What is PHI in Healthcare?

What is PHI in Healthcare – Overview

Protected Health Information (PHI) is a specific term defined by the Health Insurance Portability and Accountability Act (HIPAA), referring to information that can be used to identify an individual and relates to their health status, provision of health care, or payment for health care services. It is the medical histories, demographic information, mental health conditions, lab/test results, insurance information, and other similar data that a healthcare professional needs to have to ensure prompt and proper healthcare for an individual.

The HIPAA (Health Insurance Portability and Accountability Act) of 1996 is the main law governing the use of, access to, and disclosure of PHI in the US. Under HIPAA regulations, PHI is defined as any information, including demographic data, that relates to an individual’s past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual. This also includes any healthcare provisions for an individual and the payment for providing healthcare to an individual.

HIPAA governs how this data is created, accumulated, assimilated, transmitted, stored, and maintained by any HIPAA-compliant organization. Remember, healthcare deals with sensitive personal information of patients, such as their birthdate, medical conditions, and health insurance claims. In hard copy or electronic health records (EHR), PHI details the patient’s medical history, which lists the illness, treatments, and outcomes.

What is Personal Health Information (PHI)?


HIPAA identifies 18 types of identifiers that, when linked with health information, constitute PHI because they can be used to identify an individual. Some of these identifiers can, on their own, allow an individual patient to be identified, located, and even contacted. Others must be combined with additional information before they identify the patient.

The 18 different information identifiers specified by HIPAA as PHI are:

  1. Name
  2. Address (anything less than the name of the state)
  3. Dates relating to an individual, such as birth date, admission date, etc. (except years)
  4. Phone number
  5. Fax number
  6. Email address
  7. Social security number
  8. Medical record number
  9. Health plan beneficiary number
  10. Account number
  11. Certificate or license number
  12. Vehicle identifiers, such as license plate or serial numbers
  13. Device identifiers, such as serial numbers
  14. Web URL
  15. IP (internet protocol) address
  16. Biometric IDs, such as fingerprints or voiceprints
  17. Full-face photographs and any comparable images
  18. Any other unique identifying aspect

How is PHI Used?

From birth, an individual’s health information that meets PHI criteria can be documented and stored, often within an Electronic Health Record (EHR) system. This may include the baby’s weight, length, body temperature, and childbirth complications. This information is essential for physicians to find the context that is needed to understand a person’s health and make correct treatment decisions.

Clinical researchers and public health professionals may use de-identified PHI, from which the personal identifiers have been removed, to study health trends and outcomes without compromising individual privacy. Researchers can use PHI only after every identifying feature has been removed. This de-identified PHI can then be added to a large database of patient information used by population health management programs.
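The following added example (not from the original article) shows what "removing the identifiers" means in practice for a single patient record: it applies the 18-item list above to a constructed record by dropping direct-identifier fields, reducing dates to the year and the address to the state, redacting identifiers that leak into free-text notes by pattern, and then re-checking the result for anything left behind. Field names, regexes, and the sample record are assumptions made for the demonstration.

```python
import re
from copy import deepcopy

# Structured fields that correspond to direct identifiers in the list above
# (name, phone, fax, email, SSN, record and account numbers, licenses, vehicle
# and device identifiers, URL, IP, biometrics, photo). Constructed field names.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric_id", "photo",
}

# Item 3: dates relating to the individual keep only the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}

# Item 2: address keeps nothing below the state.
ADDRESS_FIELD = "address"

# Identifiers that turn up inside clinical notes and must be found by pattern.
FREE_TEXT_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
    "full_date": re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"),
}


def year_only(value):
    """Generalize an ISO-style date string to its year, or None if no year is found."""
    match = re.match(r"(\d{4})", value)
    return match.group(1) if match else None


def scrub_free_text(text):
    """Replace identifier patterns in free text; full dates keep their year."""
    hits = []

    def make_replacer(label):
        def replace(match):
            hits.append(label)
            return match.group(1) if label == "full_date" else f"[{label.upper()}]"
        return replace

    for label, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(make_replacer(label), text)
    return text, hits


def deidentify(record):
    """Return (cleaned copy, report of actions) for one patient record dict."""
    clean, report = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            report.append(f"removed field {field}")
        elif field in DATE_FIELDS:
            clean[field] = year_only(str(value))
            report.append(f"generalized {field} to year")
        elif field == ADDRESS_FIELD and isinstance(value, dict):
            clean[field] = {"state": value.get("state")}
            report.append("reduced address to state")
        elif isinstance(value, str):
            clean[field], hits = scrub_free_text(value)
            report.extend(f"redacted {hit} in {field}" for hit in hits)
        else:
            clean[field] = deepcopy(value)  # clinical data is kept as-is
    return clean, report


def residual_identifiers(record):
    """List direct-identifier fields or identifier patterns still present anywhere."""
    found = []

    def walk(value, path):
        if isinstance(value, dict):
            for key, inner in value.items():
                if key in DIRECT_IDENTIFIER_FIELDS:
                    found.append(f"{path}{key}")
                walk(inner, f"{path}{key}.")
        elif isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    found.append(f"{path.rstrip('.')}:{label}")

    walk(record, "")
    return found


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "birth_date": "1984-03-12",
    "admission_date": "2023-11-05",
    "address": {"street": "12 Example Rd", "city": "Springfield", "state": "IL", "zip": "62701"},
    "phone": "(555) 010-2222",
    "email": "jane.sample@example.com",
    "mrn": "MRN-0001234",
    "ip_address": "203.0.113.7",
    "diagnosis": "Type 2 diabetes mellitus",
    "lab_results": {"hba1c": 7.2},
    "note": "Pt called from 555-010-2222 on 2023-11-06; contact jane.sample@example.com. SSN 123-45-6789 on file.",
}

if __name__ == "__main__":
    cleaned, actions = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("\n".join(actions))
    print("residual:", residual_identifiers(cleaned))
```

The two-pass design (scrub, then independently re-scan) is the point: the structured-field rules handle what the schema knows about, while the pattern scan catches identifiers that were typed into a note, and running `residual_identifiers` on the output before release turns "we removed the identifiers" into a check that can fail.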

De-identified PHI is also used to develop value-based healthcare models that enhance care quality while controlling costs, without risking patient privacy. It helps healthcare providers deliver high-quality care to patients. At the same time, hackers and other cyber-criminals seek to obtain PHI: it is a treasure trove of personal consumer information that is highly valued on the black market.

Cyber-criminals can also hold PHI hostage through ransomware attacks, forcing a healthcare provider (or organization) to pay for the return of the compromised PHI.

Who Is Covered Under HIPAA Regarding PHI?

Under HIPAA regulations, covered entities are any healthcare provider, health plan, or healthcare clearinghouse that electronically transmits health information in connection with transactions for which HHS has adopted standards; these entities must follow the regulation’s privacy and security rules. The most common covered entities handling PHI are healthcare providers, such as doctors and surgeons, and patients’ insurance providers.

In addition, under HIPAA regulations, a third party that handles PHI on behalf of a covered entity is termed a “business associate” and is likewise required to comply with HIPAA’s rules concerning PHI.

For instance, an HIE (health information exchange) is a service that allows healthcare professionals to access and share a patient’s PHI. Because this involves sharing PHI by electronic transmission, the HIE is a business associate and must comply with HIPAA’s PHI regulations.

The HIPAA Privacy Rule is the main governing regulation for PHI data in the United States and regulates the safe handling of that data. It dictates how hospitals, long-term care facilities, ambulatory service centers, and other healthcare providers use and share patients’ sensitive personal information. This federal framework regulates the collection, sharing, storage, and transmission of PHI anywhere in the US.
