Protected Health Information (PHI)

Protected Health Information or PHI under Health Information Portability and Accountability Act or HIPAA, is any information about someone’s health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient's medical record or payment history.


HIPAA defines policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information as well as outlining numerous offenses relating to health care and sets civil and criminal penalties for violations. It also creates several programs to control fraud and abuse within the health care system.However, the most significant provisions of Title II are its Administrative Simplification rules. Title II requires the Department of Health and Human Services (HHS) to draft rules aimed at increasing the efficiency of the health care system by creating standards for the use and dissemination of health care information.

These rules apply to "covered entities" as defined by HIPAA and the HHS. 

Covered Entities

Covered entities include health plans, health care clearinghouses, such as billing services and community health information systems, and health care providers that transmit health care data in a way that is regulated by HIPAA.

HIPAA Privacy Rule

The HIPAA Privacy Rule regulates the use and disclosure of PHI held by covered entities. By regulation, the Department of Health and Human Services extended the HIPAA privacy rule to independent contractors of covered entities who fit within the definition of "business associates".

Business Associates

A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to PHI.  A “business associate” also is a subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate.  The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information. 

HIPAA Security Rule

The Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all PHI including paper and electronic, the Security Rule deals specifically with Electronic Protected Health Information or ePHI. It lays out three types of security safeguards required for compliance:

  • administrative, 
  • physical, and 
  • technical. 

For each of these types, the Rule identifies various security standards, and for each standard, it names both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the Rule. Addressable specifications are more flexible. Individual covered entities can evaluate their own situation and determine the best way to implement addressable specifications.

Protected Health Information Data Fields

There are 18 Protected Health Information (PHI) data fields that businesses must protect in the course of their business operations and transactions: They are:

  1. Names;
  2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, or zip code;
  3. Dates (other than year) directly related to an individual;
  4. Telephone numbers;
  5. Fax numbers;
  6. Electronic mail addresses;
  7. Social Security numbers;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/License numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. Web Universal Resource Locators (URLs);
  15. Internet Protocol (IP) address numbers;
  16. Biometric identifiers, including finger and voice prints;
  17. Full face photographic images and any comparable images; and
  18. Any other unique identifying number, characteristic, or code.

Visit the law page of this website for other articles after reading about protected health information.

Identity Theft Courses