What Is Protected Health Information (PHI)? A Guide For Healthcare Professionals

Key Takeaways: 

• Healthcare organizations must protect PHI under HIPAA to prevent unauthorized access or disclosure of sensitive patient information 
• Regular risk assessments, encryption, and strict access control can help reduce the risk of PHI breaches 
• Covered entities under HIPAA such as healthcare providers, health plans, and clearinghouses are responsible for safeguarding PHI 
• ePHI refers to electronic protected health information and is stored in EHRs and other cloud-based systems 
• HIPAA violations can lead to heavy penalties, which may include fines, corrective action plans, and even imprisonment for intentional violations 

Healthcare organizations have a legal obligation under HIPAA to secure protected health information (PHI) from unauthorized access or disclosure. HIPAA defines PHI as any individually identifiable health information that is created, transmitted, or maintained by a covered entity or its business associates. This includes details such as medical records, lab results, insurance information, and other health data that can be linked to an individual. 

In this guide, we will explore what is protected health information under HIPAA, the potential penalties for PHI violations, and recent case studies to help providers protect this sensitive patient information. 

PHI includes any information related to an individual's past, present, or future physical or mental health, treatment plans, and payment details for the treatment. Moreover, any individually identifiable non-health information stored in the same designated record set as health information also qualifies as PHI.

The HIPAA journal quotes this example of PHI in healthcare: 

“If a covered entity records 'Mr. Jones has a broken leg,' both the personal identifier ('Mr. Jones') and the health-related information ('broken leg') are protected under HIPAA." 

This data is protected under the HIPAA Privacy Rule, which ensures the confidentiality and security of PHI from unauthorized use. The ‘Privacy Rule’ covers both electronic and paper records, as well as verbal communication of health information.

It is important to understand what PHI is to ensure that healthcare organizations protect the appropriate types of information. Protecting too much information can unnecessarily burden the system, while protecting too little can lead to significant HIPAA violations. 

Key Identifiers Of PHI 

The Department of Health and Human Services (HHS) had previously outlined 18 key identifiers that classify information as PHI under HIPAA.

These identifiers include: 

Names Identifying geographic information Telephone numbers Dates [except for the year] that relate to birth, death, admission or discharge Fax numbers Email address

Social security number Medical record numbers Health plan beneficiary numbers Account numbers Certificate numbers Vehicle identifiers such as VIN numbers or license plates

Device identifiers and serial numbers Web addresses or URLs  IP addresses Full face images Biometric data such as fingerprints Any other information that could identify an individual

While the list is now considered outdated, it still includes personal, demographic, and health-related details that can directly or indirectly reveal an individual's identity. 

What Doesn't Qualify As PHI? 

Not all health-related information is considered PHI. For data to qualify as PHI under HIPAA, it must be both individually identifiable and handled by a covered entity or its business associates.

For example, de-identified health information, which removes all personally identifiable markers like names, addresses, or social security numbers, is not considered PHI and, therefore, is not subject to HIPAA regulations.

Additionally, general wellness data shared in non-healthcare contexts, such as fitness tracking information from apps, is not considered PHI unless it is managed by a healthcare provider or covered entity. 

The main difference between PHI and electronic protected health information (ePHI) lies in the medium through which the information is stored and transmitted. As already established, PHI includes all forms of protected health information, whether in paper form or digital files.

ePHI specifically refers to PHI that is created, shared, or stored electronically, such as in EHRs, emails, or cloud-based databases. 

Both PHI and ePHI are protected under the HIPAA Privacy Rule, while the HIPAA Security Rule focuses primarily on securing ePHI through various physical, technical, and administrative safeguards. 

For more information on the HIPAA rules for protecting ePHI, refer to our comprehensive guide on HIPAA and EHR security. 

HIPAA sets strict guidelines for protecting PHI and ensuring that health information is securely shared to support quality care. In this section, we will explain which entities must comply with HIPAA regulations and the potential consequences of failing to protect PHI. 

What Is A Covered Entity? 

Covered entities are organizations that fall under HIPAA’s regulatory framework. These include:

Healthcare Providers   Providers that electronically transmit health information are required to comply with HIPAA. These providers include, but are not limited to: Hospitals  Clinics  Doctors  Dentists  Chiropractors  Psychologists

Healthcare Clearinghouses   Healthcare clearinghouses are organizations responsible for converting non-standard healthcare data into standardized formats in line with HIPAA’s administrative rules. They play an important role in ensuring data can be securely shared across systems while maintaining compliance

Health Plans   Health plans cover organizations that arrange or pay for healthcare services. This category includes: Health insurance companies  Government-funded programs like Medicare  Health maintenance organizations (HMOs)  Military and veterans’ healthcare programs

The above entities are legally required to follow HIPAA rules to ensure PHI remains confidential and secure. 

What Is A Business Associate? 

A business associate is any organization or individual that provides services to a covered entity which requires them to use or access PHI. This relationship means that business associates are equally responsible for safeguarding PHI and adhering to HIPAA regulations. 

The Centers for Medicare and Medicaid Services (CMS) outline the following three examples of business associates: 

• A consultant who performs utilization reviews for a hospital 
• A third-party administrator that handles claims processing for a health plan 
• An independent medical transcriptionist who provides transcription services to a physician 

It is important to note that a covered health plan, healthcare provider, or healthcare clearinghouse can also act as a business associate for another covered entity, depending on the services they provide. 

Penalties For PHI Violations 

HIPAA violations are categorized as either civil or criminal, and the consequences can range from fines to corrective action plans, and even imprisonment. The penalties, which are determined by the Office for Civil Rights (OCR), depend on factors such as the severity of the violation.

Civil monetary penalties can range from $137 to $68,928 per violation, while criminal penalties are imposed for intentional violations, which may also include imprisonment. 

For example, in 2021, Excellus Health Plan reached a $5 million settlement to resolve HIPAA violations following a 2015 data breach that exposed the PHI of nearly 9.4 million individuals. 

Criminal penalties for HIPAA violations are divided into three tiers, each of which comes with potential jail time and fines as decided by a judge based on the details of the case: 

Tier	Violation	Penalty
Tier 1	Reasonable cause or no knowledge of the violation	Up to 1 year in jail
Tier 2	Obtaining PHI under false pretenses	Up to 5 years in jail
Tier 3	Obtaining PHI for malicious intent or personal gain	Up to 10 years in jail

The ‘HIPAA Privacy Rule’ allows permitted disclosure of PHI under specific circumstances, such as for quality improvement activities. However, both covered entities and business associates should implement comprehensive measures to safeguard PHI, especially ePHI, which is increasingly targeted by cybercriminals. 

Many HIPAA compliance experts recommend adopting a defense-in-depth strategy to enhance PHI protection, which includes multiple layers of security. Key best practices include: 

• Data encryption on all devices 
• Firewall protection 
• Auditing solutions 
• Physical security controls 
• Intrusion detection systems 

Recently, there have been several significant HIPAA violations, which led to costly fines and settlements. Here are two notable examples and the lessons we can learn from each: 

Heritage Valley Health System Faces $950,000 Settlement 

In 2024, the Heritage Valley Health System reached a $950,000 settlement with the OCR following an investigation that exposed serious HIPAA violations. The investigation was triggered after the health system failed to perform a comprehensive risk analysis, a critical requirement for ensuring the protection of ePHI. 

The OCR discovered that ‘Heritage Valley Health System’ had not developed appropriate policies and procedures to respond effectively in the event of an emergency. Additionally, no technical policies were in place to limit access to the systems containing ePHI. 

Lessons To Learn: 

• Conduct regular and comprehensive risk analyses to identify and mitigate potential risks to ePHI 
• Establish clear technical policies and procedures that restrict access to ePHI systems 
• Ensure emergency response plans are in place to safeguard health data during unforeseen events 

Green Ridge Behavioral Health Settles For $40,000 Over HIPAA Violations 

Green Ridge Behavioral Health reached a $40,000 settlement with the OCR in 2024 after an investigation revealed multiple HIPAA compliance failures. The behavioral health provider had not conducted a thorough risk analysis and failed to reduce identified risks to ePHI, resulting in the impermissible disclosure of sensitive health data for 14,000 individuals. 

Further scrutiny uncovered a lack of policies to monitor activity within the provider's information systems. These shortcomings contributed to the exposure of the ePHI of thousands of patients, leading to significant legal and financial repercussions. 

Lessons To Learn: 

• Perform comprehensive risk analyses regularly to assess vulnerabilities and protect patient data 
• Implement proper monitoring procedures to track access and activity within ePHI systems 
• Ensure that ePHI is safeguarded through appropriate risk-reduction measures 

With a consistent increase in healthcare data breaches, it is important for healthcare organizations to implement appropriate measures to protect PHI and ensure compliance with HIPAA regulations. Adopting best practices like risk assessments, data encryption, and access controls can significantly reduce the risk of violations and protect sensitive patient data. 

If you are uncertain about your organization’s ability to secure PHI, seeking professional guidance is a smart next step. You should consult HIPAA compliance experts to navigate the complex regulations and protect your organization from costly violations. 

Alternatively, read our comprehensive guide to regulatory compliance for new healthcare practices for more information on safeguarding sensitive data and maintaining compliance. 

What is considered protected health information? 

Protected Health Information (PHI) includes any information about an individual's health status, treatment, or payment for healthcare that can identify the person. 

What is an example of protected health information?

An example of PHI is a medical record that includes a patient's name, diagnosis, and treatment history. 

What is considered protected health information in an EMR? 

In an EMR, PHI includes all patient-related data such as medical history, treatment plans, and billing information, which must be securely managed according to HIPAA data storage requirements. 

What is PHI?

PHI stands for ‘Protected Health Information’, which refers to any personal health data that is safeguarded under the HIPAA Privacy Rule. 

What is ePHI? 

ePHI stands for ‘Electronic Protected Health Information’, which refers to PHI that is stored or transmitted electronically. 

What does PHI stand for in HIPAA? 

In HIPAA, PHI stands for ‘Protected Health Information’, which refers to sensitive health data that must be protected according to privacy and security regulations.