
Awareness article

What Counts as PHI in a Small Clinic

A direct explanation of what protected health information includes, where it appears outside the chart, and how healthcare teams accidentally create PHI in ordinary workflows.

Short answer

PHI is identifiable information tied to a person's health, care, or payment for care. In practice it shows up far beyond the chart, including in tasks, messages, spreadsheets, forms, and operational notes. Treating those items as PHI helps clinics turn HIPAA requirements into assigned owners, recurring reviews, dated evidence, and practical controls that can be explained during an OCR inquiry.

PHI is identifiable information that relates to a person’s past, present, or future health, treatment, or payment for care. If your team can tell who the patient is and infer something about care or billing, the workflow probably contains PHI.

What counts as PHI

PHI usually combines two elements:

  • an identifier that points to a person
  • health, treatment, or payment context

That means PHI can exist in a diagnosis note, but it can also exist in a message that says, “Call Ana back about her MRI authorization.”

Where PHI shows up outside the EHR

Healthcare teams commonly create PHI in:

  • task titles and assignment notes
  • intake and scheduling forms
  • prior authorization trackers
  • spreadsheets and shared drives
  • incident reports
  • support emails sent to vendors

Common PHI mistakes

Teams often assume the EHR is the only place where HIPAA matters. That creates a split-brain model where clinical systems are handled carefully, but operational systems are handled casually. Patient names then leak into general-purpose tools that do not have the right contract terms, access controls, or notification guardrails.

A better operating rule

If a staff member can identify the patient and infer the health or billing context from the workflow item, handle it as PHI. That rule is more useful in practice than debating edge cases after the information has already spread.

Use PHI Fundamentals for the broader definition cluster, PHI in Email for one common workflow, and PHI vendor guides if your team is screening a specific tool.

Clinic operating guidance

Treat What Counts as PHI in a Small Clinic as an operational control, not only as a reference topic. A small clinic should name the person who owns the workflow, list the systems where PHI or compliance evidence may appear, and decide what must be recorded when the issue comes up. That record can be simple, but it should show the date, the people involved, the systems checked, and the reason the clinic chose its next step.

Start with the HIPAA rule that is closest to the work. Privacy Rule topics usually require the clinic to ask whether the use or disclosure is permitted, limited to the minimum necessary where that standard applies, and consistent with patient rights. Security Rule topics usually require an inventory of systems, access controls, audit activity, and risk management follow-up. Breach topics require a fact-based review of what happened, who received the information, whether PHI was actually viewed or acquired, and what mitigation changed the risk.

Evidence to keep

For What Counts as PHI in a Small Clinic, the evidence should be practical enough for a manager to maintain. Keep the policy or checklist version that was in effect, the staff or vendor responsible for the work, and the dated notes showing what was reviewed. If the issue involves policy ownership or recurring review, preserve the screenshots, logs, tickets, messages, or vendor records that explain the decision. If it involves staff follow-up or audit evidence, record who approved the action and when the follow-up should be checked again.

Use the page topic as the operating standard: define the owner, the affected systems, the review trigger, and the evidence the clinic will keep. Those points should be reflected in the clinic’s actual records. A page that says the clinic reviews access quarterly is weaker than a review log showing the user list, exceptions, removals, and owner sign-off. A policy that says vendors are reviewed is weaker than a vendor file with the BAA status, PHI use case, renewal date, and incident contact.

Review cadence

Review What Counts as PHI in a Small Clinic when the clinic changes software, adds a location, changes staffing, receives a patient complaint, identifies a suspected incident, or updates a vendor relationship. Annual review is useful, but it is not enough when the workflow changes sooner. The clinic should also connect this topic to training so front desk, billing, clinical, and management staff understand the examples they are most likely to see.

The goal is not to create a large binder. The goal is to leave enough evidence that another reviewer can understand what the clinic knew, what rule or source it relied on, what action it took, and what still needs follow-up. That is the level of documentation that makes HIPAA work repeatable in a small clinic instead of dependent on memory.

PHIGuard commercial baseline

PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current limited offer details.

FAQ

Questions related to this topic

Is a patient's first name alone PHI?

Not by itself. The issue is whether the information identifies the person and connects them to health, treatment, or payment information.

Can a task title contain PHI?

Yes. A task title like 'Call Maria R. about biopsy results' can expose PHI in the task system and in notification channels.

Operational assurance

Move from policy documents to a working compliance program.

PHIGuard turns these workflows into repeatable tasks, audit evidence, and role-based processes for small clinics.

  • BAA included: legal baseline available on every plan.
  • Audit history: compliance actions stay reviewable later.
  • No card upfront: start evaluation before billing setup.

No credit card required. Add billing details later if you want service to continue after the trial.