PHI Meaning: What PHI Stands For
A concise definition of PHI, what the acronym stands for, and how the term is used in US healthcare compliance.
Short answer
PHI stands for Protected Health Information. Under HIPAA, it is any information that identifies an individual and relates to their health, treatment, or payment for care. PHI is regulated by the HIPAA Privacy Rule and Security Rule, and mishandling it can trigger federal enforcement action.
PHI stands for Protected Health Information. It is the central term in US healthcare privacy law: any information that identifies an individual and relates to their past, present, or future health, care, or payment for care.
Legal definition
The HIPAA Privacy Rule defines PHI as individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. The key test is whether the information could reasonably identify the person and whether it involves health, treatment, or payment.
The PHI definition is found at 45 CFR § 160.103. The de-identification standard — the process for removing all identifiers so that data no longer qualifies as PHI — is at 45 CFR § 164.514. A covered entity includes health plans, healthcare clearinghouses, and most healthcare providers.
What qualifies as PHI
PHI is not a single data type. It is a combination:
- An identifier — name, address, date of birth, phone number, Social Security number, medical record number, account number, IP address, and 12 others listed under the HIPAA de-identification standard
- A health or payment context — diagnosis, treatment notes, billing records, appointment history
Remove all identifiers and the remaining data is de-identified and falls outside PHI protections. Keep even one identifier alongside health context and the entire record is PHI.
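The two-part test above (an identifier plus a health or payment context) can be applied mechanically when screening records before they reach a tool without a BAA. The following is an added example, not PHIGuard's code and not a compliance tool: it checks only the eight identifier types this article names (the full Safe Harbor list at 45 CFR § 164.514 is longer), looks for a few identifier formats embedded in free text such as a task note, and shows that removing every identifier turns the same record into de-identified data. Field names and sample records are constructed for illustration.

```python
"""Screen a record for PHI under the identifier-plus-health-context test.

Added example, not the article's or PHIGuard's own code. Identifier fields
are limited to the eight the article names; the Safe Harbor list is longer.
"""
import re
from dataclasses import dataclass, field

# Identifier field names (hypothetical schema) covering the article's list.
IDENTIFIER_FIELDS = {
    "name", "address", "date_of_birth", "phone", "ssn",
    "medical_record_number", "account_number", "ip_address",
}
# Health or payment context fields named in the article.
HEALTH_CONTEXT_FIELDS = {
    "diagnosis", "treatment_notes", "billing", "appointment_history",
}
# Identifiers that commonly hide inside free text (task notes, comments).
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


@dataclass
class Screening:
    identifiers: set = field(default_factory=set)
    health_context: set = field(default_factory=set)

    @property
    def is_phi(self) -> bool:
        # The article's rule: any identifier alongside health context is PHI.
        return bool(self.identifiers) and bool(self.health_context)

    @property
    def classification(self) -> str:
        if self.is_phi:
            return "PHI"
        if self.health_context:
            return "de-identified health data"
        if self.identifiers:
            return "identifiers without health context"
        return "no health data"


def screen_record(record: dict) -> Screening:
    """Classify one record by the fields present and identifiers in free text."""
    result = Screening()
    for key, value in record.items():
        if value in (None, ""):
            continue
        if key in IDENTIFIER_FIELDS:
            result.identifiers.add(key)
        elif key in HEALTH_CONTEXT_FIELDS:
            result.health_context.add(key)
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    result.identifiers.add(f"{label} (in {key})")
    return result


def de_identify(record: dict) -> dict:
    """Drop identifier fields and redact embedded identifiers in free text."""
    cleaned = {}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            continue
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                value = pattern.sub(f"[{label.upper()} REDACTED]", value)
        cleaned[key] = value
    return cleaned


# Constructed sample records, not real patient data.
SAMPLE_RECORDS = [
    {"medical_record_number": "MRN-0001", "diagnosis": "type 2 diabetes"},
    {"diagnosis": "type 2 diabetes"},
    {"treatment_notes": "Call pt at 555-867-5309 about labs"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(screen_record(rec).classification, "<-", rec)
        print(screen_record(de_identify(rec)).classification, "<- after de-identification")
```

The third sample shows why free-text fields matter: the record has no identifier column at all, yet the phone number in the note makes it PHI until the note is redacted.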
Where PHI appears outside the chart
Healthcare teams most commonly think of PHI as living in the EHR or the paper chart. In practice, PHI shows up in many other places:
- Task descriptions and assignment notes
- Scheduling and intake forms
- Prior authorization tracking spreadsheets
- Emails to vendors or insurers
- Voicemail recordings
- PDF attachments shared via cloud storage
Each of those locations creates a compliance obligation if the system handling the data does not meet HIPAA requirements.
ePHI: the electronic subset
When PHI is stored or transmitted electronically, it is called ePHI. The HIPAA Security Rule — 45 CFR Part 164, Subpart C — adds technical, physical, and administrative safeguard requirements specifically for ePHI. These include access controls, audit logs, encryption in transit, and device management.
Any software system that touches patient data, not just clinical tools, needs to be evaluated as a potential ePHI system. Project management software, cloud drives, and email platforms are common examples of non-clinical tools that can hold ePHI.
Why the meaning matters for small clinics
For a practice administrator, understanding the PHI definition is the starting point for two decisions: which tools need a Business Associate Agreement (BAA), and which staff need HIPAA training on a given system.
If a tool could ever receive patient-linked information — even incidentally — it likely processes PHI. A BAA must be in place before that tool is used in those situations. For more on how to screen tools, see When a Vendor Needs a BAA.
For a practical look at where PHI shows up in clinic operations, see What Counts as PHI in a Small Clinic. For the full list of data fields that make information identifiable, see 18 HIPAA Identifiers.
PHIGuard is built around the PHI definition: every task, comment, and audit log in the platform is treated as a potential PHI surface, with access controls and a BAA included at every pricing tier.