PHI stands for protected health information: individually identifiable health information that is created or received by a HIPAA Covered Entity or Business Associate, that relates to an individual’s past, present, or future physical or mental health or condition, the provision of health care to the individual, or payment for health care, and that identifies the individual or can reasonably be used to identify the individual.
Protected health information can exist in any form, including paper records, spoken communications, images, and electronic data. When protected health information is created, stored, or transmitted electronically, it is commonly referred to as electronic protected health information. HIPAA requirements apply to protected health information handled by health plans, most health care providers that transmit health information in standard electronic transactions, health care clearinghouses, and their Business Associates.
Protected health information includes obvious identifiers such as a patient name, address, email address, telephone number, account numbers, medical record numbers, full-face photographs, and other unique identifying numbers or characteristics. It also includes combinations of details that identify an individual when linked to health care or payment, such as an appointment detail tied to a diagnosis, a test result linked to a person, or billing information connected to a patient identifier. The status of information as protected health information depends on whether it is individually identifiable and related to health care or payment, not on whether it is contained in a medical chart.
Certain categories of information are not protected health information under HIPAA, including employment records held by an employer in its role as an employer and education records covered by the Family Educational Rights and Privacy Act. Health information that has been de-identified under HIPAA is not protected health information. HIPAA protections also extend to a decedent’s protected health information for 50 years following the date of death.
Organizations use the term protected health information to identify data that is subject to safeguards under the HIPAA Privacy Rule, the HIPAA Security Rule when electronic, and the HIPAA Breach Notification Rule when an impermissible use or disclosure involves unsecured protected health information.
HIPAA Staff Training Related to PHI
HIPAA staff training supports correct handling of protected health information by ensuring workforce members can recognize when information is PHI and apply organizational policies under the HIPAA Privacy Rule and the HIPAA Security Rule. Training should be assigned to employees, medical staff, contractors, volunteers, students, and temporary personnel whose duties may involve access to PHI, with onboarding training completed within three months of hire and refresher training completed annually, plus additional training when policies change or after an incident. Training content should define PHI and common identifiers, distinguish PHI from de-identified data and non-covered records, and set role-based limits on use, disclosure, access, storage, and transmission. Scenario-based instruction should address minimum necessary uses for non-treatment functions, secure workstation and device practices, and reporting steps for suspected unauthorized access or disclosure. Online training with module assessments, completion certificates, and administrative reporting supports documentation and oversight.
