Every time you visit a hospital or a private doctor’s office, you’re asked a variety of personal questions. These can include details about your lifestyle, medical history, address, insurance, and other sensitive information. Naturally, you expect this information to remain confidential under doctor-patient confidentiality. Protected health information (PHI) is exactly that type of data. Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), any information that can identify a patient and relates to their health status, treatment, or payment for healthcare services is considered PHI. Unauthorized disclosure of PHI violates HIPAA’s Privacy and Security Rules and can result in significant fines and penalties for healthcare providers.
When thinking about PHI, consider these questions: How is this data stored and protected? What exactly qualifies as protected health information? And how can healthcare organizations and their business associates ensure patient privacy while remaining compliant with HIPAA?
HIPAA Comes Into Being
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 with two primary objectives:
- Protect healthcare coverage between jobs: In the 1990s, approximately 15% of Americans were uninsured at any given time, while 85% relied on employer-provided healthcare for daily medications and emergency care. Changing jobs could put both a family’s health and finances at risk. HIPAA helped ensure individuals could maintain healthcare coverage during employment transitions.
- Secure patient information: HIPAA also aimed to protect sensitive patient information stored in hospitals and medical records. The law standardized authorization methods to prevent unauthorized access or fraudulent activity. This became increasingly important as medical records transitioned to electronic formats, known as electronic health records (EHRs).
With these goals in place, HIPAA established rules covering implementation, auditing, enforcement, and penalties, all directly tied to the protection of Protected Health Information (PHI). Understanding HIPAA is key to understanding what qualifies as PHI and how it must be safeguarded.
What Is Considered Protected Health Information (PHI)?
Protected Health Information (PHI) includes any information related to your health status, medical records, payment details, and any personal information you provide to a healthcare provider. This data is considered highly sensitive and is protected under HIPAA’s Privacy and Security Rules.
HIPAA breaks PHI down into 18 specific identifiers, known as “PHI markers,” which must be treated with strict confidentiality. These markers cover everything from names, addresses, and dates, to medical record numbers and biometric identifiers. Proper handling of these details is essential for maintaining patient privacy and avoiding compliance violations.

18 Identifiers of Protected Health Information (PHI)
Under HIPAA, any record containing the following identifiers is considered Protected Health Information (PHI). Before healthcare organizations or their business associates exchange health information, which is often necessary, these identifiers must be removed or de-identified to protect patient privacy.
Note: These identifiers apply not only to the patient but also to family members, household members, relatives, and employers connected to the patient.
The 18 PHI Identifiers (Safe Harbor Method)
- Name – Full legal names of patients or associated individuals.
- Geographic Information – Addresses smaller than a state, including street, city, county, precinct, ZIP code, or equivalent geographic codes.
- Exception: The first three digits of ZIP codes can remain if the combined population exceeds 20,000. Otherwise, they must be replaced with “000.”
- All Dates – Birth, death, admission, and discharge dates. Every element of a date except the year must be removed.
- Age Over 89 – Ages over 89, including related dates, must be generalized as “90 or older” to prevent identification.
- Phone Number
- Vehicle Information – Physical descriptors, serial numbers, license plates, etc.
- Fax Number
- Device Identifiers and Serial Numbers
- Email Address
- Web URLs – Any URLs that can identify patients or related individuals.
- Social Security Number
- IP Address
- Medical Record Number
- Biometric Identifiers – Fingerprints, voice patterns, signatures, DNA, etc.
- Health Plan Beneficiary Number
- Full-Face Photographs & Videos – Any images or videos that could identify the patient.
- Account Numbers – Other identifying numbers, characteristics, and codes.
- Exception: Codes unrelated to the patient or that do not compromise patient identity may be used.
- License & Certification Numbers – Professional or organizational identifiers related to the patient.
These 18 identifiers are part of HIPAA’s Safe Harbor Method of de-identification, a standard process that ensures PHI can be shared safely between organizations without revealing the patient’s identity.
De-Identification of Protected Health Information (PHI)
The U.S. Department of Health and Human Services (HHS) provides two official methods for de-identifying Protected Health Information (PHI). Meeting the requirements of either method allows healthcare organizations and their business associates to safely transfer health records without compromising patient privacy.
1. Expert Determination Method
This approach relies on statistical analysis and accepted scientific principles to ensure that the risk of identifying a patient is statistically insignificant. It considers one or a combination of health identifiers to verify that the patient cannot reasonably be recognized.
Healthcare organizations must have expertise in these principles and knowledge of the 18 PHI identifiers to perform this analysis. HHS also requires that organizations document their procedures and justify how the analysis ensures safe information exchange.
2. Safe Harbor Method
The Safe Harbor Method involves removing all 18 PHI identifiers from any records exchanged, covering both the patient and related individuals. Additionally, the organization or business associate transferring the information must not have knowledge of any method that could be used to identify the patient.
Both methods ensure that health records can be shared for legitimate purposes while remaining compliant with HIPAA’s Privacy and Security Rules.
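As an added illustration, not code from the page or from RSI Security, the following Python applies the Safe Harbor rules listed above to a constructed patient record: it drops the direct identifiers and sub-state geography, keeps only the year of each date, generalizes ages over 89 to “90 or older”, and applies the ZIP-code population exception. The field names and the ZIP3 population table are assumptions made for this example.

```python
import re

# Assumed flat record layout (constructed for this example, not from the page).
# Safe Harbor identifier categories that are dropped outright.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle", "device_serial",
    "url", "ip_address", "biometric", "photo",
    "street", "city", "county", "precinct",  # geography smaller than a state
}
DATE_KEYS = {"birth_date", "death_date", "admission_date", "discharge_date"}
ISO_DATE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")

def generalize_zip(zip_code, zip3_population):
    """Keep the first three ZIP digits only if that 3-digit area holds more
    than 20,000 people; otherwise replace them with '000'."""
    zip3 = zip_code[:3]
    return zip3 if zip3_population.get(zip3, 0) > 20000 else "000"

def generalize_date(value):
    """Reduce an ISO date (YYYY-MM-DD) to its year."""
    match = ISO_DATE.match(value)
    if not match:
        raise ValueError(f"unexpected date format: {value!r}")
    return match.group(1)

def safe_harbor_deidentify(record, zip3_population):
    """Return a copy of `record` with the 18 Safe Harbor identifiers removed
    or generalized. Fields not named above (state, diagnosis, ...) pass through."""
    over_89 = record.get("age") is not None and record["age"] > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value, zip3_population)
        elif key in DATE_KEYS:
            # A birth year reveals an age over 89, so it is dropped as well.
            if key == "birth_date" and over_89:
                continue
            out[key.replace("_date", "_year")] = generalize_date(value)
        elif key == "age":
            out["age"] = "90 or older" if over_89 else value
        else:
            out[key] = value
    return out
```

The population table is the only external input: in practice it comes from the current census figures for 3-digit ZIP areas, and a missing entry is treated as a small area so the default is the conservative “000”.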
Healthcare Organizations and Business Associates of HIPAA-Covered Entities
HIPAA protection extends beyond the healthcare organization itself, covering the exchange of Protected Health Information (PHI) with business associates. Even after PHI leaves the hands of the healthcare provider, the organization remains legally responsible for its security.
To comply with HIPAA, healthcare organizations often require their business associates, such as billing companies, IT service providers, or third-party vendors, to follow the same security frameworks and organizational practices. This ensures consistent protection of PHI throughout its lifecycle, reducing the risk of unauthorized access or compliance violations.
HITECH: HIPAA’s Partner in Protecting PHI
Before 2009, HIPAA’s protections for Protected Health Information (PHI) did not fully extend to the business associates of covered entities. HIPAA’s mandates applied only to HIPAA-covered entities, relying on good faith from external partners. This left gaps in the protection of sensitive health information.
To address these gaps, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 was enacted. HITECH strengthened HIPAA by modernizing policies, closing loopholes, and reinforcing the security of patient records.
The primary purposes of HITECH include:
- Adoption of Electronic Health Records (EHRs): HIPAA, created in 1996 during the early dot-com era, encouraged the use of emerging computer technologies. By 2009, digitization of health records became essential for U.S. healthcare to keep pace with global standards.
- Closing HIPAA Loopholes: HIPAA did not fully hold business associates to the same compliance standards. HITECH reinforced HIPAA’s language, made data breaches publicly reportable, and required stricter security protocols.
- Strengthening Penalties for Noncompliance: HITECH established tougher penalties for organizations that failed to comply with HIPAA rules and empowered the Office for Civil Rights (OCR) to enforce them. Previously, some violations carried minimal consequences, reducing incentives for healthcare organizations to update internal policies.

Rise of Electronic Health Records (EHRs) and ePHI
One of the most significant impacts of the HITECH Act was the rapid adoption of electronic health records (EHRs). Before HITECH, only about 10% of hospitals and healthcare providers had adopted EHR systems.
To put this in perspective, the first iPhone was released in 2007, giving people internet access in their pockets, while the majority of hospitals were still manually recording and filing patient information.
HITECH’s stricter penalties and incentives accelerated adoption, and by 2017, 86%–96% of hospitals had implemented EHRs. This shift not only improved patient care and record accuracy but also reinforced the protection of ePHI under HIPAA regulations.
Tougher Penalties for HIPAA Violations
One of HITECH’s most significant impacts was strengthening penalties for HIPAA violations. Before HITECH, healthcare organizations could claim ignorance and be fined as little as $100 per violation, with a maximum of $25,000. Business associates, in many cases, could avoid penalties entirely. Limited funding from the Department of Health and Human Services (HHS) further allowed some organizations to escape consequences.
HITECH transformed this landscape by allocating $25 billion to enforce HIPAA compliance, close loopholes, and ensure that both healthcare organizations and their business associates faced real financial and legal consequences for mishandling Protected Health Information (PHI). This created a strong incentive for organizations to adopt robust security measures and protect patient data effectively.
HITECH’s Four-Tiered Penalty System for HIPAA Violations
HITECH introduced a four-tiered penalty system for HIPAA violations, designed to scale fines based on an organization’s level of awareness and response to compliance issues. Penalties are determined by whether the organization exercised due diligence and corrected violations promptly, or if there was willful neglect.
Tier 1 – Unaware with Prompt Correction
If a healthcare organization or business associate was unaware of the violation and could not have reasonably known, but corrects the issue within 30 days:
- $100 – $50,000 per violation
- $1.5 million maximum per year
Tier 2 – Reasonable Cause
If there is reasonable cause that the organization could have known about the violation with due diligence:
- $1,000 – $50,000 per violation
- $1.5 million maximum per year
Tier 3 – Willful Neglect, Corrected Promptly
If the organization was aware of the violation but corrected it within 30 days:
- $10,000 – $50,000 per violation
- $1.5 million maximum per year
Tier 4 – Willful Neglect, No Correction
If the organization knowingly violated HIPAA rules and takes no corrective action:
- $50,000 per violation
- $1.5 million maximum per year
This tiered system incentivizes proactive compliance and ensures that organizations handling Protected Health Information (PHI) take violations seriously.
HIPAA Privacy Rule and Security Rule
Protected Health Information (PHI) is the core focus of both the HIPAA Privacy Rule and Security Rule. Together, these rules provide healthcare organizations with guidelines for safeguarding PHI and ensuring compliant operations.
HIPAA Security Rule
The Security Rule requires healthcare organizations to implement administrative, physical, and technical safeguards that meet national standards. It also mandates risk assessments and risk management practices to prevent unauthorized access or compromise of PHI.
HIPAA Privacy Rule
The Privacy Rule governs the use and disclosure of PHI and ePHI, ensuring patient information is handled appropriately. It establishes regulations around medical records, including all 18 PHI identifiers, to protect patient privacy and maintain compliance.
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule, strengthened by HITECH, provides strict guidelines for healthcare organizations when Protected Health Information (PHI) is exposed in a data breach.
Under this rule, organizations must promptly notify:
- Affected individuals whose PHI has been compromised.
- Media outlets if the breach affects a large number of individuals.
These requirements ensure transparency, maintain patient trust, and hold organizations accountable for protecting sensitive health information. Compliance with the Breach Notification Rule is a critical component of HIPAA and HITECH enforcement.

What Health Information Is Not Considered PHI
Not all health information qualifies as Protected Health Information (PHI). For example, wearable devices and mobile applications that track biometrics such as heart rate, blood pressure, or activity levels do not fall under HIPAA protections unless the company is a HIPAA-covered entity or a business associate of one.
Instead, these companies regulate the use of your health data through their Terms of Service, specifying how your personal information can be collected, stored, and shared. Users should carefully review these terms to understand their data privacy rights.
Is Your Organization Protecting PHI?
To ensure your systems effectively safeguard electronic Protected Health Information (ePHI), your organization must be fully HIPAA and HITECH compliant. Compliance is critical to avoiding the substantial fines and penalties associated with the Privacy Rule, Security Rule, Enforcement Rule, and Breach Notification Rule.
Partnering with experts, such as RSI Security, can help your organization implement robust security measures, maintain compliance, and protect sensitive patient data against breaches and unauthorized access.
Sources:
United States Census Bureau. Health Insurance Coverage: 1995. https://www.census.gov/library/publications/1996/demo/p60-195.html
HHS. Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html#coveredentities
HIPAA Journal. What is the HITECH Act? https://www.hipaajournal.com/what-is-the-hitech-act/
HIPAA Journal. What are the Penalties for HIPAA Violations? https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/
HHS. The Security Rule. https://www.hhs.gov/hipaa/for-professionals/security/index.html
HHS. The HIPAA Privacy Rule. https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
HHS. HITECH Breach Notification Interim Final Rule. https://www.hhs.gov/hipaa/for-professionals/breach-notification/laws-regulations/final-rule-update/hitech/index.html