What does PHI stand for?

PHI stands for protected health information. Under HIPAA, it is individually identifiable health information that a HIPAA Covered Entity or its Business Associate holds or transmits in any form or medium, including electronic, paper, and oral communications. PHI is regulated under the HIPAA Privacy Rule; the HIPAA Security Rule adds administrative, physical, and technical safeguards for the electronic subset (ePHI), and the HIPAA Breach Notification Rule governs what must happen when unsecured PHI is impermissibly used or disclosed.

Protected health information includes information that relates to an individual’s past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare, when the information identifies the individual or can reasonably be used to identify the individual. Identifiers can be direct, such as name or Social Security number, or indirect, such as combinations of demographic details, dates, locations, device identifiers, or other data elements that can link the information to a specific person. PHI can exist in clinical records, billing records, appointment systems, lab results, imaging reports, referral documentation, call recordings, and messages exchanged for care or payment activities.

PHI is not limited to medical charts and is not limited to a specific technology. A spoken discussion about a patient in a public area can involve PHI. A faxed referral can contain PHI. An email attachment with a patient name and diagnosis can contain PHI. Workforce members and students should treat any identifiable patient-related information as PHI unless the organization has a documented basis to treat it as de-identified information under the HIPAA Privacy Rule.

Information is not PHI when it is not held or transmitted by a HIPAA Covered Entity or Business Associate, or when it has been properly de-identified under one of the two methods the HIPAA Privacy Rule accepts: Safe Harbor (removal of the listed identifiers) or Expert Determination. Employment records maintained by an employer in its role as employer are not PHI even when the employer is a HIPAA Covered Entity. Compliance programs should define how staff identify PHI, apply the HIPAA Minimum Necessary standard to access and disclosure, and follow the Security Rule controls for electronic protected health information.
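As an added illustration of the Safe Harbor de-identification method referred to above (this is example code written for this page, not code from the article's author or from any HIPAA tool), the function below takes a constructed patient record, drops the fields that map to the Safe Harbor identifier categories, generalizes ZIP codes, dates, and ages as the method requires, and scrubs a few identifier patterns from free text. The field names, the sample record, and the regex patterns are assumptions for the example; the restricted three-digit ZIP list is the one published in HHS guidance and should be checked against current guidance before use.

```python
"""Safe Harbor de-identification of a constructed patient record.

Added example; field names and the sample record below are assumptions,
not a standard schema. Safe Harbor (45 CFR 164.514(b)(2)) requires removal
of 18 identifier categories and, separately, no actual knowledge that the
remaining data could identify the individual.
"""
import re

# Record keys that carry a direct identifier category (name, SSN, MRN,
# contact details, account and device identifiers, URLs, IPs, biometrics, photos).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "ssn", "mrn", "phone", "fax", "email", "account_number",
    "health_plan_id", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric_id", "photo_ref", "other_unique_id",
}

# Three-digit ZIP prefixes with 20,000 or fewer residents per HHS guidance;
# Safe Harbor requires these to be replaced with 000. Verify against current guidance.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Dates directly related to the individual: only the year may be retained.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# Illustrative free-text patterns. Pattern matching catches structured tokens
# such as SSNs and phone numbers but not names, so free text still needs review.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
]


def generalize_zip(zip_code):
    """Keep the first three digits, or 000 if the prefix is on the restricted list."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3:
        return "000"
    return zip3


def generalize_date(value):
    """Reduce an ISO date (YYYY-MM-DD) to its year, the only element Safe Harbor allows."""
    return value[:4]


def generalize_age(age):
    """Ages over 89 must be aggregated into a single '90 or older' category."""
    return "90 or older" if age > 89 else age


def scrub_free_text(text):
    """Replace structured identifier tokens in free text with labels."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def safe_harbor_deidentify(record):
    """Return a new dict with Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # dropped entirely
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif key == "notes":
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    # For a person over 89, even the birth year is indicative of that age and must go.
    if record.get("age", 0) > 89:
        out.pop("dob", None)
    return out


# Constructed sample record (not real data); the ZIP sits in a restricted prefix
# and the age exceeds 89 to exercise both edge cases.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "mrn": "MRN-0099123",
    "email": "jane.sample@example.com",
    "dob": "1931-07-14",
    "age": 93,
    "zip": "03601",
    "admission_date": "2024-03-02",
    "diagnosis": "E11.9",
    "notes": "Pt called from 555-123-4567; spouse email j.sample@example.com. SSN 123-45-6789 on file.",
}

if __name__ == "__main__":
    print(safe_harbor_deidentify(SAMPLE_RECORD))
```

Running this keeps only the diagnosis, the admission year, a ZIP of 000, an age of "90 or older", and scrubbed notes. Note what the example does not do: it cannot recognize a patient's name written into free text, and it says nothing about the indirect identifiers the article mentions, such as a rare diagnosis combined with a small-population ZIP prefix; those are exactly the cases where Expert Determination, rather than mechanical Safe Harbor stripping, is the appropriate method.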

About Christine Garcia 1252 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA