What is Protected Health Information (PHI)?

Learn what protected health information (PHI) is, who’s subject to HIPAA laws around PHI, what identifiers fall under PHI, and more.

⚡ Key takeaways
  • Protected health information (PHI) refers to specific types of medical information that can be tied back to an individual person, which is collected or used by healthcare providers and other entities covered by HIPAA.
  • HIPAA's Security Rule requires covered entities to implement physical, administrative, and technical safeguards to protect against any threat considered “reasonably anticipated.”
  • Some ways you can reduce risk in your patient identity verification process include working with a HIPAA-compliant IDV provider, automating as much of your IDV process as possible to reduce the possibility of inappropriate access, and partnering with an IDV solution that will store PII for you.

Every day, a wide range of organizations — from healthcare providers to insurance companies, dentists, pharmacies, and more — collect, create, store, or otherwise interact with sensitive patient data known as protected health information (PHI). These businesses must meet strict security and privacy requirements established by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) — or else face significant fines and legal actions. 

But what counts as PHI? How does it differ from other forms of consumer data? And, perhaps most importantly, what steps should an organization take to ensure that this information is adequately protected?

Below, we answer these and other questions you may have about protected health information so you’ll be better equipped to comply with HIPAA and related regulations. 

What is protected health information (PHI)?

Protected health information (PHI) refers to specific types of medical information that can be tied back to an individual person, which is collected or used by healthcare providers and other entities covered by HIPAA.

To fully understand what PHI is, it’s important to break down the different ways medical information can be segmented. This includes health information, individually identifiable health information (IIHI), and finally, protected health information as defined by HIPAA.

Health information is any information related to an individual’s physical and mental health, the treatment they receive, and how they pay for this treatment. Importantly, this includes information about the past, present, and future. It’s important to note that the information must be created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse to qualify as health information. 

Individually identifiable health information (IIHI) is a subset of health information. Specifically, the term refers to health information, including demographic information collected from an individual, that either directly identifies the individual or gives a reasonable basis to believe it could be used to identify them.

Protected health information (PHI), then, is individually identifiable health information that a covered entity (or its business associate) transmits or maintains in electronic media or in any other form or medium. A few categories of IIHI are carved out of this definition; they are listed in the FAQ at the end of this post.

What is ePHI?

ePHI, or electronic protected health information, is a term used to refer to protected health information that is collected, saved, or transmitted in an electronic form. Some examples of ePHI include protected health information collected via a website or web application, sent by email, or digitized from physical copies. 

Whether ePHI is stored as a digital file on a local device, on a disk or flash drive, or in the cloud, it is protected by the same provisions of HIPAA that apply to all protected health information. With this ubiquity in mind, when most modern healthcare organizations (and other covered entities) talk about PHI, they’re really talking about ePHI. 

Who’s subject to HIPAA laws about PHI?

The organizations directly subject to HIPAA’s requirements are known as covered entities. HIPAA defines three kinds: health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard transactions such as claims. In practice, covered entities include:

  • Health insurance companies
  • Company health plans
  • HMOs
  • Government health programs (Medicare/Medicaid)
  • Doctors
  • Hospitals
  • Pharmacies
  • Clinics
  • Psychologists
  • Dentists
  • Nursing homes
  • Other healthcare providers
  • Healthcare clearinghouses

In addition to the entities above, any company that creates, receives, maintains, or transmits PHI on behalf of a covered entity (known as a business associate) must comply with various pieces of HIPAA, including the Security Rule and the relevant parts of the Privacy Rule, and must sign a business associate agreement (BAA) with the covered entity. This includes, but isn’t limited to:

  • Companies that collect, store, and destroy medical records
  • Companies that provide billing services for a covered entity
  • Companies that process healthcare claims
  • Companies that administer health plans
  • Outside professionals such as IT specialists, lawyers, and accountants whose work gives them access to PHI
  • Subcontractors hired by these organizations

As a rule of thumb, any company that handles PHI on behalf of a covered entity should assume it is a business associate and subject to HIPAA.

It’s also important to note that even businesses that are not covered entities under HIPAA still have an incentive to protect sensitive consumer information, regardless of whether they are required to do so by law or not. Failure to do so can result in significant loss of customer trust, which can prove catastrophic to any business built on trust. 

What identifiers fall under protected health information?

HIPAA’s Privacy Rule lists 18 identifiers (the “Safe Harbor” list used to judge whether data is de-identified). Health information held by a covered entity or business associate that contains any of these 18 identifiers is considered protected health information. These identifiers include a person’s:

  • Name
  • Address and any other geographic subdivision smaller than a state (street address, city, county, ZIP code)
  • All elements of dates (other than the year) directly related to the individual, such as birth date, admission date, discharge date, and date of death, plus any age over 89
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate or license numbers
  • Vehicle identifiers, including license plate numbers and serial numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers, including fingerprints and voiceprints
  • Full-face photographs and any comparable images
  • Any other unique identifying number, characteristic, or code

It’s important to note that this information is typically only considered PHI when it’s collected or used by a covered entity. If it’s created by a business or organization that isn’t a covered entity (and doesn’t interact in any way with a covered entity), it’s not necessarily protected under HIPAA. 

Likewise, information that has been de-identified is no longer considered PHI. HIPAA recognizes two ways to de-identify data: removing all 18 identifiers listed above, provided the entity has no actual knowledge that the remaining data could identify the individual (the Safe Harbor method), or having a qualified expert determine that the risk of re-identification is very small (the Expert Determination method).
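To make the identifier list and the de-identification rule concrete, here is an added Python example (not code from the original post or from Persona) that scans a structured patient record for the Safe Harbor identifier categories above and produces a de-identified copy in the Safe Harbor style: direct identifiers are dropped, dates are reduced to the year, ages over 89 are bucketed, and identifier patterns embedded in free-text notes are redacted. The field names, the sample record, and the regular expressions are constructed assumptions for this illustration; a real Safe Harbor process also has ZIP-code truncation rules and still requires that the entity have no actual knowledge the remaining data could identify the patient.

```python
import re
from datetime import date

# Assumed field names for a structured patient record; real schemas differ.
# These map to the direct identifiers on the Safe Harbor list.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}
# Date elements are generalized to the year rather than dropped outright.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Constructed regexes for identifiers that hide inside free-text notes.
# They catch common US formats and are deliberately simple, not exhaustive.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}


def find_identifiers(record: dict) -> dict:
    """Map each field that carries an identifier to the category found."""
    found = {}
    for field, value in record.items():
        if value in (None, ""):
            continue
        if field in DIRECT_IDENTIFIER_FIELDS:
            found[field] = field
        elif field in DATE_FIELDS:
            found[field] = "date"
        elif field == "age" and isinstance(value, (int, float)) and value > 89:
            found[field] = "age_over_89"
        elif isinstance(value, str):
            for category, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    found[field] = f"free_text:{category}"
                    break
    return found


def is_phi(record: dict) -> bool:
    """True if any Safe Harbor identifier remains in the record."""
    return bool(find_identifiers(record))


def deidentify(record: dict) -> dict:
    """Drop direct identifiers, keep only the year of dates, cap ages at 89,
    and redact identifier patterns inside free text."""
    clean = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field in DATE_FIELDS:
            if value:
                year = value.year if isinstance(value, date) else date.fromisoformat(value).year
                clean[field.replace("_date", "_year")] = year
            continue
        if field == "age" and isinstance(value, (int, float)) and value > 89:
            clean[field] = "90+"
            continue
        if isinstance(value, str):
            for category, pattern in FREE_TEXT_PATTERNS.items():
                value = pattern.sub(f"[REDACTED-{category}]", value)
        clean[field] = value
    return clean


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-0001",
    "birth_date": "1952-03-14",
    "admission_date": "2023-11-02",
    "age": 91,
    "email": "jane.doe@example.com",
    "diagnosis": "Type 2 diabetes",
    "note": "Patient called from 555-867-5309 to reschedule; SSN on file 123-45-6789.",
    "hba1c": 7.4,
}

if __name__ == "__main__":
    print("identifiers found:", find_identifiers(SAMPLE_RECORD))
    clean = deidentify(SAMPLE_RECORD)
    print("de-identified:", clean)
    print("still PHI?", is_phi(clean))
```

The free-text pass is the part that matters in practice: structured columns are easy to drop, but clinical notes, call-center transcripts, and support tickets routinely carry phone numbers and Social Security numbers that a column-level filter never sees.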

How is protected health information used?

At its core, protected health information is primarily used to identify an individual in a healthcare setting and ensure they are receiving appropriate care. 

Before a doctor or nurse begins treating a patient, for example, they will typically ask that patient for their name and birthdate. Then, they’ll cross-check this with the information stored within the patient’s chart or medical record to ensure they are delivering care (whatever it may be) to the correct patient.

Certain PHI also makes it possible for a healthcare provider to track a patient’s care over time. When a patient receives care from a given provider, for example, records of that care will be labeled with a medical record number tied specifically to that individual. Using this number, a provider can pull up a patient’s records as necessary to check on past diagnoses, treatment plans, etc. 

Once it has been de-identified, PHI is also often used by researchers trying to glean insights into healthcare trends.

How to defend against PHI hacks

Covered entities are required to protect and secure PHI against unauthorized access and other types of impermissible use under HIPAA’s Security Rule. This rule specifically requires covered entities to implement physical, administrative, and technical safeguards to protect against any threat considered “reasonably anticipated.”

Physical safeguards are measures taken to secure physical copies of PHI or physical devices that store PHI. Limiting access to facilities (or parts of facilities) containing PHI is one such physical safeguard. Implementing policies for workstation and device security is another. 

Administrative safeguards are the processes and policies an organization implements to secure PHI. A documented risk analysis, workforce training, and procedures for authorizing and revoking each employee’s access to PHI (identity and access management, or IAM) are examples of administrative safeguards.

Technical safeguards are measures taken specifically to secure ePHI. The Security Rule names five standards: access control, audit controls, integrity, person or entity authentication, and transmission security. In practice, technical safeguards might include unique user IDs and multi-factor authentication, role-based access to records, tamper-evident audit logs, encryption of ePHI at rest and in transit, and firewalls and similar network controls.
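As an added illustration (not code from the original post or from Persona), the Python below shows how the technical-safeguard categories named above can be enforced in a small ePHI store: a caller must be authenticated and hold a role permitted to read the requested section of a record (access control and person or entity authentication), every attempt, allowed or denied, is written to a hash-chained audit log that detects later editing or deletion (audit control), and each stored record carries an HMAC that is checked before anything is released (integrity control). Role names, section names, the sample record, and the demo key are assumptions; transmission security is the one category left out, because it is handled by TLS on the wire rather than in application code.

```python
import hashlib
import hmac
import json
import time

# Assumed demo key. In production the integrity key lives in a KMS/HSM and is
# never embedded in source.
INTEGRITY_KEY = b"demo-integrity-key-do-not-use-in-production"

# Minimum-necessary access: each role may read only the sections it needs.
# Role and section names are assumptions for this illustration.
ROLE_PERMISSIONS = {
    "physician": {"demographics", "clinical"},
    "billing": {"demographics", "billing"},
    "front_desk": {"demographics"},
}


def _canonical(obj) -> bytes:
    """Stable JSON encoding so the same content always yields the same digest."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict) -> dict:
    """Integrity control: attach an HMAC-SHA256 over the canonical record."""
    mac = hmac.new(INTEGRITY_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "mac": mac}


def verify(sealed: dict) -> bool:
    """Recompute the MAC and compare in constant time."""
    expected = hmac.new(INTEGRITY_KEY, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["mac"])


class EPHIStore:
    """Tiny ePHI store enforcing authentication, role-based access,
    record integrity, and a hash-chained (tamper-evident) audit log."""

    def __init__(self):
        self._records = {}
        self.audit_log = []

    def put(self, mrn: str, record: dict) -> None:
        self._records[mrn] = seal(record)

    def _audit(self, entry: dict) -> None:
        # Audit control: every entry commits to the previous entry's hash, so
        # editing or deleting any line breaks the chain.
        prev = self.audit_log[-1]["hash"] if self.audit_log else "0" * 64
        entry = {**entry, "ts": time.time(), "prev": prev}
        entry["hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
        self.audit_log.append(entry)

    def access(self, user: str, role: str, mrn: str, section: str, authenticated: bool) -> dict:
        """Return one section of a record or raise; either way, log the attempt."""
        outcome, reason = "deny", ""
        try:
            if not authenticated:
                reason = "person/entity authentication failed"
                raise PermissionError(reason)
            if section not in ROLE_PERMISSIONS.get(role, set()):
                reason = f"role {role!r} may not read {section!r}"
                raise PermissionError(reason)
            sealed = self._records[mrn]
            if not verify(sealed):
                reason = "integrity check failed"
                raise ValueError(reason)
            outcome = "allow"
            return sealed["record"][section]
        finally:
            self._audit({"user": user, "role": role, "mrn": mrn,
                         "section": section, "outcome": outcome, "reason": reason})

    def audit_chain_valid(self) -> bool:
        """Re-walk the chain; False if any entry was altered or removed."""
        prev = "0" * 64
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def build_demo_store() -> EPHIStore:
    """Constructed sample record; not real patient data."""
    store = EPHIStore()
    store.put("MRN-0001", {
        "demographics": {"name": "Jane Doe", "birth_date": "1952-03-14"},
        "clinical": {"diagnosis": "Type 2 diabetes", "hba1c": 7.4},
        "billing": {"plan_id": "HP-998877", "balance": 120.00},
    })
    return store


if __name__ == "__main__":
    store = build_demo_store()
    print(store.access("dr_lee", "physician", "MRN-0001", "clinical", authenticated=True))
    try:
        store.access("dr_lee", "physician", "MRN-0001", "billing", authenticated=True)
    except PermissionError as e:
        print("denied:", e)
    # Simulate tampering with the stored record: the MAC no longer matches.
    store._records["MRN-0001"]["record"]["clinical"]["diagnosis"] = "none"
    try:
        store.access("dr_lee", "physician", "MRN-0001", "clinical", authenticated=True)
    except ValueError as e:
        print("blocked:", e)
    print("audit chain intact:", store.audit_chain_valid())
```

Two design points carry over to real systems: denied attempts are logged with the same rigor as allowed ones, since a burst of denials is often the first sign of credential misuse, and the integrity check runs before data is returned, so a record altered in the database is refused rather than quietly served.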


How to verify patient identity safely

If your company is subject to the PHI rules established by HIPAA — as a covered entity, business associate, or third-party organization — it’s crucial to keep these requirements in mind when designing any processes related to data. This includes your organization’s Know Your Patient (KYP) and patient identity verification processes. 

Some ways you can reduce risk in your patient identity verification process include:

  • Working with a HIPAA-compliant IDV provider
  • Automating as much of your IDV process as possible to reduce the possibility of inappropriate access
  • Partnering with an IDV solution that will store PII for you

Here at Persona, security and privacy form the bedrock of who we are. Our identity solutions are compliant not only with HIPAA, but also with GDPR, FERPA, CCPA/CPRA, and other state and federal regulations. We’re also proud to offer PII storage for all of our customers so you can spend less time worrying about security and more time running your business. 

Interested in learning more? See how we helped an online prescription service deploy identity verification to stay compliant with HIPAA and other regulations.

Ready to get started? Request a demo today. 

Frequently asked questions

What are some examples of PHI?

Any medical information or record that contains one or more of the 18 identifiers defined by HIPAA, and that is held by a covered entity or business associate, is considered protected health information. Some examples include:

  • Test results (blood, urine, STI, etc.)
  • Medical scans (X-rays, MRIs, CT scans, ultrasounds, etc.)
  • Billing information from a healthcare provider
  • Communications, such as an email scheduling an appointment
  • Phone records

Importantly, health data that does not include personally identifiable information is not considered PHI. Examples of this might include blood sugar readings that are not recorded with PII, or the number of steps recorded in a pedometer.

Is there a difference between PHI and HIPAA?

Yes. HIPAA is the law that establishes an individual’s privacy and security rights as they relate to medical and health records. As such, HIPAA defines PHI (as well as other categories of health data). PHI is just one small piece of the broader legislation that is HIPAA.

What information is not covered by HIPAA?

HIPAA specifically notes that certain individually identifiable health information is not considered protected health information. This includes health information that is:

  • In an education record covered by the Family Educational Rights and Privacy Act (FERPA)
  • In employment records held by a covered entity, specifically in its role as an employer
  • Related to a person who has been dead for more than 50 years

Additionally, as noted above, PHI that has been de-identified or anonymized is no longer considered PHI.

How is a patient’s identity authenticated?

During patient intake or onboarding, a patient’s identity is typically verified through the collection of the patient’s government-issued ID, health insurance cards, and other information. 

Once the patient’s identity has been verified, it can be authenticated in the future in any of a variety of ways. This might include re-checking the individual’s ID and insurance information; asking the patient to provide information (like their name and birthdate) prior to receiving care; or, in a digital setting, asking the patient to take and submit a selfie, which will be compared against a photo on record.
