Understand Two Key HIPAA Terms: Protected Health Information and Covered Entities
Protected Health Information Overview
Protected Health Information (PHI) is individually identifiable health information that a covered entity or its business associate creates, receives, maintains, or transmits. It can exist in any medium, whether paper records, spoken conversations, or electronic files (ePHI), and is protected by HIPAA compliance requirements. Excluded are employment records a covered entity holds purely as an employer, education records covered by FERPA, and records of individuals who have been deceased for more than 50 years.
What PHI Includes
PHI links health details to a person through identifiers such as name, address, birth date, contact data, medical record numbers, or device identifiers. When these identifiers connect to diagnoses, test results, claims, or care notes, the result is Individually Identifiable Health Information subject to PHI disclosure regulations.
Common Contexts
You encounter PHI across scheduling systems, patient portals, billing, and electronic health transactions that move data between providers, health plans, and clearinghouses. Each transfer must meet the safeguard requirements, and every use or disclosure other than for treatment, to the individual, or under the individual's authorization must be limited under the minimum necessary standard.
Definition of Covered Entities
Covered entities are organizations directly regulated by HIPAA: health plans, healthcare providers that transmit information in standard electronic health transactions, and healthcare clearinghouses. If you operate in one of these categories, HIPAA compliance requirements apply to your uses and disclosures of PHI.
When Others Are Involved
Vendors that handle PHI for a covered entity become business associates and must sign Business Associate Agreements defining permitted uses, safeguards, and breach reporting duties.
Roles of Health Plans
Health plans—insurers, HMOs, employer group health plans, and government programs—collect and use PHI to administer benefits, pay claims, conduct utilization review, and manage quality improvement. They must issue a Notice of Privacy Practices, honor member rights (access, amendments, restrictions), and follow PHI disclosure regulations.
Operational Safeguards
Plans implement administrative, physical, and technical safeguards for ePHI, including risk analyses, workforce training, access controls, and incident response. When plans rely on vendors for enrollment, claims adjudication, or analytics, they execute Business Associate Agreements and ensure subcontractors also comply.
Responsibilities of Healthcare Providers
Healthcare providers—such as physicians, clinics, hospitals, and pharmacies—use PHI for treatment, payment, and health care operations while applying the minimum necessary standard outside of direct treatment. They must provide timely patient access, maintain accurate records, and verify identity before disclosures.
Security and Privacy Practices
Providers implement role-based access, encryption where feasible, audit logs, and secure messaging for electronic health transactions like eligibility checks and claims. Workforce training, breach notification procedures, and regular risk assessments are core HIPAA compliance requirements for providers.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Functions of Healthcare Clearinghouses
Healthcare clearinghouses convert nonstandard health information they receive from another entity into standard transaction formats—or the reverse—to support claims, remittances, and eligibility inquiries. By translating data, they help all parties meet healthcare clearinghouse standards and code set rules.
Why Clearinghouses Matter
Clearinghouses validate and normalize data, reduce errors, and improve interoperability across systems that exchange PHI. They are covered entities in their own right and may also act as business associates when providing services to health plans or providers.
Importance of Business Associates
Business associates are service providers—such as billing firms, EHR vendors, cloud hosts, consultants, or legal counsel—that create, receive, maintain, or transmit PHI on behalf of a covered entity. They must safeguard PHI and limit use to contractually defined purposes.
Business Associate Agreements
Business Associate Agreements require appropriate safeguards, define permitted disclosures, mandate breach reporting, and flow down requirements to subcontractors. Clear BAAs align day-to-day operations with HIPAA compliance requirements and reduce risk across the PHI lifecycle.
Distinctions Between PHI and De-Identified Data
PHI identifies an individual or can reasonably be used to identify one. De-identified data no longer identifies a person and is outside HIPAA when properly processed using recognized data de-identification methods.
Two Accepted Methods
Under the Safe Harbor method, you remove the 18 identifier classes listed in the rule (names, geographic units smaller than a state, date elements other than year, phone and fax numbers, email addresses, Social Security and medical record numbers, account and beneficiary numbers, device and vehicle serial numbers, URLs, IP addresses, biometric identifiers, full-face photos, and any other unique code or characteristic) and must have no actual knowledge that the remaining data could be used, alone or with other information, to identify the individual. Two details trip people up: ZIP codes may keep their first three digits only when that three-digit area holds more than 20,000 people (otherwise they become 000), and ages over 89, together with any date elements that would reveal such an age, must be collapsed into a single category of 90 or older. Under Expert Determination, a qualified expert applies generally accepted statistical or scientific principles to show that the re-identification risk is very small and documents the methods and results.
Practical Implications
Once data is de-identified, you may analyze, share, or publish it without HIPAA constraints, though strong governance is still prudent. For limited data sets—where certain identifiers remain—you must use a data use agreement to control purpose, safeguards, and re-disclosure.
Understanding what counts as PHI, who the covered entities are, and how de-identification reduces risk helps you choose the right controls, contract terms, and workflows to meet HIPAA compliance requirements while enabling responsible data use.
FAQs
What qualifies as Protected Health Information under HIPAA?
PHI is individually identifiable health information that relates to a person’s health status, provision of care, or payment for care, and includes identifiers like name, address, contact details, medical record numbers, and similar data when linked to health information. It can be in paper, oral, or electronic form.
Who is considered a Covered Entity?
Covered entities are health plans, healthcare providers that transmit data in standard electronic health transactions, and healthcare clearinghouses. These organizations must follow HIPAA compliance requirements for the use, disclosure, and safeguarding of PHI.
How do Healthcare Clearinghouses process health information?
Clearinghouses receive nonstandard health information and convert it into standard formats—or vice versa—to support claims, remittance, eligibility, and related transactions. Their translation and validation services help all parties meet healthcare clearinghouse standards and reduce data errors.
What distinguishes PHI from de-identified data?
PHI identifies an individual or gives a reasonable basis to believe it could, while de-identified data has had identifiers removed under the Safe Harbor method or has been judged by a qualified expert to carry only a very small re-identification risk. Properly de-identified data is not subject to HIPAA.