PHI (Protected Health Information)
Learn what PHI (Protected Health Information) is, who must protect it under HIPAA, and key safeguards for health data. November 2025.
PHI (Protected Health Information): Health Data Subject to HIPAA
What is PHI?
Protected Health Information (PHI) is health or medical data that can identify an individual, and it is protected under HIPAA (the U.S. Health Insurance Portability and Accountability Act). PHI includes any personal medical or healthcare information tied to an identifiable person. Examples of PHI are a patient’s name, address, birth date or Social Security number combined with health details (diagnoses, test results, treatment records, insurance claims, etc.). A hospital bill or lab report with patient identifiers is PHI, because it contains health data linked to an individual. By contrast, fully anonymized or aggregate health statistics are not PHI, since they cannot identify anyone.
Who must protect PHI?
Covered entities (healthcare providers, insurers, clinics) and their business associates (vendors handling health data) must follow HIPAA rules. Any system storing or processing PHI – including data warehouses and analytics platforms – must implement HIPAA safeguards. These include administrative controls (policies, staff training), physical controls (secure facilities), and technical controls (access controls, encryption, audit logging).
Identifiers
HIPAA specifies 18 types of identifiers (names, contact information, Social Security numbers, medical record numbers, etc.). If health data is linked to any such identifier, it is PHI. For example, a dataset of vital signs becomes PHI if it includes patient IDs or names; the same dataset with every identifier removed is de-identified data rather than PHI.
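The linkage rule above (health data plus any identifier equals PHI) is easy to encode as a check, and the same logic drives de-identification. The following is an added example, not code from the original page or from any HIPAA tooling. It assumes a flat dictionary record, uses its own field names (`mrn`, `vitals`, `notes` and so on), covers only a subset of the 18 identifier categories, and applies two Safe Harbor date rules (keep only the birth year; aggregate ages of 90 and over into one bucket). The regular expressions for identifiers that leak into free-text notes are deliberately simple placeholders, not a complete scrubber.

```python
"""Classify records as PHI and apply a partial Safe Harbor de-identification.
Added example; field names and patterns are this example's own conventions."""

import re
from datetime import date

# Subset of HIPAA identifier categories, keyed by the field names this
# example assumes a record uses (assumption: naming is ours, not HIPAA's).
IDENTIFIER_FIELDS = {
    "name", "address", "phone", "email", "ssn", "mrn",
    "birth_date", "ip_address", "photo", "device_serial",
}

# Fields that carry health information (assumption: naming is ours).
HEALTH_FIELDS = {"diagnosis", "lab_results", "vitals", "treatment", "claims"}

# Identifiers that commonly leak into free-text notes (placeholder patterns).
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
}


def find_leaked_identifiers(text: str) -> dict:
    """Return {kind: [matches]} for identifier patterns found in free text."""
    return {kind: pat.findall(text)
            for kind, pat in LEAK_PATTERNS.items() if pat.search(text)}


def is_phi(record: dict) -> bool:
    """A record is PHI when health data is linked to at least one identifier,
    whether that identifier sits in a structured field or inside the notes."""
    has_identifier = any(record.get(f) for f in IDENTIFIER_FIELDS)
    notes = record.get("notes")
    leaked = isinstance(notes, str) and bool(find_leaked_identifiers(notes))
    has_health_data = any(record.get(f) for f in HEALTH_FIELDS)
    return (has_identifier or leaked) and has_health_data


def deidentify(record: dict, today: date) -> dict:
    """Drop identifier fields, keep only the birth year (or a 90+ bucket for
    ages of 90 and over), and redact leaked identifiers from notes.
    Returns a new dict; `today` is passed in so results are reproducible."""
    out = {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}
    birth = record.get("birth_date")
    if birth:
        born = date.fromisoformat(birth)
        age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
        if age >= 90:
            out["age_bucket"] = "90+"   # year itself would reveal the age
        else:
            out["birth_year"] = born.year
    if isinstance(out.get("notes"), str):
        text = out["notes"]
        for kind, pat in LEAK_PATTERNS.items():
            text = pat.sub(f"[{kind.upper()} REDACTED]", text)
        out["notes"] = text
    return out


# Constructed sample record; every value here is made up for the example.
SAMPLE = {
    "name": "Jane Doe",
    "mrn": "MRN-000123",
    "birth_date": "1985-04-12",
    "vitals": {"hr": 72, "bp": "118/76"},
    "notes": "Patient callback 555-867-5309, confirm SSN 123-45-6789.",
}

if __name__ == "__main__":
    print("PHI before:", is_phi(SAMPLE))
    clean = deidentify(SAMPLE, date(2025, 11, 1))
    print("PHI after:", is_phi(clean))
    print(clean)
```

Note the second reason the check scans `notes`: a dataset whose structured identifier columns were dropped is still PHI if a clinician typed a phone number or SSN into a comment field, which is where real de-identification efforts most often fail.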
