What is Protected Health Information (PHI)?
Protected Health Information (PHI) is any individually identifiable health information that is created, received, maintained, or transmitted by a HIPAA covered entity or its business associates. PHI is the central concept in HIPAA regulations — the entire framework exists to protect this category of information.
What qualifies as PHI
For information to be classified as PHI, it must meet two criteria:
- It relates to health — the information concerns an individual's past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare
- It is individually identifiable — the information can be linked to a specific individual through one or more of 18 identifiers defined by HIPAA
The 18 HIPAA identifiers
HIPAA defines 18 types of identifiers that, when combined with health information, create PHI:
- Names
- Geographic data smaller than a state
- Dates (except year) related to an individual
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers
- Full-face photographs
- Any other unique identifying number or code
If health information is stripped of all 18 identifiers following the HIPAA Safe Harbor method, it becomes de-identified data and is no longer subject to HIPAA protections.
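As an added illustration of the Safe Harbor stripping described above (example code written for this page, not code from the original or from any product), the following Python drops the identifier classes listed here from a constructed patient record, keeps only the year of each date, and then scans what remains for identifier-shaped strings that survive inside free-text fields. The sample record and the mapping of field names to identifier categories are assumptions about a hypothetical schema.

```python
import re
from datetime import date

# Constructed sample record for illustration; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "dob": "1984-03-17",
    "admit_date": "2023-11-02",
    "zip": "94110",
    "state": "CA",
    "phone": "415-555-0123",
    "email": "jane@example.org",
    "ssn": "123-45-6789",
    "diagnosis": "Type 2 diabetes",
    "notes": "Patient called from 415-555-0123 to reschedule",
}

# Field classes follow the identifier list on this page; which schema field
# belongs to which class is an assumption about this hypothetical record.
DIRECT_IDENTIFIERS = {"name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
                      "account_number", "license", "vin", "device_serial", "url",
                      "ip_address", "photo"}
SUB_STATE_GEOGRAPHY = {"street", "city", "county", "zip"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}
# Identifier-shaped patterns used to catch what field-level stripping misses.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}

def safe_harbor_deidentify(record: dict) -> dict:
    """Drop direct identifiers and sub-state geography; keep only the year of dates."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SUB_STATE_GEOGRAPHY:
            continue
        if key in DATE_FIELDS:
            out[key + "_year"] = date.fromisoformat(value).year  # year alone is kept
            continue
        out[key] = value
    return out

def residual_identifiers(record: dict) -> list:
    """Flag identifier-shaped strings still present, e.g. inside free-text notes."""
    return [(key, label) for key, value in record.items() if isinstance(value, str)
            for label, pattern in IDENTIFIER_PATTERNS.items() if pattern.search(value)]
```

The residual scan is the part worth keeping in a real pipeline: removing named fields leaves anything written into narrative fields untouched, so the record above still carries a phone number after stripping.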
Electronic PHI (ePHI)
Electronic Protected Health Information (ePHI) is PHI that is created, stored, transmitted, or received in electronic form. The HIPAA Security Rule specifically addresses safeguards for ePHI, requiring administrative, physical, and technical controls to protect its confidentiality, integrity, and availability.
ePHI includes data in electronic health records, emails containing patient information, digital images, and any other electronic format.
PHI vs PII
PHI and personally identifiable information (PII) overlap but are not identical:
- PII is any information that can identify an individual, regulated by various federal and state laws
- PHI is specifically health-related PII regulated under HIPAA
A person's name alone is PII but not PHI. A person's name combined with a diagnosis or treatment record is PHI.
Protecting PHI
HIPAA requires covered entities and business associates to implement safeguards to protect PHI:
- Administrative safeguards — risk assessments, workforce training, access management policies, incident response procedures
- Physical safeguards — facility access controls, workstation security, device and media controls
- Technical safeguards — access controls, audit controls, integrity controls, transmission security (encryption)
The Minimum Necessary Rule further requires that access to PHI be limited to the minimum amount needed for a specific purpose.
Penalties for PHI violations
HIPAA violations involving PHI can result in significant penalties:
- Fines ranging from $100 to $50,000 per violation, up to $1.5 million per year per violation category
- Criminal penalties including imprisonment for knowing violations
- Mandatory breach notification to affected individuals, HHS, and potentially media outlets
How episki helps
episki helps organizations identify where PHI exists in their systems, implement required safeguards, and maintain documentation demonstrating HIPAA compliance. The platform tracks access controls, risk assessments, and business associate agreements to ensure comprehensive PHI protection. Learn more on our HIPAA compliance page.