Is PHI a Type of CUI? When Protected Health Information Counts as Controlled Unclassified Information


Kevin Henry

HIPAA

September 26, 2025

7 minutes read

Short answer: sometimes. Protected Health Information (PHI) becomes Controlled Unclassified Information (CUI) when it is created for, collected by, or handled on behalf of a U.S. federal agency and a law, regulation, or government‑wide policy requires safeguarding or limits its dissemination. This guide clarifies where PHI and CUI overlap, when they do not, and what you must do to stay compliant under 32 CFR Part 2002 and NIST SP 800-171.

Definition of PHI

PHI is individually identifiable health information related to a person’s past, present, or future health status, healthcare provision, or payment for care. It includes common identifiers (for example, name, address, MRN) when they can reasonably identify the individual, and it exists in any medium—paper, verbal, or electronic (ePHI).

Key characteristics of PHI

  • Identifies or can be used to identify an individual and relates to health, care, or payment.
  • Created or received by a covered entity or its business associate under HIPAA.
  • Exists in any form or medium; ePHI carries the same obligations as paper PHI.
  • Requires administrative safeguards, physical safeguards, and technical safeguards to protect confidentiality, integrity, and availability.
  • Excludes fully de‑identified data that meets HIPAA de‑identification standards.

In short, PHI is the cornerstone of healthcare data protection and drives your baseline privacy and security obligations in the healthcare ecosystem.

Definition of CUI

CUI—Controlled Unclassified Information—is unclassified information that a law, regulation, or government‑wide policy requires you to safeguard or control in dissemination. The CUI Program is established by Executive Order 13556 and implemented in 32 CFR Part 2002 to create uniform, federal information safeguarding rules across agencies.

What CUI is—and is not

  • Not classified national security information, but still sensitive and restricted.
  • Subject to standardized marking, access, handling, and decontrol requirements.
  • Governs how executive‑branch agencies and their partners protect designated categories (for example, privacy, law enforcement, critical infrastructure).

Basic vs. Specified CUI

  • CUI Basic: Controlled by general program rules when no specific handling requirements exist beyond the CUI framework.
  • CUI Specified: A statute, regulation, or policy prescribes additional, explicit handling or dissemination controls. PHI associated with HIPAA requirements is often treated as CUI Specified.

You may see the phrase “unclassified controlled information” used informally, but the official term is Controlled Unclassified Information (CUI).

PHI as CUI

PHI counts as CUI when it has a federal nexus and is subject to a law, regulation, or government‑wide policy that mandates protection or restricts dissemination. In practice, this occurs when you handle PHI as part of a federal program, contract, grant, cooperative agreement, or interagency exchange.

When PHI qualifies as CUI

  • The PHI is created by, collected by, or maintained for a federal agency (for example, VA, DoD, HHS/CMS, IHS), and must be safeguarded under applicable authorities.
  • Your contract, grant, or agreement designates the data as CUI and incorporates CUI handling clauses referencing 32 CFR Part 2002.
  • Agency policy or the CUI Registry category requires specific controls for PHI, making it CUI Specified.

Outside a federal context, PHI remains protected by HIPAA but is not CUI. The CUI designation attaches because of the federal role and the controlling authority—not merely because information is sensitive.


Examples of PHI as CUI

  • Veterans Health Administration medical records processed by a contractor for scheduling, imaging, or claims adjudication.
  • TRICARE beneficiary claims and encounter data hosted by a managed service provider under a DoD task order.
  • Medicare or Medicaid claims extracts provided to a contractor as part of a CMS integrity, audit, or analytics program.
  • Research participant records gathered under a federal contract or cooperative agreement where the agency is the data steward.
  • Public health surveillance data reported to a federal agency that includes identifiable patient details subject to limiting policies.
  • PHI transferred from a federal system of records to a state, tribal, or local partner under an agreement that requires CUI controls.

Across these scenarios, the CUI label signals uniform federal information safeguarding and dissemination control obligations in addition to HIPAA duties.

PHI Not Considered CUI

  • PHI used solely within a private healthcare provider, health plan, or clearinghouse with no federal contract, grant, or agency stewardship.
  • PHI handled by a vendor that serves only commercial clients and is not processing data for or on behalf of a federal agency.
  • Fully de‑identified datasets (for example, HIPAA safe harbor or expert determination) because they are no longer PHI.
  • Aggregate reports that cannot identify individuals and are not designated or received as CUI by an agency.

In these cases, HIPAA still applies as relevant, but the CUI framework does not—because there is no federal authority designating the information as CUI.

Handling Requirements for PHI as CUI

When PHI is also CUI, you must meet HIPAA’s safeguards and the CUI Program’s rules, plus any agency‑specific clauses. For nonfederal systems (for example, contractors and grantees), NIST SP 800-171 provides the baseline control set for protecting CUI.

Plan and document

  • Develop and maintain a System Security Plan (SSP) that maps environments handling PHI as CUI to NIST SP 800-171 controls.
  • Track gaps with a Plan of Action & Milestones (POA&M) and document data flows, system boundaries, and inheritance of controls.

Access control and authentication

  • Enforce least privilege and role‑based access; review entitlements routinely.
  • Require multifactor authentication for privileged and remote access.
  • Isolate CUI environments from corporate networks and implement strong session management.

Protect data in transit and at rest

Marking, dissemination, and records management

  • Apply required CUI markings, including category indicators for PHI where specified.
  • Limit sharing to authorized recipients with a need‑to‑know; honor dissemination controls.
  • Retain, archive, and decontrol or dispose of CUI in accordance with agency guidance and contract terms.

Monitoring, logging, and incident response

  • Log access and administrative actions; protect, review, and retain audit records.
  • Establish incident detection and response processes that satisfy both HIPAA breach notification and any agency‑imposed reporting timelines.
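The access-control bullets (least privilege, MFA for privileged and remote access), the dissemination-control bullets, and the audit-log review bullet above can all be exercised against the same audit trail. The following Python script is an added example, not code from the original article or from Accountable: it parses a constructed JSON-lines audit log for a system that holds PHI as CUI and flags events that violate a simplified policy. The log format, the role names, the record identifiers, the 10.0.0.0/8 "internal" range, and the `CUI//SP-HLTH` marking string (modelled on the CUI Registry's health-information category marking; verify against the current Registry) are all assumptions made for the example.

```python
"""Audit-log review for a system handling PHI as CUI.

Added example, not code from the original article. The log format,
roles, addresses, record ids and marking strings are constructed.
"""
import ipaddress
import json

# Assumed policy, mirroring the article's handling requirements.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")          # assumption
CUI_ROLES = {"scheduler", "billing", "admin", "vendor"}    # entitled to read CUI
EXPORT_ROLES = {"admin"}                                   # may export/disseminate CUI
PRIVILEGED_ROLES = {"admin"}                               # MFA always required

# Constructed sample audit records (not real data).
SAMPLE_LOG = """\
{"ts":"2025-09-26T08:01:10Z","user":"jdoe","role":"scheduler","action":"read","record":"vha-12345","class":"CUI//SP-HLTH","mfa":true,"src":"10.1.4.22"}
{"ts":"2025-09-26T08:03:42Z","user":"asmith","role":"billing","action":"read","record":"vha-12345","class":"CUI//SP-HLTH","mfa":true,"src":"10.1.4.30"}
{"ts":"2025-09-26T08:05:00Z","user":"root","role":"admin","action":"export","record":"vha-12345","class":"CUI//SP-HLTH","mfa":false,"src":"203.0.113.9"}
{"ts":"2025-09-26T08:06:15Z","user":"jdoe","role":"scheduler","action":"read","record":"mkt-777","class":"PUBLIC","mfa":false,"src":"10.1.4.22"}
{"ts":"2025-09-26T08:07:30Z","user":"ctr-vendor","role":"vendor","action":"export","record":"vha-12345","class":"CUI//SP-HLTH","mfa":true,"src":"10.1.4.40"}
{"ts":"2025-09-26T08:09:05Z","user":"mwong","role":"marketing","action":"read","record":"vha-12345","class":"CUI//SP-HLTH","mfa":true,"src":"10.1.4.50"}
"""


def parse_log(text):
    """Parse JSON-lines audit text into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_cui(event):
    """CUI-marked records carry a marking beginning with 'CUI'."""
    return event["class"].startswith("CUI")


def is_remote(event):
    """Remote access means the source address is outside the internal range."""
    return ipaddress.ip_address(event["src"]) not in INTERNAL_NET


def review_event(event):
    """Return the list of policy findings for one event (empty if compliant)."""
    findings = []
    if not is_cui(event):
        return findings  # non-CUI records are outside this policy
    if event["role"] not in CUI_ROLES:
        findings.append("NO_ENTITLEMENT")           # least privilege violated
    if event["action"] == "export" and event["role"] not in EXPORT_ROLES:
        findings.append("UNAUTHORIZED_DISSEMINATION")  # dissemination control
    if not event["mfa"] and (event["role"] in PRIVILEGED_ROLES or is_remote(event)):
        findings.append("MFA_REQUIRED")             # MFA for privileged/remote
    return findings


def review(text):
    """Review a whole log; return one entry per event that has findings."""
    results = []
    for event in parse_log(text):
        findings = review_event(event)
        if findings:
            results.append({"ts": event["ts"], "user": event["user"],
                            "record": event["record"], "findings": findings})
    return results


if __name__ == "__main__":
    for hit in review(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['user']:<11} {hit['record']:<10} {', '.join(hit['findings'])}")
```

Running the script reports three events: the administrator's export without MFA, the vendor account's export (read entitlement but no export entitlement), and the marketing account's read of a CUI record. Reads of the `PUBLIC` record are ignored because the policy keys on the CUI marking rather than on the record's sensitivity, which is the same logic the article applies to the CUI designation itself.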

Vendor and subcontractor oversight

  • Flow down CUI clauses and HIPAA requirements to every subcontractor that touches PHI as CUI.
  • Assess and monitor third‑party compliance; restrict portable media and unmanaged devices.

Training and operational safeguards

Conclusion

PHI becomes CUI when a federal authority designates or requires extra protection for it. In those cases, you must pair HIPAA’s privacy and security rules with the CUI framework in 32 CFR Part 2002 and implement NIST SP 800-171 controls for nonfederal systems. Doing so strengthens healthcare data protection and demonstrates federal contractor compliance.

FAQs

When does PHI qualify as CUI?

PHI qualifies as CUI when it is created for, collected by, or maintained on behalf of a federal agency and a law, regulation, policy, or agreement requires safeguarding or restricts dissemination. Typical triggers include federal contracts, grants, cooperative agreements, or intergovernmental data‑sharing arrangements that designate the data as CUI.

What regulations govern the handling of PHI as CUI?

Handling is governed by the CUI Program in 32 CFR Part 2002, your agency’s CUI policies and contract clauses, and HIPAA privacy and security requirements. For nonfederal systems that store or transmit the data, NIST SP 800-171 defines the security controls you must implement.

How is PHI protected differently when it is considered CUI?

Beyond HIPAA safeguards, CUI status adds federal information safeguarding measures: mandatory CUI markings, stricter dissemination limits, documented SSP/POA&M, NIST SP 800-171 control implementation, and agency‑specific reporting and oversight. In short, you apply HIPAA plus the uniform CUI framework.

What are examples of PHI not classified as CUI?

Examples include PHI used only within a private provider or commercial health plan with no federal nexus; vendor‑hosted PHI for purely commercial clients; fully de‑identified datasets; and aggregate reports that do not identify individuals and are not designated as CUI by an agency.
