
What is PHI (Protected Health Information) Under HIPAA?

1 February 2024 | April 16th, 2024

What Is PHI, And Why Is It Important For Your Healthcare Organization?

The healthcare industry is perhaps one of the most tightly wound and strictly regulated industries in the US. Even accessing healthcare information requires you to jump a lot of hurdles. And PHI is probably the biggest hurdle you need to overcome.


Many companies are scared to handle PHI Protected Health Information because they are unaware of its use or how they can use it. Most of them only have half-baked ideas about PHI data. But one thing everyone knows is that misusing PHI data could lead to some pretty awful consequences.

But, for many business organizations, there is no choice but to use PHI health data. Here, we explain in detail Protected Health Information and how organizations can effectively use it without risking a hefty penalty.

What is Protected Health Information?

In layman's terms, Protected Health Information is any health-related information that could reveal an individual's identity. However, once you learn more about Protected Health Information PHI, this definition may seem oversimplified.

A more technical definition of Protected Health Information would sound something like

“Protected Health Information is any healthcare information that HIPAA-covered entities and their business associates create, receive, store, or transmit for healthcare services and operations.”

Now, if you have never heard of Protected Health Information PHI, the above sentence may not make much sense at all. However, three terms in that definition stand out:

  • HIPAA
  • Covered Entities
  • Business Associates

Perhaps, if you knew what these three terms mean, you could better understand what is PHI from that definition. But, before we explain these terms and what they mean, let's first take a look at PHI and the information that comes under PHI.

What Is ePHI?

The first implementation of HIPAA regulations in the US was back in 1996 when all medical records were physical. But that doesn't mean that PHI health data in digital format doesn't enjoy the same security as regular PHI.

With the increasing digitization of healthcare operations, HIPAA added a new provision to bring health data in electronic form under its regulation. ePHI or Electronic PHI Protected Health Information involves all healthcare information created, stored, or transmitted electronically.

Healthcare organizations usually use mHealth or eHealth products for data operations involving ePHI data. And the reason that you may not have heard of ePHI is that the healthcare industry often uses it as synonymous with PHI.

What Is HIPAA, And How Does It Protect PHI Health Data?

You can't understand what is PHI and how vital it is to protect it without first learning about HIPAA. The Health Insurance Portability and Accountability Act or HIPAA is a federal law that protects sensitive patient health information from unauthorized disclosures.

It protects a patient's health records and any healthcare data that could reveal their identity, and it prevents misuse of that information. HIPAA defines which data requires protection as PHI and which doesn't. It also explains who or what can access the PHI health data.

HIPAA offers stringent restrictions on individuals and organizations that handle PHI data. Your healthcare organization may face severe consequences if it fails to comply with HIPAA regulations and protect PHI data.

What Are Covered Entities?

Whenever you search for something relating to sensitive Protected Health Information, the term covered entity always comes up. We discussed this term above when we defined PHI for you. So, what is this so-called covered entity? And is your healthcare or insurance organization classified as one?

According to HIPAA, a covered entity is any individual or organization that regularly handles PHI health data. In other words, you could also say that covered entities are individuals and organizations that must comply with HIPAA regulations.

Covered entities under HIPAA come under one of the three categories listed below:

  • Healthcare Providers
  • Health Plans
  • Healthcare Clearinghouses

Healthcare Providers

It should be no surprise that healthcare providers are among the first that need to ensure HIPAA compliance. Healthcare providers like hospitals and clinics are practically the source of much of the valuable PHI Protected Health Information in circulation.

There is a rather long list of healthcare providers that come under the scrutiny of HIPAA regulations. And unlike what you might think, hospitals and clinics are not the only healthcare providers under HIPAA rules. Here are the other major Healthcare Providers that need to safeguard their PHI data.

  • Hospitals
  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies

So, suppose you see your business organization on the list above. In that case, you need to ensure you keep your PHI health data protected.

Health Plans

Government programs such as Medicare and Medicaid that pay for healthcare services are health plans, and they are subject to HIPAA rules. Besides them, HIPAA also considers military and veterans' health care programs as health plans. The other major health plans under HIPAA are as follows.

Health Insurance Providers

If yours is a health insurance business, you already know that you regularly deal with sensitive Protected Health Information. It means you need to ensure HIPAA compliance everywhere you use patient data. And yes, it means ensuring HIPAA compliance even for sending your monthly billing statements via mail.

Health Maintenance Organizations or HMOs

Health Maintenance Organizations HMOs provide health coverage much like a health insurance provider. But there is one key difference. HMO coverages are limited to healthcare from doctors or institutions in contractual agreements with the insurance provider.

Company/Organization Health Plans

Let's say for a second that your company or organization has nothing to do with patients or PHI health data. Your company may still be a covered entity if you provide health insurance to your employees. In this case, you will inevitably need to collect PHI data from them.

Healthcare Clearinghouses

Organizations that process nonstandard health information into a standard format, or vice versa, are called Healthcare Clearinghouses. A clearinghouse takes PHI health data from an entity and standardizes the data.

It then sends the standardized PHI data as output to another entity or organization. As you can see, the clearinghouses merely provide the PHI data from one organization to another. Yet, it is considered a covered entity under HIPAA. That's how serious HIPAA is about protecting PHI data.


What Are Business Associates?

Covered entities cannot avoid ever sharing sensitive Protected Health Information with anyone else. If you think about it, there is no way healthcare organizations like hospitals can carry out all their business operations by themselves.

Hospitals and insurance providers often outsource several internal operations to specialized service providers. And some of these outsourced services, such as a Managed Print Service, require you to share the PHI data with them.

Business Associates are entities with whom your healthcare organization can legally share PHI data. A business associate can access, use, and disclose the PHI health data your organization provides in order to perform its tasks.

Business Associates Contract

Your covered entity can't pick a business associate and immediately start sharing PHI health data with them. Per HIPAA rules, your covered entity must sign a business associate contract or agreement. Furthermore, you must ensure that the agreement protects your customer's PHI adequately.

Ensure that the contract you sign contains written safeguards to protect individually identifiable health information. The contract should clearly state when and how the business associate can use or disclose PHI health data.

How Do Business Associates Use PHI-Protected Health Information?

Business associates use PHI health data to perform functions or activities that your healthcare organization cannot. Healthcare organizations like hospitals cannot handle tasks like bulk printing and mailing patient statements, lab reports, etc.

In such cases, covered entities outsource the service to a HIPAA-compliant Business Associate like PostGrid. HIPAA-compliant business associates like PostGrid enable your healthcare organization to streamline its internal operations without risking a costly HIPAA penalty.

It means systems like PostGrid obtain PHI health data from a covered entity such as hospitals or insurance providers. The business associate then uses the PHI data to perform a task.

A HIPAA-compliant business associate accesses, stores, and handles PHI data per HIPAA guidelines. In other words, the HIPAA-compliant business associates have security measures in place to prevent the leaking of PHI health data.

How To Use Business Associates To Streamline Your Company's Operations

Above we saw how PostGrid, as a business associate, helps companies streamline the postal mail communication of covered entities. PostGrid uses a fully automated HIPAA direct mail system for printing and delivering documents like patient collection letters, lab reports, etc.

Similarly, several other business associates and the covered entities can safely handle Protected Health Information PHI. Below are some of the other business associate services that a covered entity can employ.

  • Data storage or document storage services
  • Data transmission services
  • Communication services
  • Portals/interfaces for sharing patient details via ePHI

You can use any number of business associates to help you optimize the operations of your business organization. However, there is a risk in sharing PHI health data with one too many service providers. Hence, you must always ensure that HIPAA-compliant business associates render the services you employ.

What are Subcontractors?

Sometimes business associates may delegate their responsibilities or covered functions to someone else. It usually happens when the project requirement is too big for the business associate to handle by itself. The entities to whom business associates delegate their covered functions are called subcontractors.

Are Business Associates Subject To HIPAA Regulations?

Any business associate to which your covered entity provides its PHI Protected Health Information must comply with HIPAA regulations. As soon as a vendor or service provider accepts PHI data from a covered entity, they come under the definition of a business associate.

But, as the covered entity, it is your responsibility to ensure that the business associate is HIPAA compliant. There is a reason why covered entities got the name “covered” entities. The hefty fines and strict rules are primarily for covered entities.

Hence, it is crucial that your business associate securely handles the PHI health data you provide. At PostGrid, we make it a point to explain to our clients the security measures we put in place to protect PHI. Furthermore, we offer specialized direct mail services for healthcare and insurance companies.


What Are The Consequences Of PHI Health Data Leaks?

Sure, the breach of PHI health data can have consequences for the patients. But you would be wrong to think the patients are the only ones who suffer from PHI leaks. Because here, the consequences for your healthcare organization are far more devastating if a PHI leak happens.

Tiers of HIPAA Violations

The breach of PHI data is effectively a HIPAA violation. First, let's take a look at the legal consequences your organization would have to face in case of a PHI breach. HIPAA violations generally come in 4 Tiers.

Tier 1: Lack of Knowledge

The Tier 1 HIPAA violation is when your organization is unaware of the PHI health data leak and cannot avoid it. Even in this case, HIPAA compliance is a must. In other words, you need to have the necessary security measures in place to comply with HIPAA regulations.

Tier 2: Reasonable Cause

Tier 2 HIPAA violations are when your healthcare organization is likely aware of the PHI leak but has no way of avoiding it despite your security measures. Such HIPAA violations fall right below willful neglect of HIPAA regulations.

Tier 3: Willful Neglect

Your organization is in tier 3 violation if the PHI health data leak directly results from “willful neglect” of HIPAA rules. However, the PHI leak becomes a Tier 3 violation only if your organization makes an effort to correct the violation.

Tier 4: Willful Neglect (Not Corrected Within 30 Days)

If your organization compromises the PHI data due to willful negligence and does not attempt to correct it, it becomes a Tier 4 violation. It is the most severe form of HIPAA violation, and it comes with a hefty fine.

HIPAA Violation Penalty Structure

Now that you know the different tiers of HIPAA violations let's look at the penalty for PHI health data leaks. Up to Tier 3, the HIPAA violation penalty can lead to a whopping $50,000. However, covered entities need to pay a fine per violation, and the HIPAA penalty structure looks like this:

HIPAA Violation Tier    Minimum Fine Per Violation
Tier 1                  $100
Tier 2                  $1,000
Tier 3                  $10,000
Tier 4                  $50,000

Imagine paying a $50,000 penalty for each PHI health data leak. Now, you can understand why we insist on ensuring the safety and security of the PHI data your organization handles.

Criminal Penalties For PHI Health Data Leaks

The criminal penalties for PHI data leaks also come in tiers. However, the criminal tiers do not line up with the tiers of the cash penalty.

The Tier 1 criminal penalty for PHI Protected Health Information leaks is up to 1 year in jail. Tier 1 criminal penalties only apply if there is a reasonable cause or if the entity was unaware of the violation.

Tier 2 criminal penalties apply to any individual or organization that obtains PHI under false pretenses. It can lead to a criminal sentence of up to 5 years in jail. Suppose an entity obtains PHI for personal gain or with malicious intent. In that case, it becomes a Tier 3 criminal penalty, which comes with up to ten years of jail time.

Loss of Consumer Trust

The consequences of not protecting your sensitive Protected Health Information are not just limited to legal ones. In a data breach, the law requires you to notify the authorities and the patient.

And if the PHI leak is too big, you are also required to inform the press about the incident. The last thing you need is a media circus where your organization's name gets dragged through the mud. You can't hide a PHI health data leak without risking severe consequences.

Furthermore, a PHI leak or HIPAA violation can significantly affect consumer trust in your brand. In industry verticals like healthcare, losing consumer trust could have a devastating effect on your business organization.

Medical Identity Theft

One of the main reasons hackers and cyber criminals target PHI health data is medical identity theft. Hackers and cybercriminals use PHI data to steal the patient's identity to obtain funds from creditors. The worst thing about such fraud is that it is already too late when a patient or covered entity detects identity theft.

What usually happens is that the patient receives a collection letter from creditors. Only then does the patient learn about the medical identity theft. Such issues can land your covered entity in trouble if the data breach occurred on your end or at one of your business associates. Exploring data breach examples highlights the urgent necessity for enhanced security measures to safeguard against similar vulnerabilities.

What Are Some Examples Of Protected Health Information?

As we discussed, Protected Health Information PHI includes any health information that can reveal an individual's identity. It can contain information such as:

  • Demographic Information
  • Medical History
  • Laboratory/Test Results
  • Mental Health Conditions
  • Insurance Information

According to the Code of Federal Regulations, HIPAA protection applies to virtually all health records. But, we know that you need more information than that to understand PHI clearly. So, let's look at what kind of information Protected Health Information includes and find out the information your organization needs to protect.

Individually Identifiable Health Information

When dealing with PHI health data, you may come across the term individually identifiable information. As the name suggests, individually identifiable information is any information that someone can use to establish an individual's identity.

There are several identifiers that a person or organization can use to identify, locate, or contact an individual. A piece of information becomes identifiable when the health information is put together with an identifier.

In other words, PHI health data is no longer protected data if you remove these identifiers from it. Here is a list of identifiers you can find in health records.

  • Name
  • Address
  • Dates such as birthday, admission date, etc. (excluding years)
  • Phone number
  • Email address
  • Social Security number
  • Certificate or license number
  • Full-face photographs
  • Fax number
  • Account number
  • Medical record number
  • Vehicle identifiers such as license plate number
  • Health plan beneficiary number
  • Device identifiers
  • Website URL
  • IP address
  • Biometric IDs such as fingerprints
  • Any unique identifying number/code
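The identifier list above is, in practice, a checklist that a de-identification step must enforce before a record leaves the protected boundary. As an added example (not code from the original post or from PostGrid), the Python below strips the direct-identifier fields, reduces dates to the year, scans free-text notes for identifier-shaped values that slipped in (SSN, phone, email, IPv4), and then runs a residual check that a practitioner would wire into a pre-release gate. The field names, regular expressions and the sample record are assumptions constructed for the example; a real schema would map its own columns onto the same list.

```python
"""Added example: Safe Harbor-style identifier stripping driven by the list above.
Field names, patterns and the sample record are assumptions, not a real schema."""
from __future__ import annotations

import re
from typing import Any

# Assumed column names that hold direct identifiers from the list above.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "phone", "email", "ssn", "license_number",
    "photo", "fax", "account_number", "mrn", "vehicle_plate",
    "beneficiary_id", "device_id", "url", "ip_address", "biometric_id",
}

# Dates other than the year must go; these fields are reduced to YYYY.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}

# Identifier-shaped values that tend to hide inside free text (assumed patterns).
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def year_only(value: str) -> str:
    """Reduce an ISO date string (YYYY-MM-DD) to its year."""
    return value[:4]


def scrub_free_text(text: str) -> tuple[str, list[str]]:
    """Replace identifier-shaped substrings with a tag; return the labels hit."""
    hits: list[str] = []
    for label, pattern in FREE_TEXT_PATTERNS.items():
        if pattern.search(text):
            hits.append(label)
            text = pattern.sub(f"[{label.upper()} REMOVED]", text)
    return text, hits


def deidentify(record: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Return a de-identified copy of the record and the identifiers removed from it."""
    out: dict[str, Any] = {}
    removed: list[str] = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            removed.append(key)  # drop the whole field
            continue
        if key in DATE_FIELDS and isinstance(value, str):
            out[key + "_year"] = year_only(value)  # keep only the year
            removed.append(key)
            continue
        if isinstance(value, str):
            cleaned, hits = scrub_free_text(value)
            removed.extend(f"{key}:{h}" for h in hits)
            out[key] = cleaned
        else:
            out[key] = value  # non-string values (numbers, nested results) pass through
    return out, removed


def residual_identifiers(record: dict[str, Any]) -> list[str]:
    """Release gate: list identifier fields or patterns still present in a record."""
    found = [k for k in record if k in DIRECT_IDENTIFIER_FIELDS or k in DATE_FIELDS]
    for key, value in record.items():
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    found.append(f"{key}:{label}")
    return found


# Constructed sample record with fictional values.
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Example",
    "mrn": "MRN-000123",
    "birth_date": "1984-07-09",
    "admission_date": "2024-02-01",
    "diagnosis": "Type 2 diabetes",
    "lab_results": {"hba1c": 7.8},
    "notes": "Patient reachable at 555-010-2222 or jane@example.test; SSN 123-45-6789 on file.",
    "ip_address": "192.0.2.10",
}

if __name__ == "__main__":
    clean, removed = deidentify(SAMPLE_RECORD)
    print(clean)
    print("removed:", removed)
    print("residual after de-identification:", residual_identifiers(clean))
```

The residual check is deliberately separate from the scrubber so that it can be run on any outbound record, whether or not it went through this code path; on the constructed record it reports nine findings before de-identification and none after.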

Permitted Uses and Disclosures Of PHI Health Data

There is no question about how crucial PHI health data is for covered entities. And we already saw the consequences you could face if you slack off on HIPAA compliance. But even the most protected data in the world has situations or requirements where the use and disclosure of that data are permissible.

PHI Protected Health Information is no different. There are certain situations when your covered entity can use PHI data. You can use PHI information for the following conditions or purposes.

  • Disclosure To The Patient Or Individual
  • Treatment, Payment, And Healthcare Operations
  • Cases Where The Patient Can Agree Or Object To PHI Sharing
  • Incidental Use And Disclosure
  • Public Interest And Benefit Activities
  • Limited Data Set

Disclosure To The Patient or Individual

A covered entity such as a hospital can directly reveal an individual's PHI health data. There is no problem in sharing the PHI information with the person who is the subject of the said information.

Treatment, Payment, and Healthcare Operations

Your covered entity can use and disclose PHI data for activities concerning treatment, payment, and healthcare operations. It means a covered entity can disclose PHI data for the treatment, payment, and healthcare operations of any healthcare provider.

The sharing of PHI data with a healthcare provider may be for quality/competency assurance activities or fraud and abuse detection. For example, when a patient transfers from one healthcare provider to another, the PHI health data is shared with the new provider.

Cases Where The Patient Can Agree or Object To PHI Sharing

The covered entity may seek informal permission from the patient to use or disclose the PHI data in certain situations. However, the patient must be given the chance to agree or object to the request.

Such PHI health data disclosures also come up when the subject is incapacitated or in some emergencies. In those cases, the use and disclosure of PHI data is a matter of professional judgment and is carried out in the individual's best interest.

Usually, there are two goals for such use and disclosure of PHI data, and they are:

  • For Facility Directories: The covered entity uses the patient's informal permission to list their details or PHI in the facility directory
  • For Notification and Other Purposes: The covered entity uses the patient's informal permission to disclose PHI health data to the patient's family, relatives, or friends

Incidental Use and Disclosure

Although it may sound unlikely, the incidental use and disclosure of PHI data are permissible. However, there are some prerequisites for this. First of all, the covered entity must have reasonable safeguards to protect the PHI data. Secondly, the information you share should be the “minimum necessary” information required by HIPAA privacy rules.

Public Interest and Benefit Activities

It is permissible to use sensitive Protected Health Information without an individual's authorization in the public interest. There are 12 national priority purposes for which you can disclose the PHI data without permission. Following is a list of situations that warrant the use or disclosure of PHI health data without the individual's authorization.

  • When required by law
  • Public health activities
  • For victims of abuse, neglect, or domestic violence
  • Health oversight activities
  • Administrative and judicial proceedings
  • Law enforcement activities
  • Decedents
  • Cadaveric Organ, Eye, or Tissue Donation
  • Research purposes
  • Essential governmental functions
  • Threat to the health and safety of the public
  • Workers' compensation

Limited Data Set

The limited data set is where a covered entity can use the PHI Protected Health Information after removing specific direct identifiers from it. Research, healthcare operations, and public health purposes often require limited data sets.


Healthcare organizations, insurance providers, and other organizations that work closely with the healthcare industry often deal with PHI. The PHI Protected Health Information is perhaps one of the most protected types of information in the US.

Neglecting HIPAA protection surrounding PHI data could land you in some big trouble. Hence, all covered entities must make it a point to ensure HIPAA compliance for their business operations. It is crucial to ensure HIPAA compliance when choosing a business associate for your organization.

Tools like PostGrid offer your business safe and secure use of PHI health data while offering advanced direct mail automation capability. PostGrid enables covered entities like hospitals and insurance providers to streamline their communication.

As a result, sending vital documents like patient billing statements, collection letters, lab reports, etc., becomes more secure with PostGrid. Hence, any covered entity must use HIPAA-compliant business associates to outsource their vital business operations.
