The difference between primary and secondary use of PHI
Caitlin Anthoney October 10, 2025
Protected health information (PHI) is any identifiable health data, like medical records, test results, or billing details, that relates to a person’s health, care, or payment for care.
PHI created, received, stored, or transmitted by a covered entity (like a doctor, hospital, or health plan) or their business associate must be safeguarded under HIPAA law.
Primary vs. secondary use of PHI
The distinction between primary and secondary use of PHI defines how and why data are shared, and determines the level of trust patients place in healthcare systems.
In 2024, eClinicalMedicine published a systematic review on health data sharing attitudes towards primary and secondary use of data across 228,501 participants. The authors found, “Sharing intentions for primary purposes were observed to be high regardless of data type, and it was higher than sharing intentions for secondary purposes.”
That difference reveals public concern over data use and why we need secure, transparent systems that protect PHI.
Understanding the primary use of PHI
Primary use refers to the handling of health information for direct patient care. It covers diagnosis, treatment, medication management, and care coordination between professionals directly involved in a patient’s health journey.
The systematic review defines it as “use typically performed by the entities that produce or collect these data while providing real-time, direct care to healthcare consumers.”
Every time a clinician documents symptoms, reviews lab results, or updates a patient’s electronic health record (EHR), PHI is being used in its primary sense. The information flow gives healthcare providers accurate, up-to-date insights to make safe clinical decisions.
For example, when a patient’s cardiologist reviews EKG results from their primary care provider or consults lab results through a shared portal, that’s a primary use of PHI. The purpose is immediate and therapeutic, directly influencing care outcomes.
The expanding reach of secondary use
Secondary use describes how PHI is used for research, policy, public health, or technological development. As the eClinicalMedicine review notes, “Secondary use of data refers to non-direct care use of health information, such as analysis, research, quality/safety measurement, public health, payment, provider certification or accreditation, education/teaching services.”
These uses often occur at a larger scale. For example, researchers might analyze thousands of anonymized records to identify risk factors for stroke, or policymakers may use aggregated PHI to plan national vaccination programs. Additionally, pharmaceutical companies could use de-identified data to track medication safety.
Secondary use has been integral to medical progress over the last two decades, experiencing “an expansion for both clinical and public health research, publishing national statistics, education, developing algorithms, and others.”
Why secondary use matters
The potential benefits of secondary PHI use can accelerate medical breakthroughs, support evidence-based policies, and reduce redundancies in research. More specifically, “sharing health data can lead to improved data transparency, better research reproducibility, and increased cost-effectiveness as a result of minimizing the repetition of research work.”
For instance, the United Kingdom’s National Health Service (NHS) saw tangible improvements after strengthening its data-sharing systems between primary and secondary care. “During the period between 2015 and 2019, the NHS evidenced a rapid evolution of interoperable technology that allowed data to easily be shared between primary and secondary care practitioners,” the review notes.
This led to “a reduction in the number of patients breaching an Accident & Emergency 4-hour decision time threshold and an improved experience for patients.”
The example shows how responsible secondary use can improve efficiency and patient outcomes. At the same time, it shows why trust and security must improve with technology.
Public concerns around data sharing
According to the review, “concerns related to data sharing that were found to be mutual for all data types included privacy, security, and data access/control.”
Attitudes change depending on how PHI is used and who receives it. The review noted that people are more likely to share their information when it supports public or academic goals, but become cautious when private or commercial entities are involved. “People tend to change their attitude towards data use depending on whether they consider the secondary research ‘acceptable’ (e.g., health service) and ‘unacceptable’ (e.g., commercial) research.”
These perceptions are consistent with a growing public expectation of accountability. Patients want assurances that their PHI won’t be monetized, misused, or exposed. Moreover, they want visibility into where their data goes and how it is protected.
Consent and anonymization
HIPAA and global data protection regulations like the GDPR address many of these concerns through strict consent and de-identification requirements. The eClinicalMedicine authors point out that willingness to share PHI “largely depends on the level of anonymity of health data, which can be either anonymous, de-identified, reversibly anonymous, or identifiable.” They found that “people express higher support for sharing their health data with higher levels of privacy.”
These findings show that patients want secure, transparent systems that allow them to control their information without impeding scientific progress.
When primary and secondary uses overlap
In practice, primary and secondary uses often intersect. For example, a hospital may collect data to improve patient care (primary use) while simultaneously analyzing trends to refine internal safety protocols (secondary use).
The review also shows that advances in interoperability (where systems across departments and facilities communicate seamlessly) can improve patient outcomes. Specifically, the authors note, “Primary to secondary care data-sharing capabilities were associated with a reduction in the number of patients breaching decision time thresholds.”
However, without proper encryption or compliance controls, the same interoperability can introduce risk. A single misrouted email or unsecured data exchange could compromise thousands of patient records. That’s why healthcare providers must use HIPAA compliant communication tools. These protect data flowing between care teams and researchers, whether it’s being used primarily, secondarily, or somewhere in between.
HIPAA compliant email platforms, like Paubox, allow exactly that, so healthcare providers can communicate and transmit necessary PHI without risking unauthorized disclosure.
Technology is driving secondary use
Advancements like artificial intelligence (AI) and digital twins rely heavily on PHI reuse. A “digital twin” is a simulated model of a patient or organ that helps clinicians predict treatment outcomes. The researchers describe it as “a digital model or replication of physical entities—for example, it can be a virtual replica of human organs, tissues, cells that is used for predicting corresponding future scenarios.”
These innovations can improve personalized medicine, allowing simulations that anticipate how a patient might respond to surgery or drug therapy. However, they also require strong privacy standards. As the authors note, “the synergy between artificial intelligence and big data is continuously leveraging novel algorithms that are used in disease prediction, diagnosis, or in predicting therapeutic outcomes.”
Without secure communication channels, even well-intentioned projects could expose sensitive health details. HIPAA compliant email platforms provide a safeguard, so PHI shared for AI training or algorithm validation stays encrypted and auditable.
The ethics of sharing
The eClinicalMedicine study traces the rise of what organizations such as the Wellcome Trust and the U.S. Institute of Medicine have described as an “ethical obligation to share” health data for the public good. However, the researchers emphasize, ethical sharing must align with “the interests of the public (donors of health data)” and maintain “public support.”
That balance requires compliance and communication. Patients are more likely to consent to secondary use when they understand how their data will contribute to better health outcomes. So, instead of using generic consent forms, providers must use a HIPAA compliant consent form to build patient trust.
Healthcare providers can also send privacy notices, research participation information, or updates about data protection measures securely, so patients stay informed and confident that their PHI is being handled responsibly.
What the evidence shows
Across 116 studies analyzed, the review found overwhelming support for sharing PHI for primary care and showed cautious optimism toward certain secondary uses, especially non-commercial research.
As the authors summarize, “People are more open to [sharing] their data for the means of receiving care. Although a great number of studies concluded high support for some secondary uses (such as for non-commercial research), the attitude varies greatly depending on the type of data recipient.”
Trust hinges less on the data itself and more on who holds it. Hospitals, universities, and public health agencies tend to be seen as trustworthy stewards, while private firms elicit skepticism. Consequently, transparent communication and robust compliance frameworks help prevent even the appearance of misuse.
Rebuilding trust through secure communication
All healthcare organizations handle PHI through a variety of primary and secondary uses. What differentiates ethical, trustworthy systems from those that raise concern is the way they uphold security and transparency.
HIPAA compliant email enables providers, researchers, and public health employees to exchange PHI without breaching privacy. In contrast to normal email, which exposes data to forwarding or interception, Paubox Email Suite encrypts every message automatically and delivers it right to the recipient's inbox without portals or passwords.
That level of simplicity and security can reinstate patient trust in the sharing of data. If patients know their data is kept safe between treatment groups or researchers, they'll be more inclined to consent to secondary use that drives innovation.
Why secure sharing defines modern care
The conversation about primary and secondary PHI use is ethical, social, and deeply human. When PHI fuels discoveries that benefit others, it carries enormous potential and responsibility.
The study adds, “Sharing health data is a complex issue that is influenced by various factors (the type of health data, the intended use, the data recipient, among others).” Their findings suggest, “Overcoming barriers, addressing concerns, and spreading awareness about data sharing practices may lead to a more active data-sharing society.”
In other words, patients will share when they trust the system. Here, the trust comes from secure communication, transparent consent, and adherence to privacy standards like HIPAA.
FAQs
What qualifies as PHI under HIPAA?
Under HIPAA, protected health information (PHI) includes any information that can identify an individual and relates to their health, treatment, or payment for care. It includes names, addresses, birth dates, Social Security and medical record numbers, insurance information, and any clinical data linked to those identifiers.
Who is responsible for protecting PHI?
HIPAA places the duty of protecting PHI on covered entities, like hospitals, clinics, doctors, and health plans, and their business associates, such as billing companies, cloud service providers, and HIPAA compliant email platforms. Both parties must implement administrative, technical, and physical safeguards to prevent unauthorized access or disclosure.
What is not considered PHI?
Information is not considered PHI once it has been de-identified, meaning all 18 HIPAA-defined identifiers are removed and there’s no reasonable way to trace the data back to an individual. De-identified data can typically be used for research, analytics, and public health reporting without patient consent.
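As an added illustration of what “removing the 18 HIPAA-defined identifiers” looks like in practice (this is example code written for this page, not Paubox’s software or anything from the cited review), the Python below applies a simplified version of HIPAA’s Safe Harbor method to a constructed patient record: direct identifiers are dropped, dates are reduced to the year, ZIP codes are truncated to three digits, and ages over 89 are collapsed to “90+”. It also scans the remaining free-text fields for identifier-like strings, because field-level removal alone does not guarantee there is “no reasonable way to trace the data back to an individual.” The field names, the sample record, and the restricted ZIP-prefix set are assumptions made for the example; the identifier categories themselves are HIPAA’s.

```python
import re

# Field names holding direct identifiers under the HIPAA Safe Harbor method.
# These are removed outright. The field names are assumptions for this example;
# the identifier categories (names, SSN, MRN, contact details, account,
# device and biometric identifiers, photos, URLs, IP addresses) are HIPAA's.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "ssn", "mrn", "health_plan_id", "account_number",
    "license_number", "email", "phone", "fax", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo",
}

# Dates tied to the individual are reduced to the year only.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# Three-digit ZIP areas with fewer than 20,000 residents must become "000".
# Placeholder set (assumption); the real list is derived from Census data.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203"}

# Patterns that catch identifiers left behind in free-text fields.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


def generalize_zip(zip_code: str) -> str:
    """Keep only the first three digits, or 000 for sparsely populated areas."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def deidentify(record: dict) -> dict:
    """Return a Safe Harbor style copy of `record` with identifiers removed."""
    over_89 = isinstance(record.get("age"), int) and record["age"] > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # direct identifier: drop the field
        if key in DATE_FIELDS:
            if over_89:
                continue                  # even the year would reveal age > 89
            out[key] = str(value)[:4]     # keep the year only (YYYY-MM-DD input)
        elif key == "zip":
            out[key] = generalize_zip(str(value))
        elif key == "age":
            out[key] = "90+" if over_89 else value
        else:
            out[key] = value              # clinical data is retained
    return out


def residual_identifiers(record: dict) -> list:
    """List (field, kind) pairs for identifier-like strings in free-text values."""
    findings = []
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, pattern in RESIDUAL_PATTERNS.items():
            if pattern.search(value):
                findings.append((key, kind))
    return findings


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "ssn": "123-45-6789",
    "mrn": "MRN-000123",
    "email": "jane.example@example.com",
    "dob": "1931-04-12",
    "age": 94,
    "zip": "02139",
    "diagnosis": "I10",
    "notes": "Reached patient at 617-555-0100 to discuss blood pressure plan.",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned))
```

Run stand-alone, the script prints the cleaned record (no name, SSN, MRN or email; no date of birth because the patient is over 89; age “90+”; ZIP “021”) and then flags the phone number still sitting in the `notes` field. That second step is the point: a record can satisfy the field-level checklist and still carry an identifier in narrative text, which is why de-identification pipelines scan free text as well as structured fields before data is released for secondary use.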