Protected Health Information (PHI) is patient data regulated and protected under HIPAA security standards.
Protected Health Information (PHI) includes any personal details that identify an individual plus their medical history or treatment plan. When healthcare providers or their business partners store plus transmit this data digitally through cloud databases or electronic health records, it is known as Electronic Protected Health Information (ePHI). Both formats fall under the protection of federal regulations to ensure patient privacy remains a top priority across all platforms.
The HIPAA Privacy Rule and HIPAA Security Rule provide the legal framework for managing these records. While HIPAA sets the baseline for privacy, the HITECH Act introduced stricter technical requirements for digital data. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces these standards to hold organizations accountable for how they handle sensitive patient information. This oversight ensures that your medical data stays secure while allowing for efficient healthcare operations.
Who Qualifies as a HIPAA Covered Entity?
Covered entities under HIPAA include three main groups:
- Health plans – such as insurance companies, HMOs, employer health plans, and government programs like Medicare and Medicaid.
- Healthcare clearinghouses – organizations that process or translate health information from one format to another, often acting as intermediaries between providers and payers.
- Healthcare providers – including doctors, clinics, hospitals, pharmacies, dentists, and other practitioners, but only if they transmit health information electronically in connection with certain transactions as defined by HHS.
These covered entities are subject to HIPAA’s requirements for protecting and managing PHI. However, covered entities are not alone in bearing HIPAA responsibilities. Business associates also have specific responsibilities for protecting PHI and meeting HIPAA requirements.
Business Associates and PHI: Obligations, Risks, and Requirements
A business associate is any individual or organization that performs services on behalf of a covered entity and, in doing so, creates, receives, maintains, or transmits PHI. Business associates are directly bound by the HIPAA Privacy and Security Rules and can be held liable for violations, even independent of the covered entity they serve.
Who Qualifies as a Business Associate?
Business associates include a wide range of vendors and service providers, such as:
- Healthcare IT vendors and software developers building EHR, billing, or practice management platforms
- Cloud storage and hosting providers (e.g., AWS, Microsoft Azure, Google Cloud) that store ePHI
- Third-party billing and coding companies
- Legal, accounting, and consulting firms that access PHI in their work
- Health information organizations and personal health record vendors
- Data analytics and business intelligence platforms processing patient data
- Communication solution providers (secure messaging, telehealth, patient portals)
Business Associate Agreements (BAAs)
Any covered entity that shares PHI with a business associate must execute a Business Associate Agreement (BAA) prior to exchanging protected data. The BAA is a legally binding contract that:
- Specifies how the business associate may use and disclose PHI
- Requires the business associate to implement appropriate safeguards
- Mandates reporting of security incidents and breaches to the covered entity
- Establishes data return or destruction procedures upon contract termination
- Requires the business associate to ensure any subcontractors also comply with HIPAA
Healthcare IT vendors, partners, and business associates of healthcare providers must sign BAAs to clarify how PHI is being safeguarded under HIPAA. Operating without a BAA exposes both parties to significant regulatory and financial risk.
How PHI and HIPAA Compliance Applies to Software Vendors
Software vendors that build products used by healthcare organizations, such as CRMs, communication platforms, productivity suites, or data analytics tools must follow HIPAA requirements when their software touches patient data. This includes:
- Technical safeguards: Role-based access controls, encryption at rest and in transit, audit logging, and automatic session timeout (automatic logoff) on devices that access ePHI.
- Physical safeguards: Protections for servers, data centers, and any hardware that stores or processes PHI.
- Administrative safeguards: Administrative policies and workforce training to ensure staff handling PHI understand their obligations.
- Breach response: Defined procedures for detecting, reporting, and mitigating PHI breaches, including notification to covered entities within required timeframes.
Cloud providers such as Amazon Web Services (AWS) define responsibilities for both parties under a shared responsibility model and provide a Business Associate Agreement (BAA) to formalize HIPAA obligations. Vendors should thoroughly review these agreements and ensure their architecture and operations align with both their own BAA obligations and the shared responsibility model.
Why Covered Entities Must Monitor Business Associate Compliance
Keeping an eye on business associates’ HIPAA compliance is more than just good practice. If a healthcare organization partners with an outside vendor to handle PHI and that vendor fails to meet HIPAA requirements, the covered entity may still face penalties if it knew or should have known about compliance lapses and failed to act.
Monitoring practices, periodic risk assessments, and maintaining open communication with business associates help ensure everyone is upholding their responsibilities. This proactive approach reduces legal exposure and demonstrates due diligence if an incident occurs.
What Are the 18 HIPAA Identifiers of Protected Health Information?
Health information connected to personally identifiable information must be safeguarded and comply with HIPAA guidelines.
The HIPAA Privacy Rule defines 18 specific identifiers that constitute personally identifiable information. If health information is associated with any of these identifiers, it is considered PHI and subject to HIPAA protections:
- Name
- Address (all geographic subdivisions smaller than state, including street address, city, county, and ZIP code)
- All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security Number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate or license number
- Vehicle or device serial numbers
- Web URLs
- Internet Protocol (IP) addresses
- Finger or voice prints
- Photographic images (not limited to images of the face)
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
Information containing any of these identifiers, or partial identifiers such as initials, is considered “identified” and is subject to HIPAA requirements. Data is only considered “de-identified” when all 18 identifiers are removed. However, simply removing these identifiers may not guarantee complete anonymity. Since the original list was established, new methods of re-identification have emerged – including social media handles, behavioral patterns, and contextual clues. Organizations must carefully examine data sets before disclosing de-identified data, especially to third parties such as researchers.
Is a Patient’s Treatment Information Protected When Shared with an Employer?
The protection of health information shared between a medical professional and an employer depends on the situation and applicable consent.
In most cases, a medical professional cannot discuss a patient’s treatment details with the patient’s employer without explicit patient authorization. Exceptions exist under the Privacy Rule for disclosures strictly related to workplace injuries or illnesses requiring documentation for state workers’ compensation programs or OSHA compliance. In these limited cases, only the minimum necessary information may be disclosed.
Permissible Uses and Disclosures of PHI Under the HIPAA Privacy Rule
The HIPAA Privacy Rule outlines how PHI can be used or shared. In most scenarios, organizations and their business associates are permitted to use or disclose PHI without patient authorization only for purposes related to treatment, payment, or healthcare operations:
- Treatment: Sharing PHI among providers for the provision or coordination of patient care.
- Payment: Using PHI to bill and collect payment from patients, insurance companies, or other payers.
- Healthcare Operations: Activities like quality assessment, credentialing, auditing, and business management.
Additional circumstances where PHI can be disclosed without authorization include when required by law, for public health activities, or in response to court orders or subpoenas – always with proper safeguards in place.
Is My Data Protected Health Information?
If a device or application stores, records, or transmits personally identifiable health data to a covered entity, it is PHI and must be handled in a HIPAA-compliant manner.
If your organization does not plan to interact with a covered entity, HIPAA regulations generally do not apply (example: a consumer step-tracking app). However, if your organization plans to interact with EHR systems, healthcare providers, or other healthcare stakeholders, or if you build software such as CRMs, communication solutions, or productivity tools that interact with patient data, your organization must manage data in a HIPAA-compliant manner.
Not all health information is automatically PHI under HIPAA. The determining factor is whether the data is connected to a covered entity or used on behalf of one. Personal health device developers and wellness app vendors generally fall outside HIPAA’s scope unless they are specifically contracted by or providing services for a covered entity or business associate. However, organizations that experience a breach of unsecured health data may still be required to comply with the Health Breach Notification Rule under Section 5 of the Federal Trade Commission Act.
PHI Examples: What Qualifies and What Doesn’t
Examples of Protected Health Information (PHI)
- Patient-provider communications: Messages sent between patients and healthcare providers.
- Test and lab results: Data or applications that share results with healthcare entities.
- Wearable devices: Devices provided by healthcare providers or where data is shared with covered entities.
Examples of Data That is NOT Protected Health Information (PHI)
- Fitbit step data: Fitness data collected for personal use with no connection to a covered entity.
- Personal health records: Health records that will not be shared with healthcare providers, health plans, or other covered entities.
- Meal tracking: Personal tracking of behavior or habits unconnected to a covered entity.
Requirements Around Protected Health Information (PHI)
The Minimum Necessary Standard
The minimum necessary standard is a cornerstone of HIPAA compliance, requiring that organizations use or disclose only the least amount of PHI needed to accomplish a given task. While pivotal for patient privacy, over-applying the standard can hinder essential communication or conflict with other HIPAA obligations. Striking the right balance ensures healthcare teams can provide quality care without putting sensitive information at unnecessary risk.
How State Laws Interact with HIPAA
HIPAA is not always the final word on privacy and security of PHI. In many cases, state laws may set stricter standards or provide greater rights to individuals. When state regulations set stricter protections, those state laws take precedence. Organizations handling PHI, such as business associates and software vendors must stay aware of both federal and state requirements and apply all applicable safeguards and protections related to privacy and security.
Data Backup, Emergency Mode, and Disaster Recovery Plans
Under the HIPAA Security Rule, organizations are required to have safeguards that protect the ongoing confidentiality, integrity, and availability of ePHI. This applies to both covered entities and business associates. Comprehensive backup and recovery strategies are essential for ensuring patient data can be quickly restored in emergency situations:
- Data backup: Ensures copies of patient information exist in secure locations and can be restored if the original data is lost or compromised.
- Emergency mode operations plans: Provide step-by-step instructions for keeping critical systems running during a crisis.
- Disaster recovery plans: Set the blueprint for returning to normal operations after incidents, minimizing downtime and protecting patients’ interests.
Access Controls for IT Systems
Healthcare organizations and business associates must implement access controls standards to protect patient data. All entities handling protected health information must implement unique user identification to track activity within electronic systems. Authentication methods should utilize strong passwords and encrypted transmission. Role-based access control should restrict user access to just data and services relevant to specific job functions.
Automatic Logoff for Devices Accessing ePHI
The HIPAA Security Rule also requires teams to implement automatic logoff where applicable (addressable). This functionality provide an extra layer of defense for ePHI by ensuring access is restricted when a device is left idle. This is especially critical in busy clinical settings and applies equally to business associate systems and third-party vendor platforms that access ePHI. Healthcare teams, business associates, and software vendors should implement automatic logoff, alongside strong authentication – such as unique user IDs and complex passwords.
Breach Notification Requirements
HIPAA has specific breach notification requirements for cases where protected health information (PHI) is unintendedly disclosed. Covered entities and business associates must have documentation and processes in place for notifying affected individuals in a timely manner and notifying OCR, if a security breach occurs. Organizations should consider adopting appropriate administrative policies and procedures that include an Incident Response Plan and Breach Policy.
Individual Rights Under the HIPAA Privacy Rule
The HIPAA Privacy Rule grants patients several important rights regarding their PHI:
- Right to access: Patients can request copies of their medical records and other health information maintained by a covered entity or business associate.
- Right to amend: Patients can request corrections or amendments to errors or incomplete details in their records.
- Accounting of disclosures: Patients can request a record of when and why their PHI was shared with others, excluding disclosures for treatment, payment, or healthcare operations.
Covered entities and their business associates must respond to these requests within specific timeframes (typically 30 days). Failure to fulfill these obligations can trigger OCR investigations and significant penalties.
Procedures for Responding to HIPAA Rights Requests
Teams should establish clear procedures for handling patient requests and fulfilling requirements of the HIPAA Privacy Rule. Organizations need a reliable way to confirm a patient’s identity before releasing information, preventing unauthorized access and minimizing breach potential. Staff must understand how to review and respond to unique circumstances, such as when a confidentiality request conflicts with other healthcare obligations. This applies to both covered entities and business associate organizations that may receive or process such requests.
Authorization Forms and §164.508 of the Privacy Rule
Authorization forms serve as a crucial safeguard for patient privacy. When these forms meet required standards and contain all core elements, clear language, and proper completion, they provide legal permission to use or disclose PHI as specified by patients. If any element is missing or unclear, the authorization is not valid, and sharing PHI based on that document would constitute a HIPAA violation. Organizations must retain completed authorization forms for no less than six years.
Securing Protected Health Information (PHI)
Adopt Administrative Policies Designed Around Your Organization
Healthcare teams and business associates should adopt a set of HIPAA administrative policies and procedures based on their organization structure, technologies, and general operations. Policies should be written in plain-English, address applicable HIPAA Security Rule and HIPAA Privacy Rule, and focus on realistic rather than aspirational standards.
Implement HIPAA Technical Safeguards & Compliant Infrastructure
Healthcare teams and business associates should implement appropriate technical safeguards across IT environments. Safeguards and internal controls around encryption, access control, disaster recovery must be applied to all resources that come into contact with PHI. Ensure that you have signed a business associates’ agreement (BAA) with all vendors and IT infrastructure providers that will store, transfer, or process protected health information (PHI). Software platforms such as Dash ComplyOps can help teams build a robust compliance roadmap, implement technical controls, and maintain HIPAA/HITECH compliance.
Provide Security Training for Your Workforce to Understand HIPAA and PHI
Healthcare teams and business associates should provide HIPAA security awareness training to all team members, clinical and non-clinical.
Organizations must regularly train all workforce members on what constitutes PHI, including real-world examples from day-to-day scenarios (on an annual basis or sooner). Training should clarify that non-medical staff such as billing, IT, and administrative personnel may encounter or process PHI and are equally bound by HIPAA obligations. This is just as relevant for business associate organizations as it is for covered entities. Training should address both federal HIPAA rules and applicable state privacy laws.
Common Misconceptions About PHI
There has been some confusion around the definition of PHI and overall requirements across HIPAA rules. Key definitions and requirements are spread across several sections documents the HIPAA Security Rule (45 CFR §160 and 45 CFR §164 Subparts A and C) and the HIPAA Privacy Rule (45 CFR §164.501). This makes it challenging for organizations, developers, and legal teams to determine exactly what data qualifies.
There is also frequent overlap between PHI, Personally Identifiable Information (PII), and Individually Identifiable Health Information (IIHI). While related, HIPAA treats these differently depending on context and usage. Without a clear at-a-glance checklist in the regulations, many explanations oversimplify or miss important nuances.
The Risks of Misunderstanding PHI
Failing to clearly understand what data qualifies as PHI can have significant consequences:
- Unintentional exposure, mishandling, or improper sharing of sensitive data can lead to HIPAA violations, OCR investigations, steep fines, and reputational damage.
- Lack of security roles and internal controls can disrupt overall operations and restrict how teams provide patient care.
- For business associates and software vendors, misclassifying PHI can result in inadequate contractual protections, BAA violations, and downstream liability for their covered entity customers.
The key takeaway: It is critical to identify and set appropriate protections for how PHI is handled and how it applies to your role as a covered entity, business associate, or software vendor.
Need Help With HIPAA Compliance?
Navigating complex healthcare regulations such as HIPAA/HITECH feels overwhelming for many expanding healthcare organizations, software companies, and startups. Dash ComplyOps simplifies this journey by providing gap assessment services and security modules for automating policy creation, technical control implementation, operational tasks, and risk management.
Learn how Dash can accelerate your path to a robust HIPAA security program. Discover how teams streamline healthcare data protection and build for sustainable compliance with Dash ComplyOps.
