What is protected health information (PHI)?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule uses the term protected health information (PHI) to define the type of patient information that’s protected by law. PHI is an important factor for HIPAA compliance. But what is PHI?

PHI isn’t just confined to medical records and test results. In fact, any information that can identify a patient and is used or disclosed during the course of care is considered PHI. Even if the information by itself doesn’t reveal a patient’s medical history, it is still considered PHI.

Understanding what is considered PHI under HIPAA is important for all providers in order to avoid violations that can result in big fines.

What is considered PHI under the HIPAA Privacy Rule

As we previously mentioned, PHI isn’t just related to medical records or individually identifiable health markers, but can be anything that can identify a patient and is used during the course of his or her care, even just the patient’s name.

PHI can include common identifiable information such as:

  • Name
  • Phone number
  • Email address
  • Street address
  • Address number
  • Zip code
  • Birthdate
  • Social security number
  • Fax numbers
  • License numbers
  • Vehicle identifiers, such as license plate numbers
  • Serial numbers
  • Demographic information
  • Education records
  • Employment records
  • Full face photographic images

There are also other more obvious types of identifiable health information used during the course of a health care service such as:

  • Medical record number
  • Unique identifying number
  • An invoice with billing information
  • An appointment reminder
  • Blood test results
  • Prescription information
  • Beneficiary numbers
  • Health insurance
  • Mental health
  • Health records
  • Health status
  • Oral communications
  • Payment history
  • Account number
  • Family members
  • Discharge date
  • Admission date
  • Biometric identifiers
  • Device identifiers

Any information that can reasonably be used to identify an individual and is used during the course of care is considered PHI.

Examples of data that is NOT considered protected health information

However, not all recorded data and information is considered PHI. Remember the two conditions to consider:

  • Data needs to be personally identifiable to the patient
  • Data must be used by or disclosed to a covered entity during the course of care

This is especially important to remember for healthcare organizations (such as the U.S. Department of Health and Human Services), researchers and vendors who collect data for reports, studies and applications.

For these purposes, data can be de-identified so it can’t be used to identify a patient. HHS even provides guidance on how to de-identify patient data online. This process occurs every day for clinical trials and in the growing consumer health industry.

In fact, a lot of consumer apps don’t even need to be HIPAA compliant because they do not transmit data to a covered entity for patient care.

How to protect PHI

Under the HIPAA Privacy Rule, PHI needs to be protected in all mediums: electronic, paper, and oral. (A common acronym, ePHI, stands for “electronic protected health information.”)

Covered entities (such as doctors’ offices, hospitals, health plans and health care clearinghouses) are all trying to utilize technology to streamline their processes and improve public health and patient care. This makes electronic PHI (ePHI) even more vulnerable to cyberattacks, including the recent rise in ransomware.

The HIPAA Security Rule establishes national standards to protect individuals’ ePHI that is created and used by covered entities. This includes setting requirements for physical, technical and administrative protections.

While covered entities need to ensure physical and administrative safeguards, Paubox makes sure technical safeguards are in place for providers when they communicate electronically. Paubox makes HIPAA compliant email easy for everyone to use and doesn’t require extra steps for the sender or recipient.

Paubox Suite allows patients and medical professionals to exchange PHI securely while using their existing work email accounts. Paubox allows senders to compose and send emails as they normally would and yet enjoy HIPAA compliant encryption. There are no extra clicks, keywords to type, or portals to log in to.

The experience is just as seamless for recipients who don’t have to download software, create an account, or use a portal to view encrypted email or attachments.

Paubox also offers the Paubox Email API, which allows healthcare providers, IT consultants and developers to integrate our seamless and secure email solution into their IT infrastructure.

Try Paubox Email Suite for FREE today.
About the author

Hoala Greevy

Founder of Paubox. Kayak fishing when I can. Native Hawaiian CEO.
