What is HIPAA PHI (Protected Health Information): What do you need to know about PHI & HIPAA?

Updated on June 7, 2021

As a manager or owner of a medical practice, you have to determine if your organization is subject to the Health Insurance Portability and Accountability Act (HIPAA). If it is, your employees have to understand and appreciate the various HIPAA compliance requirements as they relate to the security and privacy of Protected Health Information (PHI). 

You may know that HIPAA is a federal law in the US that was established in 1996. The law outlines the use as well as disclosure of PHI. Did you know that ignorance of HIPAA laws and rules, and the failure to adequately comply with these rules, has resulted in several million-dollar fines and penalties for healthcare firms?

It is no secret that HIPAA compliance is essential. This is especially true since non-compliance penalties and fines can be as high as $250,000, depending on the severity or seriousness of the infraction.

Also, it is worth noting that as more healthcare organizations and companies are turning to efficient electronic methods of storing confidential patient data and ordering treatments, proving HIPAA compliance in today’s digital age has become more critical. 

What is Protected Health Information?

We can define Protected Health Information, also known as PHI, as any personal health information, such as a patient’s Social Security number, that may potentially identify an individual. Note that the information is usually created, disclosed, or used in the ordinary course of providing various healthcare services. 

So, we can say that PHI is personally identifiable and sensitive information in medical or patient records, including conversations between nurses and doctors about treatment. Also, note that PHI includes billing information. 

Note that PHI can include the following:

  • The present, past, or future physical health condition of a person 
  • Healthcare or medical services provided to an individual

In most cases, you will find PHI in various documents, medical forms, and communications like prescriptions, clinic or doctor appointments, MRI and X-Ray results, and billing information.

What is ePHI?

We can define ePHI as Electronic Protected Health Information. It includes all individually identifiable healthcare information that’s created, transmitted, or maintained electronically by eHealth and mHealth products. Did you know that ePHI includes PHI on the web, desktop, mobile, wearable devices, and other technology like email and text messages?

What Information is PHI?

PHI is any healthcare information that we can use to identify an individual. This is true even if the link seems to be tenuous. It is worth noting that HIPAA has specified 18 identifiers for PHI. Note that if a medical record contains any one of these 18 identifiers, it’s deemed to be PHI. 

Some of these identifiers are:

  • Full names or last names 
  • Telephone numbers, including area codes
  • Fax numbers and email addresses
  • Geographical identifiers that are smaller than a state
  • Social Security numbers
  • Medical record numbers

What is not PHI?

Usually, PHI doesn’t include information that your organization creates or maintains for employment records, like employee health records. 

Similarly, keep in mind that health data that you don’t share with a covered entity or data that cannot be used to identify a person does not qualify as PHI. This includes blood sugar readings and a temperature scan. 

HIPAA Compliance Requirements – Which Entities Must Comply?

You should know that HIPAA covers many entities, such as the healthcare providers that offer treatment and payment processors in the healthcare industry. And that is not all; it also encompasses all associates and partners with access to confidential patient information that supports these organizations in the discharge or rendering of these services. 

So, covered entities, as well as business associates, have to comply with HIPAA Rules. 

Covered Entities

A covered entity is any organization that creates, collects, or transmits PHI. Remember that healthcare organizations in the US that are deemed covered entities include: 

  • Various covered healthcare providers like chiropractors, dentists, clinics, and doctors.
  • Health plans like health insurance companies, and health maintenance organizations (HMOs).
  • Health care clearinghouses like billing services 


Business Associates

Note that business associates include organizations and people who encounter PHI, such as payment information, in any way to perform tasks or render services on behalf of any covered entity.

Some examples of services include:

  • Billing and accreditation
  • Data analysis
  • Consulting
  • Financial services

You can focus on more critical and pressing issues at your organization by outsourcing medical billing and accreditation to a reliable company, such as UControlBilling.

COVID-19 and HIPAA Compliance 

There is no doubt that the world is considerably different because of the pandemic. Healthcare will change the most, especially over the next couple of years, which is why maintaining privacy compliance is more challenging and complex than in the past.

Did you know that many factors can increase the risk of inappropriate use or disclosure of private health information? Some of them include:

Telehealth Visits

You may know that there has been an increase in the number of healthcare provider visits completed over the web. Most patients are now staying home and seeing their physician or doctor virtually unless in-person visits are absolutely necessary. 

Keep in mind that data protection and security over the Internet is difficult to maintain if you overlook or ignore proper precautions.

Multiple Care Providers

While patients usually see multiple doctors, note that increased testing, as well as varied result times, can make things complicated from a security and privacy standpoint. Note that primary care physicians now receive updates from several testing labs, hospitals, or patients. This means that data is moving in and out at a considerably faster pace.

Meeting HIPAA Compliance Requirements

If you are a covered entity, your organization and your business associates must take the following steps to comply with HIPAA requirements and rules.

Determine the Overall Scope of HIPAA in Your Health Organization

When determining and understanding whether the HIPAA rule is applicable to your organization, you have to decide whether or not you use, transmit, or store PHI in your organization’s environment. Note that if your organization handles PHI, the HIPAA rule will likely apply to you. 

Review Your Procedures and Policies

Your organization must also develop and implement adequate policies and procedures that best reflect the various regulatory standards in the HIPAA Rules. The administrative requirements of HIPAA specify that all covered entities, such as payment processors, must have documented policies and procedures.

You should also review and update policies and procedures in order to account for any changes made by the OCR, ensuring that your external stakeholders, as well as patients, are aware of all these changes.

You should also write down all the steps you plan to take in order to ensure that PHI is protected both on-site and online. Often this means documenting the personnel who have access to sensitive data, the kind of software security used, as well as what happens when a security breach is detected. 


There is no doubt that the most crucial aspect of HIPAA compliance requirements is documentation. You have to maintain documentation, such as organizational workflow charts, facility blueprints, password policies, and training logs. 

You can use a software program to efficiently maintain all the required documents and reduce the hassle and complications of finding these essential documents and records at the last minute before an audit.

Employee Training

Did you know that all employees have to go through HIPAA training? While it’s likely that you will update security procedures and policies regularly, your employees must be adequately trained on the latest standards.

In addition to mandatory annual HIPAA training, note that conducting training frequently is vital as it helps your employees sharpen their understanding and knowledge of the HIPAA law, lowering the risk of inadvertently violating or breaching the standards. 

Perform Risk Assessments and Internal Audits 

To assess technical, administrative, and physical gaps with respect to HIPAA Privacy and Security standards, covered entities and their business associates should conduct risk assessments and internal audits regularly.

Your organization can use a software program to perform these tasks regularly in just a few clicks. Note that the main objective of this exercise is to identify any potential threats to the security and integrity of PHI in a timely manner and then resolve the issues as early as possible.

Final Thoughts 

When it comes to reliable patient care, protecting patient privacy and information, including information that may reveal an individual’s identity or their medical or payment history, is very important.

Note that the general idea or basic premise may seem quite simple: you should treat patient health information, such as Social Security numbers, as you would want yours treated, and do not disclose it to people who don’t need to know.

However, keep in mind that it requires creating robust policies and procedures, providing employee training, and conducting regular audits and risk analyses. 

HIPAA standards and requirements are evolving in an attempt to keep up with the latest technology and industry trends. And for peace of mind, you can consider a HIPAA compliant practice management and EHR service in order to house and protect all your sensitive medical information.
