As per HIPAA compliance, PHI (Protected Health Information) is a category of information that includes all individually-identifiable health information such as personal info (name, address, date of birth, etc.), health status, past medical record, and health care payments. According to the HIPAA Privacy Rule, forms of PHI can be oral, written, or electronic.
Protected Health Information Disclosure
PHI is protected in the sense that it is forbidden to use or disclose except in narrowly authorized circumstances. For example, PHI can be used when doctors need patient data to perform their job, in emergency situations, and when treatment occurs in collaboration with other health providers or associates. PHI is not protected when attached to large data sets that have had personally-identifiable information removed or obscured, as in medical research.
What is Electronic Protected health information (ePHI)?
Any PHI data that is created, transmitted, received, or stored electronically is referred to as Electronic PHI (ePHI) and must be handled with the appropriate security controls in compliance with HIPAA Security Rule requirements.
Unauthorized use or disclosure of PHI or ePHI by Covered Entities (e.g. hospitals, doctors, health insurance companies) and Business Associates (third-parties such as cloud billing services) brings the risk of severe civil and criminal penalties.
Types of PHI
For reference, the 18 types of information that are classified as PHI are:
Dates (of appointments, payments, etc.)
Social Security number
Medical record number
Health plan / insurance beneficiary number
Certificate / license number
Any vehicle identifiers (e.g. license plate number)
Device identifiers and serial numbers
Web URLs (Links)
Internet Protocol (IP) address
Biometric identifiers (finger / retinal / voice)
Any other characteristic that may be used to uniquely identify the individual