Two Common HIPAA Privacy Rule Terms Explained: PHI and Uses and Disclosures


Kevin Henry

HIPAA

February 07, 2025

6 minutes read

Definition of Protected Health Information

What HIPAA means by PHI

Protected Health Information (PHI) is individually identifiable health information created, received, maintained, or transmitted by Covered Entities or their business associates. It relates to an individual’s past, present, or future health status, the provision of health care, or payment for care, and it can identify the person or reasonably be used to do so.

PHI exists in any form or medium—including Electronic Protected Health Information (ePHI) stored in systems, transmitted over networks, or shared via mobile devices. Health Information Privacy under HIPAA hinges on whether a regulated entity handles the data; the same facts outside the HIPAA context may not be PHI.

What is not PHI

  • De-identified information (identifiers removed under the Safe Harbor method, or an expert has determined that the re-identification risk is very small).
  • Employment records a company keeps in its role as employer.
  • Education records covered by FERPA and certain student treatment records.

Scope of PHI Identifiers

Common identifiers that trigger PHI status

PHI becomes identifiable when it includes one or more personal identifiers. Examples include:

  • Names; geographic data smaller than a state; all elements of dates (except year) related to an individual.
  • Telephone numbers, email addresses, Social Security numbers, medical record and account numbers.
  • Certificate/license numbers; vehicle and device identifiers; web URLs and IP addresses.
  • Biometric identifiers (finger/voice prints); full-face photos; any other unique code or characteristic.

Special notes on dates and age

Dates such as birth, admission, discharge, or death dates are identifiers. When the Safe Harbor de-identification method is used, ages over 89 are combined into a single category (age 90 or older) to reduce re-identification risk.
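The identifier list and the date/age note above describe a concrete filtering procedure, so here is an added worked example (not code from the original article or from Accountable) that applies those rules to a single patient record: direct identifiers and sub-state geography are dropped, dates are reduced to their year, ages over 89 become "90+", and identifiers embedded in free text are redacted. Field names, the regular expressions, and the sample record are assumptions constructed for this illustration; the design is an allow-list, so any field the policy has not classified is dropped by default rather than leaked.

```python
import re
from datetime import date

# Direct identifiers from the article's list; removed outright (field names assumed).
DIRECT_IDENTIFIERS = {
    "name", "phone", "email", "ssn", "mrn", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "fingerprint_id", "photo",
}
# Date fields: every element except the year is removed.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Geographic fields finer than a state are removed; "state" itself is retained.
GEO_FIELDS = {"street", "city", "zip"}
# Non-identifying fields that may be retained (free text is scrubbed first).
CLINICAL_FIELDS = {"state", "diagnosis", "medications", "notes"}

# Constructed patterns for identifiers that leak into free-text notes; order matters
# (the SSN pattern runs before the looser phone pattern). Not an exhaustive list.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
]


def generalize_age(age):
    """Safe Harbor age rule: ages over 89 collapse into one '90+' bucket."""
    return "90+" if age > 89 else age


def year_only(value):
    """Keep only the year of a date object or an ISO 8601 date string."""
    if isinstance(value, date):
        return value.year
    return int(str(value)[:4])


def scrub_free_text(text):
    """Replace identifier-looking substrings in free text with category labels."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record):
    """Return (deidentified_record, dropped_field_names).

    Allow-list design: a field survives only if it is classified above, so an
    unanticipated identifier ("any other unique code or characteristic") is
    dropped by default. The dropped list is returned for audit purposes.
    """
    out, dropped = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in GEO_FIELDS:
            dropped.append(key)
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = year_only(value)
        elif key == "age":
            out["age"] = generalize_age(int(value))
        elif key in CLINICAL_FIELDS:
            out[key] = scrub_free_text(value) if isinstance(value, str) else value
        else:
            dropped.append(key)  # unclassified field: deny by default
    return out, dropped


SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "birth_date": "1931-04-12",
    "age": 93,
    "admission_date": date(2024, 11, 3),
    "street": "1 Main St", "city": "Springfield", "zip": "01101", "state": "MA",
    "diagnosis": "I10",
    "notes": "Spouse reachable at 555-123-4567; follow up 12/01/2024.",
    "wearable_serial": "WX-0099",  # not in any allow-list, so it is dropped
}

if __name__ == "__main__":
    cleaned, removed = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("dropped:", removed)
```

Running the block prints a record containing only `birth_year`, `age` ("90+"), `admission_year`, `state`, `diagnosis`, and the scrubbed `notes`; the unclassified `wearable_serial` field is reported as dropped, which is the behaviour you want when a new data source adds a column nobody has classified yet.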

Understanding Uses of PHI

“Use” means internal handling

In HIPAA, a “use” of PHI occurs inside your organization. Accessing charts for treatment, running billing processes, quality improvement, internal analytics, and training are examples of uses. The Minimum Necessary Standard generally applies, so workforce members access only the PHI needed for their roles.

Operational examples

  • Treatment: clinicians reviewing histories, medications, or labs to deliver care.
  • Payment: coding, claims submission, eligibility inquiries, and utilization review.
  • Health care operations: quality assessment, auditing, credentialing, or business planning.

Understanding Disclosures of PHI

“Disclosure” means sharing outside your entity

A “disclosure” is the release, transfer, provision of access to, or divulging of PHI to a person or entity outside your organization. This includes sharing with the individual, other providers, payers, public health authorities, or business associates.


Examples of disclosures

  • Sending records to another provider for continuity of care.
  • Providing claim documentation to a health plan.
  • Submitting reportable conditions to public health authorities.
  • Sharing PHI with a vendor performing services under a Business Associate Agreement.

Permitted Uses and Disclosures without Authorization

Treatment, payment, and health care operations (TPO)

You may use or disclose PHI for TPO without written permission when it is necessary to deliver care, get paid, or run operations. You may also disclose PHI to the individual and make certain incidental disclosures that occur as a byproduct of an otherwise permitted activity.

National Priority Purposes

HIPAA allows uses and disclosures for specific public interest and benefit activities—often called National Priority Purposes—without individual authorization, subject to conditions:

  • Required by law; public health activities; reporting abuse, neglect, or domestic violence.
  • Health oversight; judicial and administrative proceedings; law enforcement purposes.
  • Decedents (coroners/medical examiners/funeral directors); organ, eye, or tissue donation.
  • Research under an IRB/Privacy Board waiver or as a limited data set; activities to avert a serious threat.
  • Specialized government functions (e.g., military, national security); workers’ compensation.

Authorization Requirements

Any use or disclosure not otherwise permitted must meet Authorization Requirements: a valid, written authorization that specifies what PHI may be shared, with whom, for what purpose, and its expiration. Individuals may revoke authorizations in writing, and you must keep documentation.

Minimizing PHI Use and Disclosure

Applying the Minimum Necessary Standard

Adopt role-based access, need-to-know workflows, and targeted data fields so only the minimum necessary PHI is used or disclosed. The standard does not apply to treatment, disclosures to the individual, uses/disclosures under a valid authorization, disclosures to HHS for compliance review, or uses/disclosures required by law.
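To show how the Minimum Necessary Standard and its exceptions translate into an enforceable control, here is an added example (not code from the original article or from Accountable) of a role- and purpose-aware filter: exempt purposes receive the full record, every other request is intersected with the role's need-to-know allow-list, an unknown role receives nothing, and each decision produces an audit line that flags over-broad requests for later review. The role names, purpose labels, field names, and sample record are assumptions constructed for this illustration.

```python
from dataclasses import dataclass

# Purposes the article lists as exempt from the Minimum Necessary Standard
# (labels are assumptions for this example).
EXEMPT_PURPOSES = {
    "treatment", "disclosure_to_individual", "valid_authorization",
    "hhs_compliance_review", "required_by_law",
}

# Need-to-know allow-lists per role (assumed roles and field names).
ROLE_FIELDS = {
    "billing": {"mrn", "insurance_id", "service_dates", "procedure_codes", "diagnosis_codes"},
    "quality_analyst": {"mrn", "diagnosis_codes", "service_dates", "outcome"},
    "front_desk": {"name", "phone", "appointment_time"},
}


@dataclass
class AccessDecision:
    released: dict   # fields actually handed to the requester
    withheld: list   # requested fields refused by the policy
    exempt: bool     # True when the standard did not apply to this purpose


def minimum_necessary(record, role, purpose, requested=None):
    """Filter a PHI record down to what the role needs for the stated purpose.

    Exempt purposes receive every requested field. Otherwise the request
    (default: all fields) is intersected with the role's allow-list; an
    unknown role has an empty allow-list, so it receives nothing.
    """
    requested = list(record) if requested is None else list(requested)
    if purpose in EXEMPT_PURPOSES:
        return AccessDecision({k: record[k] for k in requested if k in record}, [], True)
    allowed = ROLE_FIELDS.get(role, set())
    released = {k: record[k] for k in requested if k in allowed and k in record}
    withheld = [k for k in requested if k not in allowed]
    return AccessDecision(released, withheld, False)


def audit_record(actor, role, purpose, decision):
    """One log line per access so over-broad requests can be detected later."""
    flag = "OVERBROAD" if decision.withheld else "OK"
    return (f"actor={actor} role={role} purpose={purpose} exempt={decision.exempt} "
            f"released={sorted(decision.released)} withheld={sorted(decision.withheld)} {flag}")


SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "J. Example", "mrn": "MRN-0001", "phone": "555-000-0000",
    "insurance_id": "INS-42", "service_dates": ["2024-11-03"],
    "procedure_codes": ["99213"], "diagnosis_codes": ["I10"],
    "outcome": "stable", "appointment_time": "09:00",
    "notes": "free-text clinical narrative",
}

if __name__ == "__main__":
    # A billing user asks for more than billing needs; name and notes are withheld.
    decision = minimum_necessary(SAMPLE_RECORD, "billing", "payment",
                                 requested=["name", "mrn", "procedure_codes", "notes"])
    print(audit_record("user-123", "billing", "payment", decision))
```

The audit line is the detection hook: a steady stream of OVERBROAD entries from one account or one integration is the signal that a workflow (or a query template) is asking for more PHI than its role justifies, which is exactly the pattern the standard is meant to surface.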

Techniques to reduce risk

  • De-identify data (expert determination or Safe Harbor) whenever feasible.
  • Use a limited data set with a data use agreement for research, public health, or operations.
  • Segment especially sensitive data when possible and audit access routinely.
  • Safeguard ePHI with strong authentication, encryption in transit and at rest, and prompt patching.

Compliance Requirements under HIPAA Privacy Rule

Who must comply

Covered Entities—health plans, most health care providers that conduct standard electronic transactions, and health care clearinghouses—and their business associates carry HIPAA Compliance Obligations. Contracts must define permitted uses/disclosures and require safeguards and breach reporting.

Core Privacy Rule duties

  • Designate a privacy official; maintain policies, procedures, and sanction processes.
  • Train the workforce; apply the Minimum Necessary Standard; manage authorizations.
  • Provide a Notice of Privacy Practices and honor individual rights (access, amendments, accounting of disclosures, requests for restrictions and confidential communications).
  • Mitigate known violations and investigate incidents; document decisions and retain records.

Interplay with the Security Rule

Because PHI is frequently electronic, the Security Rule requires administrative, physical, and technical safeguards for ePHI. Strong access controls, activity logs, contingency plans, and vendor oversight help operationalize Health Information Privacy across your environment.

Conclusion

By distinguishing PHI, uses, and disclosures—and by aligning daily workflows to the Minimum Necessary Standard and Authorization Requirements—you protect individuals and meet your HIPAA Compliance Obligations. Treat exceptions as narrow, document your rationale, and continuously improve safeguards for both PHI and ePHI.

FAQs

What qualifies as Protected Health Information under HIPAA?

PHI is individually identifiable health information held or transmitted by a Covered Entity or business associate that relates to health status, care provided, or payment for care. If the information identifies someone (or could reasonably do so) and is handled by a regulated entity, it is PHI, whether it is on paper, spoken, or electronic.

How do uses differ from disclosures in the HIPAA Privacy Rule?

A use is internal handling of PHI within your organization; a disclosure is sharing PHI with someone outside your organization, including the patient, another provider, a payer, or a public authority. The distinction helps determine which rules, safeguards, and documentation apply.

When can PHI be used or disclosed without individual authorization?

HIPAA permits uses and disclosures of PHI for treatment, payment, and health care operations; to the individual; for certain incidental disclosures; and for National Priority Purposes such as public health, oversight, law enforcement, research under a waiver, and workers’ compensation, among others—each with specific conditions.

What are the minimum necessary requirements for PHI use and disclosure?

Except for defined exceptions (e.g., treatment, disclosures to the individual, valid authorizations, required-by-law disclosures, and HHS reviews), you must limit PHI to the minimum necessary to accomplish the purpose. Implement role-based access, tailored requests, and data minimization to meet this standard.
