Healthcare organizations have a legal obligation under HIPAA to secure protected health information (PHI) from unauthorized access or disclosure. HIPAA defines PHI as individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or its business associates, in any form or medium. This includes details such as medical records, lab results, insurance information, and any other health data that can be linked to an individual.
In this guide, we will explore what is protected health information under HIPAA, the potential penalties for PHI violations, and recent case studies to help providers protect this sensitive patient information.
PHI includes any information related to an individual's past, present, or future physical or mental health, treatment plans, and payment details for the treatment. Moreover, any individually identifiable non-health information stored in the same designated record set as health information also qualifies as PHI.
The HIPAA journal quotes this example of PHI in healthcare:
This data is protected under the HIPAA Privacy Rule, which sets national standards for when PHI may be used and disclosed and gives patients rights over their own information. The Privacy Rule covers PHI in every form: electronic and paper records as well as verbal communication of health information.
It is important to understand what PHI is to ensure that healthcare organizations protect the appropriate types of information. Protecting too much information can unnecessarily burden the system, while protecting too little can lead to significant HIPAA violations.
Key Identifiers Of PHI
The Department of Health and Human Services (HHS) outlined 18 identifiers which, when they accompany health information, make that information individually identifiable. The same list defines the Safe Harbor method of de-identification at 45 CFR 164.514(b)(2).
These identifiers are:
1. Names
2. All geographic subdivisions smaller than a state (street address, city, county, precinct, and ZIP code), except the initial three digits of a ZIP code where the corresponding area contains more than 20,000 people
3. All elements of dates (except year) directly related to an individual, such as birth, admission, discharge, and death dates, and all ages over 89
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate or license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web URLs
15. IP addresses
16. Biometric identifiers, including finger and voice prints
17. Full-face photographs and any comparable images
18. Any other unique identifying number, characteristic, or code
While the list is now widely considered outdated (it predates identifiers such as social media handles, for example), it still covers the personal and demographic details that can directly or indirectly reveal an individual's identity, and the same details appear in most data-loss incidents involving PHI.
What Doesn't Qualify As PHI?
Not all health-related information is considered PHI. For data to qualify as PHI under HIPAA, it must be both individually identifiable and handled by a covered entity or its business associates.
For example, de-identified health information is not PHI and is therefore not subject to HIPAA. Information counts as de-identified under the Privacy Rule only if one of two methods is followed: the Safe Harbor method, which removes all 18 identifiers (names, addresses, Social Security numbers, and so on) and requires that the entity has no actual knowledge that the remaining information could identify the individual, or the Expert Determination method, in which a qualified expert documents that the risk of re-identification is very small.
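As an added example that is not part of the original article: a minimal Safe Harbor de-identification routine for a flat patient record. The record layout, the field names, the sample record, and the low-population ZIP-prefix set are constructed assumptions for this page; the transformation rules (remove the direct identifiers, keep only the first three ZIP digits and report 000 for areas of 20,000 people or fewer, reduce dates to the year, and aggregate ages of 90 and over) follow 45 CFR 164.514(b)(2).

```python
"""Safe Harbor de-identification of a flat patient record.

Added example for this page; not code from the original article. The
field names, the sample record, and LOW_POPULATION_ZIP3 are constructed
assumptions. The rules applied are the Safe Harbor rules of
45 CFR 164.514(b)(2).
"""
import re
from datetime import date

# ASSUMPTION: placeholder set of three-digit ZIP prefixes whose combined
# population is 20,000 or fewer. Safe Harbor requires these to be reported
# as "000". The real set must be derived from current Census data.
LOW_POPULATION_ZIP3 = {"036", "059", "102", "203", "556", "692", "821"}

# Direct identifiers that Safe Harbor requires to be removed entirely
# (field names are hypothetical).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric", "photo",
}


def generalize_zip(zip_code: str) -> str:
    """Keep only the first three ZIP digits; use 000 for low-population areas."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 5:          # not a valid ZIP: do not leak a partial value
        return "000"
    zip3 = digits[:3]
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3


def generalize_date(value: str):
    """Reduce an ISO date to its year; unparseable dates are dropped (None)."""
    try:
        return str(date.fromisoformat(value).year)
    except ValueError:
        return None


def generalize_age(age: int) -> str:
    """Ages over 89 must be aggregated into a single '90 or older' category."""
    return "90+" if age >= 90 else str(age)


def deidentify(record: dict) -> dict:
    """Return a Safe Harbor de-identified copy of `record`."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                          # identifier removed outright
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key.endswith("_date"):
            year = generalize_date(value)
            if year is not None:
                out[key[:-len("_date")] + "_year"] = year
        elif key == "age":
            out["age"] = generalize_age(value)
        else:
            out[key] = value                  # clinical content is retained
    # Edge case: for ages of 90 and over, the birth year itself reveals the
    # age, so Safe Harbor requires that date element to be removed as well.
    if out.get("age") == "90+":
        out.pop("birth_year", None)
    return out


# Constructed sample input (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "ip_address": "203.0.113.7",
    "zip": "03601",
    "birth_date": "1932-04-12",
    "admission_date": "2024-02-03",
    "age": 91,
    "diagnosis": "Type 2 diabetes",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```

Running the block prints the de-identified record, which keeps only the ZIP prefix (000, because the constructed prefix set marks 036 as low-population), the admission year, the aggregated age category, and the diagnosis. Removing the identifiers is the mechanical half of Safe Harbor; the entity must still have no actual knowledge that what remains (a rare diagnosis combined with a year and a ZIP prefix, say) could identify the patient, which is why Expert Determination exists for richer datasets.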
Additionally, general wellness data shared in non-healthcare contexts, such as fitness tracking information from apps, is not considered PHI unless it is managed by a healthcare provider or covered entity.
The main difference between PHI and electronic protected health information (ePHI) lies in the medium through which the information is stored and transmitted. As already established, PHI includes all forms of protected health information, whether in paper form or digital files.
ePHI specifically refers to PHI that is created, shared, or stored electronically, such as in EHRs, emails, or cloud-based databases.
Both PHI and ePHI are protected under the HIPAA Privacy Rule, while the HIPAA Security Rule focuses primarily on securing ePHI through various physical, technical, and administrative safeguards.
For more information on the HIPAA rules for protecting ePHI, refer to our comprehensive guide on HIPAA and EHR security.
HIPAA sets strict guidelines for protecting PHI and ensuring that health information is securely shared to support quality care. In this section, we will explain which entities must comply with HIPAA regulations and the potential consequences of failing to protect PHI.
What Is A Covered Entity?
Covered entities are organizations that fall under HIPAA’s regulatory framework. These include:
Healthcare Providers
Providers that electronically transmit health information in connection with a transaction for which HHS has adopted a standard (claims, eligibility checks, or referral authorizations, for example) are required to comply with HIPAA. These providers include, but are not limited to, doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies.
Healthcare Clearinghouses
Healthcare clearinghouses are organizations that convert non-standard healthcare data received from another entity into the standardized formats required by HIPAA's transaction rules, or vice versa; billing services and repricing companies are typical examples. They play an important role in ensuring data can be shared across systems while maintaining compliance.
Health Plans
Health plans are organizations that provide or pay for the cost of medical care. This category includes health insurance companies, HMOs, employer-sponsored group health plans, and government programs that pay for healthcare, such as Medicare and Medicaid.
The above entities are legally required to follow HIPAA rules to ensure PHI remains confidential and secure.
What Is A Business Associate?
A business associate is any organization or individual that creates, receives, maintains, or transmits PHI on behalf of a covered entity, or that provides services to a covered entity which require access to PHI (billing, claims processing, data analysis, cloud hosting, and legal or consulting services, for example). Business associates are directly liable under HIPAA for safeguarding the PHI they handle and must sign a business associate agreement (BAA) with the covered entity that sets out their permitted uses and disclosures.
It is important to note that a covered health plan, healthcare provider, or healthcare clearinghouse can also act as a business associate for another covered entity, depending on the services they provide.
Penalties For PHI Violations
HIPAA violations are categorized as either civil or criminal, and the consequences range from fines and corrective action plans to imprisonment. Civil penalties are determined by the Office for Civil Rights (OCR) and depend on factors such as the nature and extent of the violation, the harm caused, and the entity's compliance history.
Civil monetary penalties currently range from $137 to $68,928 per violation (inflation-adjusted figures that HHS updates periodically), subject to an annual cap for violations of the same provision. Criminal penalties are reserved for knowing violations, are prosecuted by the Department of Justice rather than OCR, and may include imprisonment.
For example, in 2021, Excellus Health Plan paid $5.1 million to settle potential HIPAA violations following a data breach discovered in 2015 that exposed the PHI of nearly 9.4 million individuals.
Criminal penalties for HIPAA violations (42 U.S.C. 1320d-6) are divided into three tiers, each carrying a maximum fine and prison term; the sentence in a given case is decided by the court based on its details:
Tier | Violation | Penalty |
Tier 1 | Knowingly obtaining or disclosing PHI in violation of HIPAA | Fine of up to $50,000 and up to 1 year in prison |
Tier 2 | Obtaining or disclosing PHI under false pretenses | Fine of up to $100,000 and up to 5 years in prison |
Tier 3 | Obtaining or disclosing PHI with intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm | Fine of up to $250,000 and up to 10 years in prison |
The HIPAA Privacy Rule permits covered entities to use and disclose PHI without patient authorization for treatment, payment, and healthcare operations (which include quality improvement activities), and in a limited set of other defined circumstances. Outside those permitted uses, both covered entities and business associates must implement comprehensive safeguards for PHI, especially ePHI, which is increasingly targeted by cybercriminals.
Many HIPAA compliance experts recommend a defense-in-depth strategy, in which multiple independent layers of security (access controls, encryption, network segmentation, and audit logging, for example) protect PHI so that the failure of any single control does not expose the data.
Recently, there have been several significant HIPAA violations, which led to costly fines and settlements. Here are two notable examples and the lessons we can learn from each:
Heritage Valley Health System Faces $950,000 Settlement
In 2024, Heritage Valley Health System agreed to a $950,000 settlement with OCR following an investigation into a ransomware attack on its systems. OCR found that the health system had not performed a comprehensive, accurate risk analysis, a foundational requirement of the HIPAA Security Rule for protecting ePHI.
OCR also found that Heritage Valley Health System had no contingency plan, meaning no policies and procedures for responding to an emergency (such as a ransomware attack) that damages systems containing ePHI, and no technical policies and procedures restricting access to the systems containing ePHI to authorized users and software programs.
Green Ridge Behavioral Health Settles For $40,000 Over HIPAA Violations
Green Ridge Behavioral Health agreed to a $40,000 settlement with OCR in 2024 after an investigation into a ransomware attack revealed multiple HIPAA compliance failures. The behavioral health provider had not conducted an accurate and thorough risk analysis and had failed to implement security measures sufficient to reduce the identified risks to ePHI; the attack resulted in the impermissible disclosure of the ePHI of 14,000 individuals.
Further scrutiny found that the provider had no policies and procedures for regularly reviewing records of information system activity, such as audit logs, access reports, and security incident tracking reports. These shortcomings left the ransomware activity undetected, contributed to the exposure of thousands of patients' ePHI, and led to significant legal and financial repercussions.
With a consistent increase in healthcare data breaches, it is important for healthcare organizations to implement appropriate measures to protect PHI and ensure compliance with HIPAA regulations. Adopting best practices like risk assessments, data encryption, and access controls can significantly reduce the risk of violations and protect sensitive patient data.
If you are uncertain about your organization’s ability to secure PHI, seeking professional guidance is a smart next step. You should consult HIPAA compliance experts to navigate the complex regulations and protect your organization from costly violations.
Alternatively, read our comprehensive guide to regulatory compliance for new healthcare practices for more information on safeguarding sensitive data and maintaining compliance.