What Is PHI (Protected Health Information)?
PHI is any individually identifiable health information transmitted or maintained by a HIPAA covered entity or business associate, in any form or medium, that relates to a person's past, present, or future physical or mental health, treatment, or payment for care.
Also known as: Protected Health Information; Individually Identifiable Health Information
Definition
Defined at 45 CFR 160.103, PHI includes the 18 HIPAA identifiers when they are linked to health information: name; geographic subdivisions smaller than a state (street address, city, county, ZIP code); all elements of dates (except year) directly related to an individual; phone number; fax number; email address; Social Security number; medical record number; health plan beneficiary number; account number; certificate or license number; vehicle identifier; device identifier; URL; IP address; biometric identifier; full-face photo; and any other unique identifying number or characteristic. PHI in any form (paper, electronic (ePHI), or oral) is regulated. Data de-identified under the Safe Harbor or Expert Determination method (45 CFR 164.514) is no longer PHI.
Example
A claim file containing a patient's name, date of service, ICD-10 diagnosis code, and CPT procedure code is PHI. A spreadsheet holding only the first three digits of the ZIP code (ZIP3), age in years, and aggregate claim counts may qualify as de-identified under Safe Harbor and is then not PHI.
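As an added illustration of the Safe Harbor method described above (this code is not part of the glossary or of any MedPrecision product), the Python below applies the identifier removals to a constructed claim record, including two details of 45 CFR 164.514(b)(2) the entry does not spell out: ages over 89 collapse to "90+", and a ZIP3 prefix covering 20,000 or fewer people is recorded as 000. The field names, the SMALL_ZIP3 set, and the sample record are assumptions made for the example.

```python
from datetime import date

# Identifier fields Safe Harbor removes outright (name, sub-state address parts,
# contact details, SSN, MRN, plan/account numbers, licence, VIN, device id, URL,
# IP address, biometrics, photos). Field names are assumed for this example.
DROP = {"name", "street", "city", "phone", "fax", "email", "ssn", "mrn",
        "member_id", "account_no", "license_no", "vin", "device_id",
        "url", "ip", "biometric", "photo"}
# ZIP3 prefixes with 20,000 or fewer residents must be reported as 000.
# Constructed list; the real set comes from Census data.
SMALL_ZIP3 = {"036", "059", "102"}

def deidentify(rec: dict, asof: date = date(2024, 6, 1)) -> dict:
    """Return a copy of rec with the 18 HIPAA identifiers removed or reduced."""
    out = {}
    for key, val in rec.items():
        if key in DROP:
            continue                          # drop the element entirely
        if key == "zip":
            z3 = str(val)[:3]                 # keep ZIP3 only
            out["zip3"] = "000" if z3 in SMALL_ZIP3 else z3
        elif isinstance(val, date):
            out[key + "_year"] = val.year     # keep only the year of any date
        else:
            out[key] = val                    # ICD-10/CPT codes, amounts, etc.
    if isinstance(rec.get("dob"), date):
        dob = rec["dob"]
        age = asof.year - dob.year - ((asof.month, asof.day) < (dob.month, dob.day))
        if age > 89:                          # ages over 89 collapse to "90+"
            out["age"] = "90+"
            out.pop("dob_year", None)         # birth year would reveal the age
        else:
            out["age"] = age
    return out

def is_phi(rec: dict) -> bool:
    """Heuristic: True if a known identifier field or a full date is still present."""
    return any(k in DROP or k == "zip" or isinstance(v, date)
               for k, v in rec.items())

# Constructed sample claim line (not real patient data)
CLAIM = {"name": "Jane Q. Sample", "mrn": "MRN-000123", "zip": "02139",
         "dob": date(1931, 2, 14), "date_of_service": date(2024, 3, 9),
         "icd10": "E11.9", "cpt": "99213", "amount": 142.50}

if __name__ == "__main__":
    print(is_phi(CLAIM), deidentify(CLAIM))
```

The is_phi check only recognises the field names it knows about, so it is a guard against re-introducing identifiers into a known schema, not a substitute for Expert Determination on free-text or unfamiliar data.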
Common Misconceptions
PHI is not the same as 'medical records.' A bill, an EOB, an appointment confirmation text, and even an email subject line referencing a patient's appointment can all be PHI. Conversely, employer-held health information (in employment records) and FERPA-covered student health records are explicitly excluded from PHI.
Practical Application
Billing teams must apply the Minimum Necessary Rule to every PHI access — only the data needed for the specific task. Common audit failures include sending claims via unencrypted email, including full PHI in support-ticket screenshots, and sharing patient lists in unsecured shared drives.
Related Terms
HIPAA
HIPAA is the 1996 federal law that establishes national standards for protecting the privacy and security of individually identifiable health information held by covered entities and their business associates.
HITECH Act
HITECH is the 2009 federal law that strengthened HIPAA by extending direct liability to business associates, increasing breach notification requirements, and creating tiered civil monetary penalties for HIPAA violations.
Minimum Necessary Rule
The Minimum Necessary Rule, codified at 45 CFR 164.502(b) and 164.514(d), requires covered entities and business associates to limit uses, disclosures, and requests of PHI to the minimum necessary to accomplish the intended purpose.
Business Associate Agreement (BAA)
A Business Associate Agreement is a HIPAA-required written contract under 45 CFR 164.504(e) between a covered entity and any vendor that creates, receives, maintains, or transmits PHI on its behalf, establishing the vendor's permitted uses, safeguards, and breach notification obligations.