Glossary HIPAA

Protected Health Information (PHI)

Protected Health Information (PHI) is health information that identifies, or could reasonably be used to identify, an individual patient or plan member, held in any form (paper, spoken, or electronic). PHI includes demographic data, medical histories, test results, insurance information, and billing records that are created, stored, transmitted, or received by covered entities or their business associates. Information that has been de-identified under 45 CFR §164.514(b) (either the Safe Harbor removal of the 18 listed identifiers or a documented expert determination) is no longer PHI and falls outside the Privacy and Security Rules.

Regulatory Definitions
  • HIPAA Privacy Rule (45 CFR §160.103): PHI is individually identifiable health information that is transmitted or maintained in any form or medium. Individually identifiable health information is information, including demographic data, created or received by a health care provider, health plan, employer, or health care clearinghouse that relates to: (1) the past, present, or future physical or mental health or condition of an individual; (2) the provision of health care to an individual; or (3) the past, present, or future payment for the provision of health care to an individual, and that either identifies the individual or provides a reasonable basis to believe it can be used to identify the individual. The definition excludes education records covered by FERPA, employment records held by a covered entity in its role as employer, and health information about a person who has been deceased for more than 50 years.
  • HIPAA Security Rule (45 CFR §160.103; safeguards at §§164.308, 164.310, and 164.312): Electronic PHI (ePHI) is PHI that is transmitted by or maintained in electronic media. The Security Rule applies only to ePHI, not to paper or oral PHI, and requires covered entities and business associates to implement administrative, physical, and technical safeguards to ensure its confidentiality, integrity, and availability.
  • HIPAA Breach Notification Rule (45 CFR §164.402): Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a technology or methodology specified in HHS guidance, which recognizes only encryption (consistent with the NIST guidance the HHS document cites) and destruction (such as shredding paper or sanitizing electronic media). Encryption only takes PHI out of the "unsecured" category if the decryption key was not also compromised. An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised, and a breach triggers notification to affected individuals, to HHS, and in some cases to the media, within the deadlines in §§164.404 through 164.408.