What does PHI Stand for in HIPAA?

PHI is an acronym of Protected Health Information, a term commonly used in the Health Insurance Portability and Accountability Act (HIPAA) and in related legislation such as the Health Information Technology for Economic and Clinical Health Act (HITECH). PHI refers to any data relating to a patient, a patient’s healthcare, or the payment for that healthcare that is created, received, saved, or sent by HIPAA-covered entities.

HIPAA-covered entities are normally healthcare providers, health plans, healthcare clearinghouses, and their business associates or third-party service providers who have access to Protected Health Information. These entities must put in place measures to secure Protected Health Information against unauthorized disclosure, amendment, or destruction, as required by the HIPAA Privacy Rule.

The Department of Health & Human Services’ Office for Civil Rights has defined PHI as any Personal Identifying Information that – individually or combined with other information – could be used to identify a specific individual, their past, present, or future healthcare, or the manner of payment. PHI does not include information contained in education records or information held by healthcare organizations in their role as an employer.

Overall, there are 18 unique identifiers considered to be PHI, including:

PHI ceases to be PHI when all 18 unique identifiers have been removed from it for marketing or research purposes. Regardless, the data is still considered “protected” under the 1981 Common Rule – an Act of Congress that sets the baseline standard of ethics under which any government-funded research in the US is conducted. Almost all U.S. academic institutions hold their researchers to this standard of ethics regardless of the source of financing.

ePHI is an acronym of electronic Protected Health Information and refers to any PHI that is created, received, stored, or sent electronically by HIPAA-covered entities. Because digitally stored data can be accessed and transmitted so easily, ePHI is subject to the HIPAA Security Rule as well as the HIPAA Privacy Rule. It is also governed by the HITECH Act when a healthcare provider takes part in the Meaningful Use program.

The Security Rule primarily consists of physical, technical, and administrative safeguards to prevent unauthorized access to and disclosure of ePHI. These safeguards should be carefully reviewed by HIPAA-covered entities, as the fines for a breach of the HIPAA Security Rule can be very high – in some cases even when there has been no unauthorized access to, or sharing of, PHI.

In Medical Terms what is PHI?

In HIPAA, PHI refers to protected health information, but the term PHI is also often used to mean patient health information or personal health information – any health information included in a medical record that relates to a person and that has been created, received, used, or is maintained by a HIPAA-covered entity for purposes such as providing healthcare services or payment for healthcare services.
