Awareness article

What Does PHI Stand For?

A direct answer to what PHI stands for, what counts as PHI under HIPAA, and what it means for a small clinic day to day.

Short answer

PHI stands for Protected Health Information. HIPAA defines it as individually identifiable health information held or transmitted by a covered entity or business associate. The definition lives in 45 CFR 160.103 and shapes almost every compliance decision a clinic makes.

Direct answer

PHI stands for Protected Health Information. Under HIPAA, it means any individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits. The legal definition lives in 45 CFR 160.103. It covers paper charts, faxes, emails, billing records, voicemails, and conversations at the front desk.

What counts as PHI

HIPAA's de-identification standard lists 18 identifier categories. If any of them appears alongside health, treatment, or payment context and the information can reasonably identify a person, it is PHI. The categories are:

  • names
  • addresses more specific than state
  • dates related to an individual (birth, admission, discharge, death)
  • phone and fax numbers
  • email addresses
  • Social Security numbers
  • medical record numbers
  • health plan beneficiary numbers
  • account numbers
  • certificate and license numbers
  • vehicle identifiers
  • device identifiers and serial numbers
  • web URLs
  • IP addresses
  • biometric identifiers
  • full-face photos
  • any other unique identifying number, code, or characteristic

HHS maintains a longer discussion in its de-identification guidance. The practical test for a clinic is simpler. If a reasonable person could tie the data back to a specific patient, treat it as PHI.

Who PHI applies to

PHI rules apply to covered entities and business associates. A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with HIPAA transactions. A business associate is any vendor that handles PHI on behalf of a covered entity, such as a billing service, IT provider, or task management platform.

A small clinic is almost always a covered entity. Any software vendor it uses that touches PHI is a business associate and must sign a BAA before PHI is shared. For a fuller walkthrough of that relationship, see Covered Entity vs Business Associate.

PHI versus ePHI

PHI is the umbrella category. ePHI is the electronic subset. ePHI triggers the technical and administrative safeguards of the HIPAA Security Rule, including encryption, access controls, and audit logs. Paper and oral PHI still fall under the Privacy Rule, but they are not governed by the Security Rule specifically. For the full distinction, read ePHI vs PHI: Key Differences.

Why the definition matters for small clinics

Most compliance mistakes at small clinics are not exotic. They come from staff not recognizing that a piece of information is PHI in the first place. A few realistic examples:

  • A calendar invite titled “Maria R. — colonoscopy 2pm” sent to a shared team calendar.
  • A Slack DM asking a coworker if the Tuesday patient came back for follow-up.
  • A photo of a paper intake form taken on a personal phone.

Each of those contains PHI. Each can become a breach under the wrong circumstances. This is why compliance programs focus on how PHI moves through everyday tools, not just EHR access. PHIGuard is built on that premise. See /hipaa for how clinic-flat pricing and a BAA at every tier change the math on vendor sprawl.
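As a concrete illustration of the identifier categories and the practical test above, here is a small Python check (an added example written for this page, not PHIGuard's code) that flags a message as PHI only when an identifier pattern and health, treatment, or payment context occur together, run over constructed messages modelled on the three examples. The identifier regexes and the context word list are assumptions for illustration, not a HIPAA-mandated rule set.

```python
import re

# Regexes for a handful of the 18 identifier categories listed above.
# Added example, not PHIGuard's code: patterns are deliberately simple and a
# production rule set would cover every category and the clinic's own formats.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.I),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    # "First L." style names, as in the calendar-invite example
    "name": re.compile(r"\b[A-Z][a-z]+ [A-Z]\.(?=\s|$)"),
}

# Health, treatment or payment context; an identifier alone is not PHI
HEALTH_CONTEXT = re.compile(
    r"\b(colonoscopy|patient|follow-?up|diagnos\w*|intake|claim|copay|rx|"
    r"appointment|visit|lab|treatment|billing|insurance)\b", re.I)

def find_identifiers(text):
    """Return the identifier categories that appear in the text, sorted."""
    return sorted(k for k, p in IDENTIFIER_PATTERNS.items() if p.search(text))

def classify(text):
    """Apply the practical test: identifier + health context => treat as PHI."""
    ids = find_identifiers(text)
    context = bool(HEALTH_CONTEXT.search(text))
    return {"identifiers": ids, "health_context": context,
            "phi": bool(ids) and context}

# Constructed samples modelled on the three everyday examples above, plus
# one control message that carries identifiers but no health context.
SAMPLES = [
    "Maria R. - colonoscopy 2pm",                          # calendar invite
    "Did the Tuesday patient come back for follow-up?",    # Slack DM
    "Intake form: MRN 0048213, DOB 03/14/1961, copay collected",  # photo OCR
    "Lunch with Dan K. on 5/2/2024",                       # not PHI
]

def scan(messages):
    """Return the messages the pattern test would flag for PHI handling."""
    return [m for m in messages if classify(m)["phi"]]

if __name__ == "__main__":
    for m in SAMPLES:
        print(classify(m), m)
```

The Slack message is flagged for health context but no pattern sees an identifier: "the Tuesday patient" identifies someone only to staff who know who that was, which is exactly the gap training covers and scanning does not.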

Common misconceptions

“De-identified data is PHI.” It is not, if it meets the HHS de-identification standard. But most data clinics treat as anonymous still contains identifiers.

“PHI only lives in the EHR.” PHI lives anywhere patient context exists: email, chat, calendars, task tools, voicemail, paper.

“Our vendor says they are HIPAA compliant, so we are fine.” A vendor’s self-attestation is not a BAA. Without a signed BAA, PHI must not be shared with that vendor. See PHI in Email for how this breaks down in practice.

What to do with this knowledge

Three concrete moves for a small practice:

  1. Run an inventory of every tool that could touch PHI and confirm a BAA exists for each.
  2. Train staff on what makes a piece of information PHI, not just where PHI is stored.
  3. Centralize work that references patients into a system with audit logs and access controls.

The last point is the gap PHIGuard was built to close. Review /hipaa for the approach.

FAQ

Questions related to this topic

What does PHI stand for?

PHI stands for Protected Health Information. It is the category of health data that HIPAA protects when held or transmitted by a covered entity or business associate.

Is a patient name alone considered PHI?

A name by itself is not PHI. A name becomes PHI when it is combined with any health, payment, or treatment context that links it to an individual.

What is the difference between PHI and ePHI?

PHI covers any format including paper and oral conversations. ePHI is the electronic subset and triggers the HIPAA Security Rule in 45 CFR Part 164 Subpart C.

Operational assurance

Move from policy documents to a working compliance program.

PHIGuard turns these workflows into repeatable tasks, audit evidence, and role-based processes for small clinics.
