PHI (Protected Health Information)
Definition
Protected Health Information (PHI) is individually identifiable health information held or transmitted by a covered entity or business associate under HIPAA. PHI includes any information about health status, provision of healthcare, or payment for healthcare that can be linked to an individual. This encompasses medical records, billing information, insurance claims, lab results, prescription data, and any other health-related information tied to identifiable individuals. The HIPAA Privacy Rule protects PHI in any form: electronic (ePHI), paper, or oral.

Information is considered individually identifiable if it includes common identifiers (name, address, birth date, Social Security number) or if there is a reasonable basis to believe it could identify an individual. PHI receives heightened protection because of its sensitivity and the potential for discrimination or harm if it is disclosed.

Covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates must implement administrative, physical, and technical safeguards to protect PHI. Uses and disclosures of PHI are restricted and generally require patient authorization, except for treatment, payment, and healthcare operations. De-identified health information that meets HIPAA's de-identification standards is not PHI and can be used more freely. Breaches of unsecured PHI trigger notification requirements and potential penalties.
Applicable Laws & Regulations
- HIPAA Privacy Rule, 45 CFR Parts 160 and 164
- HIPAA Security Rule, 45 CFR Part 164, Subpart C
- HIPAA Breach Notification Rule, 45 CFR § 164.400
- HITECH Act