Is Cost Data Protected by HIPAA? What Counts as PHI and How to Stay Compliant


Kevin Henry

HIPAA

November 03, 2025

7 minutes read

Definition of Protected Health Information

Under the HIPAA Privacy Rule, Protected Health Information (PHI) is individually identifiable health information created or received by Covered Entities or their Business Associates that relates to a person’s past, present, or future health, the provision of care, or payment for that care. PHI can be held in any form, including paper, oral, or electronic; PHI that is stored or transmitted electronically is Electronic PHI (ePHI).

Information is PHI only when it both identifies (or could reasonably be used to identify) an individual and relates to health, care delivery, or payment. If either element is missing, the data is not PHI, although other privacy laws may still apply to it. The HIPAA Security Rule specifically governs how you safeguard ePHI.

  • Who handles it: Covered Entities (providers, health plans, clearinghouses) and Business Associates (vendors handling PHI for them).
  • What it covers: Any identifiable data about health, care, or payment tied to a person.
  • Where it lives: Designated record sets such as medical, billing, and claims records.

Classification of Cost Data as PHI

Cost data is PHI when it is identifiable and relates to “payment for health care.” If a billing amount, estimate, claim, or patient balance can be linked to a specific individual, it qualifies as PHI and must be protected under the HIPAA Privacy Rule and Security Rule.

Examples that are PHI

  • Itemized patient bills, statements, or explanations of benefits containing names, account numbers, dates of service, or other identifiers.
  • Pre-service cost estimates and patient responsibility amounts tied to a specific patient or guarantor.
  • Claims, remittances, and prior-authorization amounts associated with an individual.

Examples that are not PHI

  • Publicly posted chargemasters, standard cash prices, or payer fee schedules not linked to a person.
  • Aggregated or de-identified cost analytics where no individual can be identified.

Borderline cases require caution. A “limited data set” (with most direct identifiers removed but dates and some geography retained) is still PHI and may be disclosed only under a data use agreement. Data counts as de-identified only through one of the two methods the Privacy Rule recognizes: the Safe Harbor removal of the listed identifiers, or an expert determination that the risk of re-identification is very small. When in doubt, apply the minimum necessary standard and assess whether re-identification risk exists.

Identifiers Included in PHI

HIPAA’s de-identification “safe harbor” lists 18 identifiers of the individual (and of the individual’s relatives, employers, and household members) that must be removed, and additionally requires that you have no actual knowledge that the remaining data could identify the person. Cost data that still contains any of the following is PHI:


  • Names
  • Geographic subdivisions smaller than a state (street address, city, county, ZIP code), except that the first three digits of a ZIP code may be kept if that three-digit area contains more than 20,000 people
  • All elements of dates (except year) directly related to an individual, such as birth, admission, discharge, service, and death dates; ages over 89 and any date elements indicating such an age, unless pooled into a single “90 or older” category
  • Telephone numbers and fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (for example, fingerprints, voiceprints)
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic, or code
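
The classification and identifier list above translate directly into a scrub routine. The following is an added example, not code from the original article or from Accountable: it applies the Safe Harbor removals to a billing record held as a Python dict, using an assumed field schema, a constructed population table for three-digit ZIP prefixes (a real run would use Census data), and a constructed sample bill. Dropping direct identifiers, keeping only the year of dates, truncating or zeroing ZIPs, and pooling ages over 89 are the rule’s own steps; the `is_phi` check encodes the article’s two-part test (identifiable, and about payment).

```python
import re

# Assumed billing-record schema: these keys hold one of the Safe Harbor
# direct identifiers (names, contact details, SSN, MRN, plan/account numbers,
# certificate, vehicle, device, URL, IP, biometric, photo). The 18th item,
# "any other unique identifying number", needs human review and cannot be
# detected by field name.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "phone", "fax", "email", "ssn", "mrn",
    "member_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip", "biometric", "photo",
}
# Assumed keys that make a record "about payment for health care".
PAYMENT_FIELDS = {"amount", "balance", "estimate", "copay", "deductible"}

# Constructed stand-in for Census population by 3-digit ZIP prefix. Safe
# Harbor keeps the first three digits only when that area has more than
# 20,000 residents; otherwise the ZIP must become 000.
ZIP3_POPULATION = {"021": 1_500_000, "036": 5_000, "591": 120_000}

DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")   # assumed ISO date fields


def generalize_zip(zip_code):
    zip3 = str(zip_code)[:3]
    return zip3 if ZIP3_POPULATION.get(zip3, 0) > 20_000 else "000"


def find_identifiers(record):
    """Return the keys that still carry a Safe Harbor identifier."""
    found = []
    for key, value in record.items():
        if value is None:
            continue
        if key in DIRECT_IDENTIFIER_FIELDS:
            found.append(key)
        elif key == "zip" and str(value) != generalize_zip(value):
            found.append(key)          # full ZIP, or a sparse 3-digit prefix
        elif key.endswith("_date") and DATE_RE.match(str(value)):
            found.append(key)          # month/day present; only the year may stay
        elif key == "age" and isinstance(value, int) and value > 89:
            found.append(key)          # ages over 89 must be pooled as 90+
    return found


def safe_harbor_scrub(record):
    """Return a de-identified copy: drop direct identifiers, keep only the
    year of dates, truncate ZIPs, pool ages over 89. Payment amounts and
    service codes are not identifiers and are retained."""
    out = dict(record)
    for key in find_identifiers(record):
        if key in DIRECT_IDENTIFIER_FIELDS:
            del out[key]
        elif key == "zip":
            out[key] = generalize_zip(record[key])
        elif key.endswith("_date"):
            out[key] = DATE_RE.match(str(record[key])).group(1)
        elif key == "age":
            out[key] = "90+"
    return out


def is_phi(record):
    """Cost data is PHI when it is still identifiable AND relates to payment."""
    return bool(find_identifiers(record)) and any(k in record for k in PAYMENT_FIELDS)


# Constructed sample bill (not real patient data).
SAMPLE_BILL = {
    "name": "Jane Q. Public", "mrn": "MRN-0042", "account_number": "ACCT-77810",
    "zip": "02139", "service_date": "2025-03-14", "statement_date": "2025-04-01",
    "age": 92, "cpt": "99213", "payer_class": "commercial",
    "amount": 185.00, "balance": 40.00,
}

if __name__ == "__main__":
    print(is_phi(SAMPLE_BILL))                       # True
    print(safe_harbor_scrub(SAMPLE_BILL))
    print(is_phi(safe_harbor_scrub(SAMPLE_BILL)))   # False
```

Two points the code makes visible: the scrubbed record still carries the amount, CPT code, payer class, and year, which is exactly the aggregated analytics case the article says is not PHI; and a three-digit ZIP is not automatically safe, since a sparsely populated prefix must be zeroed. Safe Harbor’s “no actual knowledge” clause and the catch-all 18th identifier remain a human judgment that no scrubber replaces.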

Exclusions from PHI Coverage

  • De-identified information, whether by Safe Harbor or expert determination, where re-identification risk is not reasonable.
  • Limited data sets are not an exclusion: they remain PHI, but a data use agreement lets you disclose them for research, public health, or health care operations without individual authorization.
  • Education records covered by FERPA and employment records held by a Covered Entity in its role as employer.
  • Information about a person who has been deceased for more than 50 years.
  • General market prices, chargemasters, and published rate sheets not linked to an individual.
  • Data handled by organizations that are neither Covered Entities nor Business Associates (HIPAA may not apply, though other laws could).

HIPAA Compliance Requirements

First determine your role. If you are a Covered Entity, you must implement the HIPAA Privacy Rule and, for Electronic PHI, the HIPAA Security Rule. If you are a Business Associate, you must sign Business Associate Agreements (BAAs), comply with the Security Rule directly, honor the Privacy Rule obligations your BAA imposes, and report breaches and security incidents to the Covered Entity.

Key Privacy Rule practices include defining your designated record set, honoring the individual right of access (within 30 days, with one 30-day extension if you notify the individual in writing of the reason and the expected date), applying the minimum necessary standard for payment and operations, managing authorizations when required, and providing a Notice of Privacy Practices where applicable.

Governance is essential. Designate a Privacy Officer and a Security Official, maintain written policies and procedures, train your workforce, verify identities before disclosure, and maintain documentation for at least six years. Track and respond to requests for amendments and accountings of disclosures.

For incidents, follow the Breach Notification Rule: perform and document a risk assessment (the nature of the PHI, who received it, whether it was actually acquired or viewed, and how far the risk was mitigated), mitigate promptly, and, if a breach of unsecured PHI occurred, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Notify HHS at the same time for breaches affecting 500 or more people (smaller breaches go in an annual log), and notify prominent media when more than 500 residents of a state or jurisdiction are affected. A Business Associate must notify the Covered Entity within the same 60-day limit or any shorter period its BAA sets. PHI encrypted consistent with HHS guidance is “secured”, so its loss does not trigger notification.

Fee Policies for Accessing PHI

Under HIPAA’s right of access, you may charge only a reasonable, cost-based fee to provide copies of PHI. This applies to cost data contained in the designated record set when an individual requests access.

Permitted fee components

  • Labor for copying (paper or electronic), including creating and transmitting a deliverable file.
  • Supplies for creating the copy (for example, paper, USB drive).
  • Postage if the individual requests mailed copies.
  • Preparing a summary or explanation if the individual agrees in advance.

Prohibited or restricted charges

  • No fees for retrieval, verification, or maintaining systems.
  • Per-page fees are not permitted for PHI that is maintained electronically.
  • Do not condition access on payment of unrelated balances.

Offer the format the individual requests if readily producible (for example, machine-readable files for ePHI). As an alternative to calculating actual or average costs, HHS guidance permits a flat fee of no more than $6.50 for electronic copies of PHI maintained electronically. Provide a fee explanation upon request and obtain a signed written request that clearly identifies the recipient and delivery address when an individual asks you to send a copy to a designated third party.

Safeguards and Security Measures

Protect cost data using layered Administrative Safeguards, Physical Safeguards, and Technical Safeguards aligned to the HIPAA Security Rule. Map where cost data lives across billing platforms, EHRs, practice management systems, data warehouses, and file shares to apply controls consistently.

Administrative Safeguards

  • Conduct and document an enterprise risk analysis; implement and update a risk management plan.
  • Enforce role-based access and the minimum necessary standard for payment workflows.
  • Execute and manage BAAs; perform vendor due diligence and ongoing oversight.
  • Train workforce members initially and periodically; apply a sanctions policy for violations.
  • Define incident response, breach assessment, and contingency/disaster recovery plans.
  • Maintain data retention and secure disposal schedules for billing and claims records.

Physical Safeguards

  • Control facility and workstation access; use clean-desk and screen-privacy practices.
  • Secure media and devices; apply inventory, storage, re-use, and destruction procedures.
  • Protect print output areas; lock cabinets and enable secure print release.

Technical Safeguards

  • Implement unique user IDs, strong authentication, and multi-factor access for systems with ePHI.
  • Encrypt ePHI in transit and at rest; encryption is an addressable specification under the Security Rule, but PHI encrypted consistent with HHS guidance is treated as secured for breach notification purposes. Segment networks and enforce least-privilege access.
  • Enable audit logs, alerts, and regular reviews; deploy data loss prevention where appropriate.
  • Harden and patch systems; secure APIs and file transfers; validate files before ingest.
  • Use secure backups and tested restorations to protect billing and claims data availability.
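
The audit-log bullet above is where minimum-necessary enforcement becomes measurable. The following is an added example, not code from the original article or from Accountable: a small review routine over constructed billing-system access logs in an assumed line format (`<ISO-8601 timestamp> user=<id> role=<role> action=<verb> account=<patient account>`). It flags two conditions a reviewer of payment-workflow access would look for: a user touching more distinct patient accounts within an hour than their role plausibly needs (the thresholds here are assumed and should be replaced with ones derived from your own baseline), and any access by a role that has no payment-workflow need at all. A malformed line is included to show the parser does not abort on it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format, one event per line:
#   <ISO-8601 timestamp> user=<id> role=<role> action=<verb> account=<patient account>
LINE_RE = re.compile(r"^(\S+) user=(\S+) role=(\S+) action=(\S+) account=(\S+)$")

# Assumed per-role ceiling on distinct patient accounts touched within one
# hour; derive real values from your own baseline before alerting on them.
ROLE_LIMITS = {"billing_clerk": 50, "front_desk": 20, "clinician": 15}
# Assumed roles with no payment-workflow need: any access is a finding.
NO_NEED_ROLES = {"marketing"}


def parse_log(lines):
    """Parse and time-sort events. Malformed lines are dropped here; count
    them separately in production, since a parser gap hides activity."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, role, action, account = m.groups()
            events.append((datetime.fromisoformat(ts), user, role, action, account))
    return sorted(events)


def review_access(lines, window=timedelta(hours=1)):
    """Return findings as (kind, user, detail) tuples."""
    findings = []
    per_user = defaultdict(list)
    for ts, user, role, action, account in parse_log(lines):
        if role in NO_NEED_ROLES:
            findings.append(("no_need", user, account))
        per_user[(user, role)].append((ts, account))
    for (user, role), hits in per_user.items():
        limit = ROLE_LIMITS.get(role)
        if limit is None:
            continue
        # Sliding window over the time-sorted hits: from each event, count the
        # distinct accounts seen within `window`. One breach per user is enough
        # to put that user in the review queue.
        for i, (start, _) in enumerate(hits):
            seen = {acct for ts, acct in hits[i:] if ts - start <= window}
            if len(seen) > limit:
                findings.append(("volume", user, len(seen)))
                break
    return findings


# Constructed sample log (not real data): u1 views 16 accounts in 30 minutes,
# u2 works a single account, u3 exports from a role with no payment need.
SAMPLE_LOG = [
    f"2025-11-03T09:{m:02d}:00 user=u1 role=clinician action=view account=ACCT-{1000 + m}"
    for m in range(0, 32, 2)
] + [
    "2025-11-03T09:05:00 user=u2 role=billing_clerk action=view account=ACCT-2001",
    "2025-11-03T09:07:00 user=u2 role=billing_clerk action=post_payment account=ACCT-2001",
    "2025-11-03T10:15:00 user=u3 role=marketing action=export account=ACCT-3005",
    "this line is malformed and must not crash the review",
]

if __name__ == "__main__":
    for finding in review_access(SAMPLE_LOG):
        print(finding)
```

The volume check is deliberately role-aware: the same 16 accounts in half an hour is routine for a billing clerk and anomalous for a clinician, which is why a single global threshold produces either noise or blind spots. Treat the output as a review queue for the Privacy Officer rather than an automatic sanction, and keep the log lines themselves under the same access controls as the billing records they describe, since they contain patient account numbers and are therefore PHI.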

Bottom line: when cost data can identify a person and reflects payment for health care, treat it as PHI. Apply the HIPAA Privacy Rule’s minimum necessary standard, the HIPAA Security Rule’s safeguards for ePHI, strong vendor controls, and clear fee policies to stay compliant.

FAQs

What types of cost data are considered PHI?

Any patient-identifiable amounts related to payment for care—such as itemized bills, claims, remittances, estimates, copays, deductibles, balances, or explanations of benefits—are PHI when they can identify the individual directly or indirectly.

How must covered entities protect cost data under HIPAA?

You must apply the HIPAA Privacy Rule and HIPAA Security Rule, including administrative, physical, and technical safeguards. Use role-based access, encryption for Electronic PHI, vendor BAAs, workforce training, logging and monitoring, and incident response and contingency planning.

Can individuals request their cost data under HIPAA?

Yes. Individuals have a right to access PHI in the designated record set, which includes billing and payment records. You should verify identity, provide the requested format if readily producible (including electronic copies), and respond within the applicable HIPAA time frame, generally within 30 days.

Are there fees associated with accessing PHI cost data?

Yes, but only a reasonable, cost-based fee is allowed. You may charge for copying labor, supplies, and postage, and for a summary if the individual agrees. You may not charge retrieval or verification fees, and per-page fees are generally not permitted for electronic copies.
