilities and threats to electronic PHI (ePHI), such as insider risks, malware, or phishing attacks.
  • Establish and enforce access policies: Implement role-based access control to ensure that employees can only view, use, or disclose the minimum necessary PHI required for their jobs.
  • Train your workforce: Provide regular HIPAA training for all staff, including temporary workers and volunteers, to cover proper PHI handling, security procedures, and how to spot phishing emails.
  • Manage business associate agreements (BAAs): Any third-party vendor that handles PHI on behalf of your organization must sign a BAA. This contract obligates the vendor to protect PHI in line with HIPAA’s rules.
  • Create an emergency plan: Develop a plan that details the response to a data breach, system failure, or natural disaster to minimize damage and restore access to ePHI. 

Physical Safeguards

These measures protect electronic systems, equipment, and physical records from unauthorized access and environmental hazards. 

  • Control facility access: Limit physical access to server rooms, file cabinets, and other areas where PHI is stored to authorized personnel only.
  • Secure workstations and devices: Use screen savers and privacy screens to prevent passersby from viewing PHI. Always log out or lock your screen when you leave a workstation, and implement an automatic logoff for inactive sessions.
  • Safeguard mobile devices: Encrypt all mobile devices, laptops, and external drives used to access or store ePHI. Securely store these devices when not in use.
  • Establish a clean desk policy: Do not leave paper documents containing PHI unattended on desks or near printers, copiers, and fax machines. Secure them in locked storage at the end of the day.
  • Ensure proper disposal: Shred paper documents containing PHI when no longer needed. Use secure methods for the permanent erasure of ePHI from hard drives and other electronic media before disposal. 

Technical Safeguards

These are the technologies and procedures recommended as HIPAA breach-prevention best practices:

  • Encrypt ePHI. Use strong encryption, such as AES-256, for ePHI both when it is stored (“at rest”) and when it is being transmitted over a network (“in transit”).
  • Implement access controls. Assign unique user IDs and require strong passwords and multi-factor authentication (MFA) to restrict access to ePHI systems.
  • Use secure networks. Ensure remote access is protected through Virtual Private Networks (VPNs). Do not access PHI over unsecured Wi-Fi.
  • Secure communications. Use only HIPAA-compliant, encrypted platforms for emailing or texting PHI. Warn patients about the risks of unencrypted communication and document their consent.
  • Conduct regular audits. Use audit logs to track and review all activity involving ePHI. This helps detect unauthorized access attempts and potential security incidents.
  • Manage cybersecurity. Protect your network with firewalls and keep all software and antivirus programs up to date with the latest security patches to defend against threats like malware.
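The access-control and audit-log items above only pay off if someone actually reviews the logs against the role policy. The following is an added example, not code from the page or from Folio3: it runs three checks over a constructed ePHI access log (actions outside a user's role, after-hours access, and repeated denials), with the role matrix, business hours, and log format all assumed for the illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample of an ePHI access audit log (not from any real system).
SAMPLE_LOG = """\
timestamp,user,role,action,patient_id,outcome
2025-10-22T09:02:11,nurse.ali,nurse,view_chart,P-1001,allowed
2025-10-22T09:05:40,clerk.bo,billing,view_chart,P-1001,allowed
2025-10-22T09:06:02,clerk.bo,billing,view_invoice,P-1001,allowed
2025-10-22T23:41:19,dr.chen,physician,view_chart,P-2002,allowed
2025-10-22T10:10:01,tmp.dan,volunteer,view_chart,P-3003,denied
2025-10-22T10:10:09,tmp.dan,volunteer,view_chart,P-3004,denied
2025-10-22T10:10:15,tmp.dan,volunteer,view_chart,P-3005,denied
"""

# Minimum-necessary role matrix: which actions each role may perform (assumed policy).
ROLE_PERMISSIONS = {
    "physician": {"view_chart", "update_chart", "view_invoice"},
    "nurse": {"view_chart", "update_chart"},
    "billing": {"view_invoice"},
    "volunteer": set(),
}
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local; anything else gets a second look
DENIAL_THRESHOLD = 3            # repeated denials suggest probing, not a typo


def review_audit_log(log_text: str) -> list[str]:
    """Return human-readable findings for a reviewer to follow up on."""
    findings = []
    denials = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.fromisoformat(row["timestamp"])
        permitted = ROLE_PERMISSIONS.get(row["role"], set())
        if row["outcome"] == "denied":
            denials[row["user"]] += 1
            continue
        # Allowed by the system but outside the role: minimum-necessary violation.
        if row["action"] not in permitted:
            findings.append(f"{row['user']} ({row['role']}) performed {row['action']} "
                            f"on {row['patient_id']}: outside role (minimum necessary)")
        if when.hour not in BUSINESS_HOURS:
            findings.append(f"{row['user']} accessed {row['patient_id']} at {when.time()}: "
                            f"after-hours access, verify on-call justification")
    for user, count in denials.items():
        if count >= DENIAL_THRESHOLD:
            findings.append(f"{user}: {count} denied ePHI access attempts, "
                            f"possible unauthorized access attempt")
    return findings


if __name__ == "__main__":
    for finding in review_audit_log(SAMPLE_LOG):
        print(finding)
```

The first finding is the important one for "minimum necessary": the system allowed the access, so only the log review, not the access control, would have caught it.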


Develop a HIPAA-Compliant App while Safeguarding Protected Health Information with Folio3 Digital Health 

Folio3 Digital Health is known for developing innovative digital healthcare solutions that prioritize patient privacy and data security. We provide HIPAA-compliant software that can improve healthcare organizations’ administrative abilities and positively impact overall patient care. Our team of experienced healthcare IT experts develops applications tailored to meet your requirements. 

Conclusion

Safeguarding PHI is a fundamental part of ethical healthcare. Each record, file, or note represents someone who has entrusted their most private information to the system. As technology evolves, so do the risks, which makes ongoing compliance and education essential. Organizations that commit to HIPAA compliance through training, security, and transparency don’t just protect data; they preserve trust, integrity, and confidence.


Frequently Asked Questions

What is PHI under HIPAA?

Under HIPAA, PHI is individually identifiable health information held or transmitted by a covered entity. Elements that make health information identifiable include:

  • Name
  • Address
  • Phone number
  • Social Security number
  • Medical history
  • Diagnosis
  • Treatment information
  • Genetic information
  • Biometric identifiers (e.g., fingerprints, facial images)

What kinds of information are included in PHI?

HIPAA’s identifiers, any of which turn health information into PHI when linked to it, include:

  • Names
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health insurance beneficiary numbers
  • Account numbers
  • Certificate numbers
  • Vehicle identifiers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers
  • Full face imagery
  • Other identifying numbers or codes

Is there a specific list of identifiers under HIPAA?

Yes, HIPAA identifies 18 specific identifiers that, when linked with health information, are considered protected and must be secured to maintain patient privacy. These include common information like names and Social Security numbers, as well as other details such as medical record numbers, email addresses, and biometric data.

What is the difference between protected health information and ePHI (electronic PHI)?

PHI is any individually identifiable health information, while ePHI is a subset of PHI that exists in electronic form. 

Does HIPAA’s Privacy Rule apply to both paper and electronic health information?

Yes, the HIPAA Privacy Rule applies to all forms of protected health information (PHI), including electronic, paper, and oral information. 

What distinguishes patient consent from patient authorization under HIPAA?

Patient consent is a voluntary agreement for routine use and disclosure of protected health information (PHI) for treatment, payment, and healthcare operations, while HIPAA authorization is a separate, required document for other specific disclosures, such as marketing or research. Consent is often implied or obtained through initial paperwork, whereas authorization is a detailed, explicit, and separate agreement.

What is secure email for healthcare?

Secure email for healthcare is a method of sending digital information that protects sensitive patient health information (PHI) according to the Health Insurance Portability and Accountability Act (HIPAA). It uses security measures like encryption and secure protocols to ensure that PHI remains confidential, intact, and accessible only to authorized individuals. 

Why is PHI valuable to criminals?

PHI (protected health information) is valuable to criminals because it contains a comprehensive set of data, including names, social security numbers, and medical details, which can be used for long-term identity theft and fraud that is difficult for victims to undo. Unlike financial information that can be canceled, medical history and other PHI are permanent and can be used to create fake identities to commit insurance fraud, gain fraudulent prescriptions, and launch targeted scams and extortion attempts.

What is health information?

Health information refers to any data or details related to an individual’s physical or mental health, including: 

  • Medical history: Past and current illnesses, diagnoses, treatments, and medications
  • Test results: Lab reports, imaging studies, and other medical examinations
  • Demographic information: Name, address, date of birth, and insurance status
  • Lifestyle factors: Diet, exercise, smoking habits, and alcohol consumption
  • Genetic information: Family medical history and genetic testing results

About the Author

Khowaja Saad

Saad specializes in leveraging healthcare technology to enhance patient outcomes and streamline operations. With a background in healthcare software development, Saad has extensive experience implementing population health management platforms, data integration, and big data analytics for healthcare organizations. At Folio3 Digital Health, they collaborate with cross-functional teams to develop innovative digital health solutions that are compliant with HL7 and HIPAA standards, helping healthcare providers optimize patient care and reduce costs.
