HIPAA Protects a Category of Information: Protected Health Information (PHI)

Kevin Henry

HIPAA

September 26, 2025

7 minutes read
Share this article
HIPAA Protects a Category of Information: Protected Health Information (PHI)

Overview of Protected Health Information

Protected Health Information (PHI) is the centerpiece of HIPAA. It refers to individually identifiable health information that a covered entity or its business associate creates, receives, maintains, or transmits about a person’s health status, the healthcare provision they receive, or healthcare payment data.

PHI can exist in any form—oral, paper, or electronic—and includes data elements that can identify an individual when linked to health details. Not every wellness or consumer app record is PHI; it becomes PHI when the information is tied to a person and handled by a HIPAA-regulated organization.

Information that has been properly de-identified is not PHI. A “limited data set” remains regulated and may be used for specific purposes under a data use agreement because certain indirect identifiers are still present.

Criteria for PHI Classification

Information qualifies as PHI when all of the following are true:

  • It is individually identifiable health information (directly or indirectly points to a person).
  • It relates to health conditions, healthcare provision records, or payment for care.
  • It is created, received, maintained, or transmitted by a covered entity or a business associate.
  • It has not been de-identified under recognized methods.

Information that is not PHI includes de-identified datasets, employment records held by an employer, education records protected by other laws, and aggregated statistics that cannot identify an individual. Consumer-generated data that never touches a covered entity or business associate typically falls outside HIPAA.

Edge cases matter. Research data may be PHI when sourced from clinical systems. Data shared with a provider through an integration can become PHI even if it originated in a consumer app. Certain decedent information also remains protected for a defined period.

Covered Entities Handling PHI

Covered entities include health plans, healthcare clearinghouses, and healthcare providers who conduct standard electronic transactions. These organizations determine how PHI is used and disclosed and must meet HIPAA compliance requirements at the policy and technical levels.

Business associates—such as cloud service providers, billing companies, EHR vendors, telehealth platforms, transcription services, analytics firms, and health information exchanges—handle PHI on behalf of covered entities. They must sign business associate agreements (BAAs) and implement safeguards comparable to those of their clients.

Both covered entities and business associates are responsible for risk analysis, workforce training, access controls, incident response planning, vendor oversight, and ongoing governance to ensure PHI remains protected across its lifecycle.

Types of Information Included in PHI

PHI spans a broad range of data categories, from direct identifiers to clinical content and operational details connected to care and billing. Common examples include:

  • Identifiers: names, addresses, dates, phone numbers, email addresses, medical record numbers, account numbers, Social Security numbers, device identifiers, IP addresses, biometric identifiers, and full-face photos.
  • Clinical information: diagnoses, medications, lab results, images, allergies, care plans, progress notes, and other healthcare provision records.
  • Healthcare payment data: claims, explanation of benefits, premiums, eligibility, prior authorizations, and remittance details.
  • Operations and support: scheduling data, case management notes, utilization review, quality improvement records, and call recordings tied to a patient.
  • Digital traces: patient portal messages, secure chat transcripts, metadata, and audit logs that can be linked back to an individual’s healthcare.

HIPAA’s core compliance requirements flow from the Privacy Rule, Security Rule, and Breach Notification Rule. Together, they govern how PHI may be used or disclosed and the safeguards organizations must employ.

The Privacy Rule permits use and disclosure for treatment, payment, and healthcare operations without authorization, while imposing the “minimum necessary” standard elsewhere. It also requires a Notice of Privacy Practices and grants individuals rights to access, amend, and receive an accounting of certain disclosures.

The Security Rule requires administrative, physical, and technical safeguards for electronic PHI. Key practices include risk analysis, role-based access, authentication, audit controls, integrity protections, contingency planning, and encryption as a reasonable and appropriate measure for data in transit and at rest.

Governance expectations include written policies, BAAs with vendors, workforce training and sanctions, periodic evaluations, and documentation retention for required periods. These form the day-to-day framework for protecting PHI.
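The Security Rule’s audit controls and the Privacy Rule’s minimum-necessary standard meet in the access log: every read of PHI should be recorded, and those records should be reviewed against the roles that made them. The following is an added example written for this article, not code from Accountable or from any HIPAA publication. It assumes a constructed JSON-lines audit format, a constructed role policy (`ROLE_PERMISSIONS`) and a constructed volume threshold; it flags reads outside a role’s permitted resource types, flags a user who touches an unusual number of distinct patients within an hour, and pulls one patient’s access trail, the raw material for an accounting of disclosures.

```python
"""Review a PHI access audit log for role/minimum-necessary violations and
unusual access volume, and pull one patient's access history.

Added example for this article, not code from Accountable. The log schema,
the role policy and the volume threshold are constructed assumptions; real
deployments take them from the organisation's own access policy."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed role policy: the PHI resource types each role needs to do its job.
# Anything outside the set is a "minimum necessary" exception to review.
ROLE_PERMISSIONS = {
    "clinician": {"clinical_note", "lab_result", "medication", "demographics"},
    "billing": {"claim", "eligibility", "demographics"},
    "scheduler": {"appointment", "demographics"},
}

# Assumed alerting threshold: distinct patients one user may touch per hour.
MAX_DISTINCT_PATIENTS_PER_HOUR = 25

# Constructed sample audit events (one JSON object per line, one per access).
SAMPLE_LOG = """
{"ts": "2025-09-26T09:00:12Z", "user": "dr.alice", "role": "clinician", "patient_id": "P-1001", "resource": "clinical_note", "action": "read"}
{"ts": "2025-09-26T09:02:40Z", "user": "bob.billing", "role": "billing", "patient_id": "P-1001", "resource": "claim", "action": "read"}
{"ts": "2025-09-26T09:03:05Z", "user": "bob.billing", "role": "billing", "patient_id": "P-1001", "resource": "clinical_note", "action": "read"}
{"ts": "2025-09-26T09:10:00Z", "user": "carol.sched", "role": "scheduler", "patient_id": "P-1002", "resource": "appointment", "action": "read"}
""".strip()

# Constructed burst: one scheduler reads 30 different patients' demographics
# within half an hour. Each single read is within the role's permissions, so
# only the volume check can surface it.
BURST = "\n".join(
    json.dumps({"ts": f"2025-09-26T10:{i:02d}:00Z", "user": "eve.sched",
                "role": "scheduler", "patient_id": f"P-2{i:03d}",
                "resource": "demographics", "action": "read"})
    for i in range(30)
)


def parse_events(text):
    """Parse JSON-lines audit events; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def minimum_necessary_violations(events):
    """Accesses to a resource type the user's role is not permitted to read."""
    return [ev for ev in events
            if ev["resource"] not in ROLE_PERMISSIONS.get(ev["role"], set())]


def volume_alerts(events, limit=MAX_DISTINCT_PATIENTS_PER_HOUR,
                  window=timedelta(hours=1)):
    """Map user -> peak number of distinct patients touched within any
    `window`-long span, for users who exceeded `limit`."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    alerts = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            patients = {e["patient_id"] for e in evs[i:]
                        if e["ts"] - start["ts"] <= window}
            if len(patients) > limit:
                alerts[user] = max(alerts.get(user, 0), len(patients))
    return alerts


def patient_access_history(events, patient_id):
    """Every recorded access to one patient's PHI: the raw trail from which
    an accounting of disclosures can be prepared."""
    return [(ev["ts"].isoformat(), ev["user"], ev["resource"], ev["action"])
            for ev in events if ev["patient_id"] == patient_id]


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG + "\n" + BURST)
    for ev in minimum_necessary_violations(events):
        print("minimum-necessary exception:", ev["user"], ev["role"], ev["resource"])
    for user, n in volume_alerts(events).items():
        print(f"volume alert: {user} touched {n} distinct patients within an hour")
    for row in patient_access_history(events, "P-1001"):
        print("P-1001 access:", *row)
```

On the constructed input the review surfaces the billing user’s read of a clinical note (a role/minimum-necessary exception) and the scheduler who touched 30 distinct patients in one hour (a volume anomaly), while the remaining reads pass. The role policy and threshold are the decisions that need documenting under the governance expectations above; the review logic itself is straightforward once they exist.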

PHI Transmission and Storage Standards

HIPAA is technology-neutral, but organizations must implement reasonable and appropriate controls. Effective PHI transmission protocols and storage practices typically include:

  • In transit: use of TLS for web portals and APIs, secure email (e.g., S/MIME), VPN or IPSec tunnels for network links, and secure file transfer methods such as SFTP/FTPS. Health data standards like HL7 or FHIR should ride over encrypted channels with strong authentication.
  • At rest: strong encryption (such as AES), sound key management, full-disk or volume encryption, database/column encryption where needed, and encrypted, immutable backups.
  • Access management: least-privilege roles, multi-factor authentication, session timeouts, device security controls, and network segmentation to reduce blast radius.
  • Monitoring and resilience: comprehensive audit logging, alerting, vulnerability and patch management, tested disaster recovery and business continuity objectives, and regular tabletop exercises.
  • Vendors and cloud: BAAs, documented data flows, data loss prevention where appropriate, secure deletion processes, and prevention of PHI in lower-environment test data.

Documenting these controls, validating them through routine assessments, and training your workforce ensure that PHI transmission and storage remain aligned with evolving risks.

Consequences of PHI Breaches

A breach is the unauthorized acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy. Unless a documented risk assessment shows a low probability of compromise, you must treat an incident as a breach and act promptly.

Under data breach notification rules, affected individuals must be notified without unreasonable delay and no later than 60 days after discovery. For incidents affecting 500 or more individuals in a state or jurisdiction, you must also notify the U.S. Department of Health and Human Services and, in many cases, prominent media. Smaller breaches require individual notices and annual reporting.

Regulatory exposure includes investigations by the Office for Civil Rights, tiered civil monetary penalties based on culpability, and corrective action plans with ongoing monitoring. Criminal penalties may apply for knowing misuse. State attorneys general, contractual partners, and class actions can add significant financial and reputational risk.

Operational fallout spans incident response costs, service disruption, forensic analysis, remediation projects, and patient support such as credit or identity monitoring. Strengthening controls and re-running your risk analysis are essential parts of post-incident recovery.

Proactive preparation is the best defense: maintain an incident response plan, practice it, preserve logs, engage qualified forensic support, apply rapid containment, and communicate clearly with stakeholders. These steps reduce harm and speed compliance.

Conclusion: Treat PHI as a high-value asset. By understanding what counts as PHI, how covered entities and vendors must handle it, and the standards for transmission, storage, and breach response, you can build a robust, durable compliance posture.

FAQs

What information qualifies as Protected Health Information?

PHI is individually identifiable health information connected to a person’s past, present, or future health, the healthcare provision they receive, or healthcare payment data, when created or held by a covered entity or its business associate. It includes identifiers and any linked clinical, billing, or operational details.

How do covered entities manage PHI compliance?

Covered entities implement HIPAA compliance requirements through policies, workforce training, BAAs with vendors, risk analysis, access controls, encryption, monitoring, and contingency planning. They also honor individual rights and enforce the minimum necessary standard across routine operations.

What are the penalties for PHI violations?

Penalties range from corrective action plans and tiered civil monetary fines to, in severe or intentional cases, criminal charges. Beyond regulatory exposure, organizations may face state actions, contract penalties, class litigation, remediation costs, and lasting reputational harm.

How is PHI securely transmitted and stored?

Organizations use PHI transmission protocols such as TLS-secured web portals and APIs, secure email, VPNs, and SFTP/FTPS, and they encrypt data at rest with strong key management. Layered controls—RBAC, MFA, logging, segmentation, backups, and tested recovery—protect PHI throughout its lifecycle.
