What is PHI? Protected Health Information Explained: Complet
Understanding Protected Health Information (PHI) - what it is, what's covered under HIPAA, and how to handle it properly.
What is PHI (Protected Health Information)?
PHI stands for Protected Health Information—any health information that can be linked to a specific individual. Under HIPAA, PHI is protected by law and must be handled with specific privacy and security measures.
The 18 HIPAA Identifiers
Health information becomes PHI when combined with any of these 18 identifiers:
| # | Identifier | Examples |
|---|------------|----------|
| 1 | Names | Full name, maiden name |
| 2 | Geographic subdivisions | Street address, city, ZIP code |
| 3 | All elements of dates | Birth date, admission date, death date |
| 4 | Telephone numbers | Home, work, mobile |
| 5 | Fax numbers | |
| 6 | Email addresses | |
| 7 | Social Security numbers | |
| 8 | Medical record numbers | |
| 9 | Health plan beneficiary numbers | Insurance ID numbers |
| 10 | Account numbers | Patient account numbers |
| 11 | Certificate/license numbers | Medical license numbers |
| 12 | Vehicle identifiers | License plate numbers |
| 13 | Device identifiers | Serial numbers of medical devices |
| 14 | Web URLs | Website addresses |
| 15 | IP addresses | |
| 16 | Biometric identifiers | Fingerprints, voice prints |
| 17 | Full-face photos | Photographs |
| 18 | Any other unique identifying number | |
What Makes Information "PHI"?
For information to be considered PHI under HIPAA, it must meet all three criteria:
- ✅ Health information (diagnoses, treatment, payment)
- ✅ Identifiable (contains one or more of the 18 identifiers)
- ✅ Held by a covered entity (healthcare provider, health plan, clearinghouse)
Not PHI:
- Health information held by your phone's fitness app
- Information on your personal wearable device
- Data from apps not covered by HIPAA
De-identification: Removing PHI
Information can be shared without HIPAA restrictions if it's de-identified. Two methods:
Method 1: Safe Harbor
Remove all 18 identifiers, and:
- Have no actual knowledge that the remaining information could identify the individual
Method 2: Expert Determination
A statistical/scientific expert certifies that:
- Risk of re-identification is very small
- Methods used were documented
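As an added example (not from the original article), the Safe Harbor method applied to a constructed patient record in Python. It goes slightly beyond the text above by applying the Safe Harbor allowances from 45 CFR 164.514(b)(2): the year of a date may remain, the first three digits of a ZIP code may remain (assumed here to cover more than 20,000 people), and ages of 90 and over must be aggregated into a single "90+" bucket. The `MRN-` pattern and field names are assumptions for the example.

```python
import re
from datetime import date

# Constructed sample record for illustration only; no real patient data.
RECORD = {
    "name": "John Smith",
    "mrn": "MRN-0012345",
    "dob": "1931-03-14",
    "zip": "90210",
    "phone": "555-0100",
    "diagnosis": "Type 2 diabetes",
    "note": "John Smith (MRN-0012345) seen 2024-05-02; A1c 7.9.",
}

# Fields that hold a direct identifier from the list of 18: dropped entirely.
DIRECT_IDENTIFIERS = {"name", "mrn", "phone", "email", "ssn", "ip", "url", "device_serial"}
MRN_RE = re.compile(r"\bMRN-\d+\b")              # assumed MRN format for this example
DATE_RE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")  # ISO dates: keep only the year

def safe_harbor_age(dob_iso, today_iso):
    """Ages may be kept, but 90 and above must be aggregated into one '90+' bucket."""
    dob, today = date.fromisoformat(dob_iso), date.fromisoformat(today_iso)
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return "90+" if age >= 90 else str(age)

def scrub_note(text, names):
    """Strip direct identifiers from free text: names, MRNs, and month/day of dates."""
    for name in names:
        text = text.replace(name, "[NAME]")
    text = MRN_RE.sub("[MRN]", text)
    return DATE_RE.sub(r"\1", text)

def safe_harbor_deidentify(record, today_iso):
    """Return a copy of the record with the 18 identifiers removed or generalized."""
    out = {}
    names = [record["name"]] if "name" in record else []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                   # identifier removed outright
        elif field == "dob":
            out["age"] = safe_harbor_age(value, today_iso)
        elif field == "zip":
            out["zip3"] = value[:3]                    # first three digits only
        elif field == "note":
            out[field] = scrub_note(value, names)
        else:
            out[field] = value                         # clinical content is not an identifier
    return out

if __name__ == "__main__":
    print(safe_harbor_deidentify(RECORD, "2024-06-01"))
```

The remaining Safe Harbor condition, that the covered entity has no actual knowledge the residual data could identify the patient, is a judgement the code cannot make for you.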
Common PHI Examples
| Scenario | Is it PHI? | Why? |
|----------|-----------|------|
| "Patient has diabetes" | Maybe | Need to check if identifiable |
| "John Smith has diabetes" | Yes | Contains name (identifier #1) |
| "Patient in ZIP 90210 has diabetes" | Yes | Contains geographic subdivision (identifier #2) |
| "Patient over 65 has diabetes" | No | Age alone isn't an identifier |
| Medical record with MRN only | Yes | MRN is identifier #8 |
PHI in Electronic Form (ePHI)
When PHI is stored electronically, it's called ePHI and requires additional security:
- Access controls: Unique user IDs, passwords
- Encryption: For data at rest and in transit
- Audit controls: Logging access and changes
- Integrity controls: Protecting from alteration
- Transmission security: Secure messaging
Minimum Necessary Standard
HIPAA requires using only the minimum necessary PHI:
- For treatment: No minimum necessary requirement
- For payment/healthcare operations: Use only what's needed
- For all other purposes: Limit to what's reasonably necessary
PHI vs. Other Data Terms
| Term | Definition | HIPAA Coverage? |
|------|------------|-----------------|
| PHI | Individually identifiable health information | Yes |
| ePHI | Electronic PHI | Yes |
| PII | Personally Identifiable Information (general) | Maybe |
| PFI | Personal Financial Information | No |
| De-identified data | Data with identifiers removed | No |
Handling PHI Properly
For Healthcare Providers:
- Limit access to those who need it
- Use secure methods for transmission
- Implement safeguards (technical, physical, administrative)
- Train staff regularly
- Have breach procedures in place
For Patients:
- Know your rights regarding your PHI
- Ask how your data is used before sharing
- Review privacy notices carefully
- Report violations promptly
Breaches of PHI
A breach occurs when PHI is:
- Improperly disclosed
- Lost or stolen
- Accessed without authorization
Breach notification requirements:
- Fewer than 500 individuals: Notify within 60 days
- 500 or more individuals: Notify within 60 days, plus media and HHS
Summary
Understanding PHI is fundamental to HIPAA compliance:
- PHI = Health info + identifiers + covered entity
- 18 specific identifiers create the link to individuals
- De-identification removes HIPAA restrictions
- ePHI requires additional security measures
- Minimum necessary principle limits unnecessary access
Disclaimer: This is educational information and not legal advice.