If you’re pursuing HIPAA compliance or you’re considering working with healthcare organizations, you’ve come across these three letters: PHI. Protected health information is at the core of HIPAA legislation, which was designed to better secure patients’ private data. 

Understanding what PHI is and how it must be protected is imperative for achieving HIPAA compliance and avoiding violations. 

Read on to discover what is considered PHI under HIPAA, get real examples of PHI, and learn what covered entities must do to protect this type of data. 

HIPAA PHI definition: What is protected health information?

PHI stands for Protected Health Information. 

PHI under HIPAA covers any health data created, transmitted, or stored by a HIPAA-covered entity and its business associates. It includes electronic records (ePHI), written records, lab results, x-rays, bills — even verbal conversations that include personally identifying information. 

PHI is protected by the HIPAA Privacy Rule, which requires covered entities and their business associates to safeguard protected health information. The Privacy Rule also gives patients greater control over who can access and share their personal health records. 

What is a covered entity?

Under HIPAA, a covered entity is an organization that provides medical treatment, payments, or operations. These include:

• Hospitals
• Clinics
• Pharmacies
• Doctors
• Dentists
• Psychologists
• Psychiatrists
• Chiropractors
• Healthcare providers
• Health insurance companies
• Medical Aid organizations
• HMOs
• Nursing homes

Covered entities are legally required to comply with HIPAA rules for protecting the privacy and security of PHI. 

What is a business associate?

Business associates are organizations that provide services to a covered entity and have access to PHI, such as:

• Billing companies
• Cloud service providers
• Data storage firms
• EHR providers
• Attorneys
• CPA firms
• Claims processors
• Collections agencies
• Medical device manufacturers

Covered entities and business associates must have a business associate agreement (BAA) in place to define responsibilities when it comes to safeguarding PHI. The BAA specifies what the business associate’s role is and requires it to comply with HIPAA rules. 

PHI identifiers: What does PHI include? 

The Department of Health and Human Services has defined 18 key identifiers of PHI. PHI covered under HIPAA includes:

Prescriptions, test results, diagnoses, treatment plans, billing and payment information — all of these are HIPAA PHI examples. 

To determine whether something is considered PHI, ask three questions: 

• Is your organization a covered entity or business associate of a covered entity?
• Does the information pertain to someone’s health? 
• Is that health information able to be linked to a specific person? 

If the answer is yes to all three, it qualifies as PHI and is protected under HIPAA legislation. 

Exceptions: What is not considered PHI under HIPAA?

HIPAA specifically applies to covered entities and their business associates. PHI that is created, stored, accessed, or transmitted by these organizations is protected under HIPAA regulations. But in the hands of another company, that same information is not considered PHI  and does not fall under HIPAA. 

For example, a health app that records heart rate, blood pressure or sugar, activity levels, or calorie consumption does not constitute PHI. 

Here are a few other instances where health data is not considered PHI: 

• Appointment inquiries: Names and phone numbers of potential patients who call to make an appointment. Because there’s no health information associated with this data, it’s not considered PHI. Once that person formally becomes a patient, that information becomes PHI. 
• Employee and education records: Any records concerning employee or student health, such as known allergies, blood type, or disabilities, are not considered PHI. 
• Wearable devices: Data collected by wearable devices such as heart rate monitors or smartwatches is not PHI. 
• Health and fitness apps: Data collected by or entered into a mobile fitness or health app is not PHI. 
• De-identified PHI: Health data that has had all identifiers removed and cannot be linked to a specific individual is no longer considered PHI. Organizations sometimes use de-identified PHI for statistics or research purposes. 

Requirements: What organizations must do to secure PHI

While HIPAA compliance requires organizations to take steps to protect PHI from unauthorized access, HIPAA rules do not list specific actions covered entities must take. This flexibility allows organizations to decide the measures that are most appropriate based on their size and function. A regional hospital system may have different requirements and controls in place than a small family clinic, for example. 

Covered entities do have to put safeguards in place to protect PHI against breaches. The HIPAA Security Rule outlines different administrative, physical, and technical safeguards, such as access management policies, employee training, incident response plans, document shredding, and data encryption. 

HIPAA violations: Penalties for unauthorized disclosure of PHI

Fail to protect PHI under HIPAA rules, and you could be hit with a fine by the Department of Health and Human Services Office for Civil Rights. Violations can be costly — and not just in terms of money. A violation or breach can permanently damage your organization’s reputation and erode patient trust. 

Here are a few common PHI violations to avoid.

Mismanaging access to PHI

PHI should only be viewed for treatment, payment, or healthcare operations. Any shared access to PHI must be authorized by the patient. You’ll also need to ensure PHI is securely and permanently destroyed when it’s no longer needed. 

Part of managing PHI access is also responding promptly to a patient’s request for their medical records. 

Sale of PHI under HIPAA

Covered entities and business associates may not sell PHI without authorization from the patient. 

Organizations that knowingly disclose or sell PHI without proper authorization face a HIPAA violation fine of up to $50,000 and 1 year in prison. 

Minimum Necessary Rule

While it’s common for healthcare providers to request access to a patient’s complete medical history, they may also request access to specific PHI. The Minimum Necessary Rule states that covered entities should only disclose PHI that’s directly relevant to the request. 

In either case, PHI can only be disclosed to a third party with patient authorization, unless directly related to healthcare treatment, payment, or operations. 

Breach Notification Rule

In the event of a breach of unsecured PHI, a covered entity must notify any affected individuals within 60 days. Failure to do so is a violation of the HIPAA Breach Notification Rule. Business associates who discover a breach are also required to notify the covered entity within 60 days. 

Protect PHI and achieve HIPAA compliance with Secureframe

HIPAA compliance ensures covered entities and business associates take tangible steps to protect sensitive patient data. And it motivates organizations to maintain and improve those security measures — or face costly violations. 

Secureframe helps organizations of all sizes protect PHI by simplifying the HIPAA compliance process into a few key steps:

• Create HIPAA privacy and security policies
• Train employees on best practices for protecting PHI
• Manage vendors and business associates with access to PHI
• Monitor your PHI safeguards and get notified of any nonconformities 

Learn more about how you can automate your HIPAA compliance today.