Protected Health Information
Definition
Protected Health Information, often abbreviated as PHI, is individually identifiable health information that is created, received, maintained, or transmitted by a HIPAA covered entity or business associate acting on its behalf. Under HIPAA, PHI includes information that relates to a person’s past, present, or future physical or mental health, healthcare services, or payment for care when it can reasonably identify the individual. This may include names, contact details, medical record numbers, diagnosis information, treatment notes, lab results, insurance information, appointment records, billing data, device identifiers, or other data points connected to a healthcare context. PHI can exist in paper files, electronic systems, emails, images, call recordings, forms, backups, analytics exports, and support tickets. Similar concepts appear in other privacy and data protection frameworks as health data, special category data, sensitive personal information, or regulated personal data. From a GRC perspective, PHI requires strong safeguards across access control, encryption, retention, audit logging, vendor oversight, incident response, and workforce training.
Real-World Examples
Patient Portal Record
A digital health startup stores appointment history, prescriptions, lab results, and patient contact details in a secure portal.
Billing and Insurance File
A small clinic sends billing records containing patient names, procedure codes, insurer details, and payment status to an authorized business associate.
Support Ticket With Health Context
A healthcare SaaS support team receives a ticket that includes a screenshot showing a patient name and treatment information.
De-Identification Workflow
An enterprise analytics team removes direct identifiers and reduces re-identification risk before using health data for reporting.
Frequently Asked Questions
What is protected health information?
Protected health information is individually identifiable health information that is linked to healthcare, care delivery, payment, or related administrative activity. Under HIPAA, it becomes PHI when it is held or handled by a covered entity or a business associate acting on its behalf.
What does PHI stand for?
PHI stands for Protected Health Information. In healthcare and compliance contexts, it refers to health-related information that can identify an individual and must be handled with appropriate privacy, security, access, retention, and disclosure controls.
What are examples of protected health information?
Examples of protected health information include patient names, addresses, medical record numbers, diagnosis details, treatment notes, lab results, insurance identifiers, billing records, appointment details, prescription history, and health-related emails or portal messages when tied to an identifiable person.
What is not considered PHI?
Information is generally not PHI when it is not connected to an identifiable individual in a regulated healthcare context. For example, fully de-identified health statistics, generic wellness content, or employment records held by an employer outside a healthcare role may fall outside PHI, depending on how the information is created, used, and maintained.
What is the difference between PHI and ePHI?
PHI is the broader category of protected health information in any format, including paper, verbal, image, and electronic records. ePHI means electronic protected health information, such as health data stored in databases, cloud systems, emails, backups, mobile apps, APIs, or file shares.
What is the difference between PHI and PII?
PII means personally identifiable information and can apply across many contexts, such as finance, employment, education, and consumer services. PHI is a more specific category of identifiable health information connected to healthcare services, payment, or operations under HIPAA. Some data can be both PII and PHI.
How should organizations protect PHI?
Organizations should protect PHI with role-based access, strong authentication, encryption, audit logging, secure transmission, retention rules, workforce training, vendor due diligence, incident response procedures, and periodic risk assessments. Controls should cover both production systems and supporting locations such as backups, exports, tickets, and analytics tools.
When can protected health information be shared?
Protected health information may be shared when there is an authorized purpose, appropriate permission, or a valid operational need such as treatment, payment, healthcare operations, required reporting, or approved business associate support. Organizations should apply minimum necessary access, document sharing decisions, and confirm that recipients are authorized.
How can PHI be de-identified?
PHI can be de-identified by removing or transforming identifiers so the information can no longer reasonably identify an individual. Common approaches include removing direct identifiers, generalizing dates or locations, suppressing rare attributes, aggregating results, and validating that re-identification risk is acceptably low.
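The de-identification approaches just listed, and the De-Identification Workflow example earlier on this page, as an added illustration that is not part of the original page: the script drops direct identifiers, generalizes dates to years and ZIP codes to a three-digit prefix, suppresses quasi-identifier combinations seen fewer than K times, checks the smallest remaining equivalence class before release, and aggregates for reporting. The field names, the K threshold and the sample records are constructed assumptions for the example.

```python
from collections import Counter
from datetime import date

DIRECT_IDENTIFIERS = {"name", "mrn", "email", "phone", "address"}  # removed outright
QUASI_IDENTIFIERS = ("birth_year", "zip3", "sex")  # generalized, then checked for rarity
K = 2  # hypothetical threshold: every remaining combination must appear at least K times

SAMPLE = [  # constructed sample records, not real patients
    {"name": "A. Example", "mrn": "MRN-0001", "email": "a@example.org", "dob": "1980-03-14", "zip": "02139", "sex": "F", "visit_date": "2024-02-01", "diagnosis": "flu"},
    {"name": "B. Example", "mrn": "MRN-0002", "email": "b@example.org", "dob": "1980-11-02", "zip": "02141", "sex": "F", "visit_date": "2024-05-19", "diagnosis": "flu"},
    {"name": "C. Example", "mrn": "MRN-0003", "email": "c@example.org", "dob": "1975-07-30", "zip": "94110", "sex": "M", "visit_date": "2024-09-08", "diagnosis": "diabetes"},
]

def generalize(record):
    """Drop direct identifiers; coarsen dates to the year and ZIP to a 3-digit prefix."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["birth_year"] = date.fromisoformat(out.pop("dob")).year
    out["visit_year"] = date.fromisoformat(out.pop("visit_date")).year
    out["zip3"] = out.pop("zip")[:3]
    return out

def quasi_key(record):
    return tuple(record[q] for q in QUASI_IDENTIFIERS)

def suppress_rare(records, k=K):
    """Blank the quasi-identifiers of rows whose combination appears fewer than k times."""
    counts = Counter(quasi_key(r) for r in records)
    out = []
    for r in records:
        r = dict(r)
        if counts[quasi_key(r)] < k:
            r.update({q: "*" for q in QUASI_IDENTIFIERS})
        out.append(r)
    return out

def k_anonymity(records):
    """Smallest equivalence class among rows that still carry quasi-identifiers."""
    counts = Counter(quasi_key(r) for r in records if r["zip3"] != "*")
    return min(counts.values()) if counts else len(records)

def aggregate(records):
    """Reporting output: case counts per (visit year, diagnosis)."""
    return Counter((r["visit_year"], r["diagnosis"]) for r in records)

def deidentify(records, k=K):
    """Full pipeline; refuses to release rows that do not reach the k target."""
    rows = suppress_rare([generalize(r) for r in records], k)
    if k_anonymity(rows) < k:
        raise ValueError("re-identification risk too high")
    return rows
```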
What are common PHI risks?
Common PHI risks include unauthorized access, phishing, misdirected emails, weak permissions, unencrypted devices, exposed cloud storage, insecure APIs, excessive data retention, poorly managed vendors, lost paper records, and insufficient audit logging. These risks can lead to privacy incidents, regulatory exposure, patient harm, and loss of trust.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-07 | WatchDog GRC Team | Initial publication |