Protected Health Information (PHI) Under HIPAA: What Counts and How to Stay Compliant
Protected Health Information (PHI) is the backbone of HIPAA compliance. If you create, receive, maintain, or transmit PHI as a Covered Entity or Business Associate, you must align with the Privacy Rule, Security Rule, and Breach Notification Rule. This guide clarifies what counts as PHI and how to build a practical HIPAA Compliance Program that protects Electronic Protected Health Information (ePHI) end to end.
Defining Protected Health Information
PHI is individually identifiable health information related to a person’s past, present, or future physical or mental health or condition, the provision of health care, or payment for health care. It remains PHI when stored or transmitted in any form—paper, verbal, or electronic (ePHI)—by a Covered Entity or its Business Associates.
Not all health-related data is PHI. De-identified information is not PHI when either the Safe Harbor method is applied (all 18 listed identifiers are removed and the Covered Entity has no actual knowledge that the remaining information could identify the individual) or a qualified expert determines and documents that the risk of re-identification is very small. Employment records held by a Covered Entity in its role as employer and student records covered by FERPA are also excluded.
ePHI simply refers to PHI in electronic form. Because most modern workflows are digital, safeguarding ePHI is central to any Security Risk Assessment and ongoing HIPAA Compliance Program.
Identifying Individually Identifiable Information
HIPAA’s Safe Harbor method lists 18 identifiers. Health or payment information that carries any of them (for the individual, or for the individual’s relatives, employers, or household members) is individually identifiable and therefore PHI:
- Names
- Geographic subdivisions smaller than a state: street address, city, county, precinct, and ZIP code (the first three digits of a ZIP code may be kept when the area they cover contains more than 20,000 people; otherwise they must be changed to 000)
- All elements of dates (except year) directly related to an individual, such as birth, admission, discharge, and death dates; ages over 89, and any date element (including year) that reveals such an age, must be removed or aggregated into a single “90 or older” category
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (for example, fingerprints or voiceprints)
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
If all of these identifiers are removed and you have no actual knowledge that the remaining information could identify the individual, the data is de-identified under Safe Harbor and outside HIPAA’s PHI scope. Leaving any identifier in place (or retaining an identifier of a relative, employer, or household member) means the Safe Harbor standard is not met, however low the practical re-identification risk seems.
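As an added example that is not part of the original article: a Python de-identifier that applies the Safe Harbor rules above to a constructed patient record. It drops direct identifiers, generalizes ZIP codes to three digits (or 000), reduces dates to the year, collapses ages over 89 into 90+, and scrubs identifiers that leak into free-text notes. The field names, the sample record, and the contents of the restricted ZIP prefix set are assumptions for illustration; the prefix set must be populated from current Census data, and Safe Harbor still requires that you have no actual knowledge that the remaining data could identify someone.

```python
"""Safe Harbor de-identification of a patient record.

Added illustration, not code from the original article. Field names, the
sample record, and RESTRICTED_ZIP3 are assumptions for demonstration.
"""
import re
from datetime import date

# Three-digit ZIP prefixes whose area holds 20,000 people or fewer must become
# "000" rather than the prefix. ASSUMPTION: illustrative values only; populate
# this set from current Census data before relying on it.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Structured fields that are direct identifiers and are dropped outright.
# ASSUMPTION: field names are invented for the example.
DROP_FIELDS = {"name", "mrn", "ssn", "phone", "fax", "email", "plan_id",
               "account_no", "license_no", "vin", "device_serial", "url",
               "ip", "fingerprint", "photo"}

# Identifiers that tend to leak into free-text notes. Order matters: the SSN
# pattern runs before the phone pattern so "123-45-6789" is tagged as an SSN.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\bhttps?://\S+"), "[URL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    # mm/dd/yyyy -> keep only the year, which Safe Harbor permits
    (re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"), r"\1"),
]

AS_OF = date(2024, 9, 1)  # reference date for age computation (constructed)


def generalize_zip(zip_code: str) -> str:
    """Keep the three-digit ZIP prefix unless its area is too small to be safe."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def scrub_text(text: str) -> str:
    """Replace identifiers found in free text with category tags."""
    for pattern, replacement in FREE_TEXT_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def deidentify(record: dict, as_of: date = AS_OF) -> dict:
    """Apply the Safe Harbor rules to one record and return the reduced copy.

    Safe Harbor also requires removing identifiers of relatives, employers and
    household members, and that you have no actual knowledge the remaining data
    could identify the person; the latter is a human check, not a code path.
    """
    out = {}
    dob = record.get("dob")
    age = age_on(dob, as_of) if isinstance(dob, date) else None
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue  # direct identifier: remove entirely
        if key == "zip":
            out[key] = generalize_zip(value)
        elif isinstance(value, date):
            # Dates keep only the year; a birth year that reveals an age over
            # 89 is itself indicative of that age and is removed as well.
            if key == "dob" and age is not None and age > 89:
                continue
            out[key] = value.year
        elif key == "notes":
            out[key] = scrub_text(value)
        else:
            out[key] = value
    if age is not None:
        out["age"] = "90+" if age > 89 else age
    return out


# Constructed sample record; every value is made up for the example.
SAMPLE = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0042",
    "ssn": "123-45-6789",
    "dob": date(1930, 3, 15),
    "zip": "03601",
    "admitted": date(2024, 7, 2),
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": "Pt called from 555-123-4567; follow-up 07/09/2024; portal https://example.org/p",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
```

Running `deidentify(SAMPLE)` yields a record with no name, MRN, SSN, or birth date, `age` of `90+`, `zip` of `000` (the constructed prefix set marks 036 as restricted), `admitted` reduced to 2024, and notes reading `Pt called from [PHONE]; follow-up 2024; portal [URL]`. Regex scrubbing of free text is a best-effort control: it will not catch names, nicknames, or employer names in clinical narrative, so production de-identification of notes normally relies on a dedicated tool or on the Expert Determination method rather than on Safe Harbor alone.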
Implementing Safeguards
Effective safeguards combine administrative, physical, and technical controls so you can enforce minimum necessary use, prevent unauthorized access, and prove diligence.
- Administrative safeguards: policies and procedures, risk management, sanctions, and documented role-based access aligned to the Privacy Rule’s minimum necessary standard.
- Physical safeguards: facility access controls, workstation security, secure media storage, and disposal procedures for devices that store ePHI.
- Technical safeguards: unique user IDs, multi-factor authentication, automatic logoff, audit logs, integrity controls, encryption, and transmission security.
Strengthen daily operations with practical measures: vendor due diligence and Business Associate Agreements, least-privilege access, change management, patching, endpoint protection, mobile device management, data loss prevention, and regular log review.
Conducting Risk Assessments
A Security Risk Assessment is the foundation of the HIPAA Security Rule. It helps you identify where ePHI lives, who touches it, what could go wrong, and how to mitigate those risks proportionately.
- Inventory systems and data flows that create, receive, maintain, or transmit ePHI, including cloud services and Business Associates.
- Identify threats and vulnerabilities (for example, phishing, stolen devices, misconfigurations, unpatched software, insider errors).
- Analyze likelihood and impact, rank risks, and document a remediation plan with owners and deadlines.
- Implement controls, verify effectiveness, and update the assessment periodically and when major changes occur.
- Maintain evidence: reports, decisions (including “addressable” choices), and ongoing monitoring results.
Treat the assessment as a living process that feeds your HIPAA Compliance Program, budget, and roadmap.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Ensuring Encryption of ePHI
Encryption is a powerful control for confidentiality and breach risk reduction. Under the Security Rule, encryption is an “addressable” specification—if reasonable and appropriate, implement it; if not, document why and adopt an equivalent alternative. In practice, modern environments should encrypt by default.
- In transit: use strong transport encryption (for example, TLS for web portals and APIs, secure email options, and VPN or equivalent for remote access).
- At rest: apply full-disk or volume encryption to servers, laptops, and mobile devices; encrypt databases, backups, and removable media that may store ePHI.
- Key management: control and rotate keys, restrict access, separate duties, and monitor for misuse.
- Mobile and remote: require device encryption, screen locks, remote wipe, and containerization for BYOD.
Properly encrypted ePHI is not “unsecured PHI” under the Breach Notification Rule, so the loss or theft of a device is not a reportable breach when the data was encrypted in line with HHS guidance (NIST-approved algorithms and key lengths) and the decryption key was not compromised along with the device. A key stored on the same laptop, a password written on the case, or a device that was powered on and unlocked when taken does not meet that bar. Keep evidence of encryption status and key custody for each asset so you can support the determination when an incident occurs.
Establishing Breach Notification Protocols
Your incident response plan should define how you detect, escalate, investigate, contain, and report suspected breaches of unsecured PHI. Move quickly and document every step.
- Assess incidents using HIPAA’s four-factor risk assessment: the nature and extent of the PHI (including the identifiers involved and the likelihood of re-identification), the unauthorized person who used the PHI or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. An impermissible use or disclosure is presumed to be a breach unless this assessment shows a low probability that the PHI has been compromised.
- Notification timelines: notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery; the 60 days are an outer limit, not a target.
- Who to notify: affected individuals; the Department of Health and Human Services (at the same time as individuals when 500 or more individuals are affected, otherwise through an annual log submitted within 60 days after the end of the calendar year); and prominent media outlets serving a state or jurisdiction when more than 500 of its residents are affected.
- Business Associates must notify the Covered Entity without unreasonable delay and no later than 60 calendar days after discovery; contracts should set faster time frames and clear roles, because the Covered Entity’s own clock starts when the Business Associate discovers the breach if the Business Associate is acting as its agent.
- Content of notices: what happened, what information was involved, steps individuals should take, what you are doing to mitigate and prevent recurrence, and contact information.
Rehearse your process with tabletop exercises, align legal review early, and preserve logs and forensic artifacts to support analysis and regulatory inquiries.
Providing Workforce Training
People handle PHI every day, so training is one of your strongest controls. Provide onboarding and regular refreshers tailored to roles, and document attendance and comprehension.
- Teach Privacy Rule basics, minimum necessary, permissible uses and disclosures, verifying identity, and how to share PHI for treatment, payment, and health care operations.
- Cover Security Rule essentials: password hygiene, phishing awareness, secure messaging, remote work practices, and incident reporting.
- Explain Breach Notification Rule triggers and internal escalation paths so staff report issues immediately.
- Include vendor handling, Business Associate Agreements, device security, media disposal, and social engineering simulations.
- Measure effectiveness with audits and drills; apply sanctions for policy violations consistently.
When you define PHI correctly, map identifiers, implement layered safeguards, run a recurring Security Risk Assessment, encrypt ePHI, formalize breach response, and train your workforce, you build a durable HIPAA Compliance Program that protects patients and your organization.
FAQs
What types of information are considered PHI under HIPAA?
PHI includes any individually identifiable health information related to a person’s health, care, or payment that is created, received, maintained, or transmitted by a Covered Entity or Business Associate. It spans paper, verbal, and electronic forms and is identifiable when common identifiers (such as names, contact details, account numbers, or photos) are present with health or billing data.
How can covered entities ensure PHI is protected?
Build a risk-based program: complete a Security Risk Assessment, apply administrative/physical/technical safeguards, enforce least privilege, log and review access, encrypt ePHI in transit and at rest, manage vendors with Business Associate Agreements, train staff regularly, and rehearse incident response and breach notification procedures.
What are the consequences of a PHI breach?
Consequences include mandatory notifications, regulatory investigations, corrective action plans, civil monetary penalties that scale with culpability and extent, contractual impacts with Business Associates, operational disruption, and reputational damage. Strong encryption and rapid containment can reduce risk and obligations.
How does HIPAA define a business associate?
A Business Associate is any person or organization that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity (or another Business Associate). Examples include cloud providers, billing services, analytics vendors, and IT support. Written Business Associate Agreements are required to set allowable uses and safeguard obligations.