What is PHI?

PHI stands for Protected Health Information and encompasses all information acquired during health care services that could potentially be used to identify an individual. PHI does not only include medical records, but also communications between medical personnel regarding treatment, billing information and health insurance reports.

For information to be formally considered PHI under the law, it must be created, received, stored, or transmitted by HIPAA-covered entities. Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities are limited in the types of PHI they can collect from individuals, share with other organizations or use in marketing. HIPAA-covered entities include healthcare providers, insurance providers, healthcare clearinghouses and their business associates who have access to PHI. These entities must implement guidelines to protect against the unauthorized disclosure or destruction of PHI as required by the HIPAA Privacy Rule.

PHI is also a commodity and is valuable to clinical and scientific researchers when anonymized, as it can be used in observational studies. However, PHI can be very attractive to hackers, since it can be illegally sold online or targeted as part of a ransomware attack.

PHI does not include education record information or data used by healthcare entities in their role as employers. In total, there are 18 unique identifiers considered to be PHI (for more information on the 18 identifiers, visit https://www.hipaajournal.com/what-does-phi-stand-for/):

  • Names
  • Geographic data
  • All elements of dates
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plates
  • Device identifiers and serial numbers
  • Web URLs
  • Internet protocol addresses
  • Biometric identifiers (e.g. retinal scan, fingerprints)
  • Full face photos and comparable images
  • Any unique identifying number, characteristic, or code