Protected Health Information (PHI)

What is PHI?

Protected Health Information (PHI) is any identifying material that relates to an individual’s past, present or future health. This can include medical history, diagnoses, lab results, medication lists, and more.

The General HIPAA Provisions (§160.103) define PHI as “individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.” One important distinction is that non-medical individually identifiable information (like a license plate number) can be considered PHI if it is kept in the same designated record set as identifying medical information.

While this information is vital to determining care, it is illegal to obtain or divulge by or to entities without the patient’s express permission. The HIPAA Privacy Rule is a set of federal standards explicitly prohibiting PHI use or disclosure by “covered entities” and “business associates” without the individual’s authorization.


While similar in nature, there is a distinction between Protected Health Information (PHI), Personally Identifiable Information (PII), and Individually Identifiable Health Information (IIHI).

  • PHI: Information that could identify someone in a medical context. PHI is always protected under HIPAA.
  • PII: Any information – medical or non-medical – that can be used to identify a person. This data can be sensitive or non-sensitive and is protected in some, but not all, cases.
  • IHII: Medical information that could be used to identify a person, although not necessarily sensitive. It is the medical equivalent of PII.

However, the more general IHII can become PHI if it is transmitted or stored in any way, physical or digital.

The HIPAA Privacy Rule Protects PHI

The HIPAA Privacy Rule was issued by the US Department of Health and Human Services (HHS) to carry out the requirements of the Health Insurance Portability and Accountability Act (HIPAA). It not only specifies the “covered entities” to which PHI protection regulations apply but also sets forth standards by which individuals can exercise their rights to authorize the control and use of their information.

The burden of the Privacy Rule is to balance both the necessary flow of health information (promoting public well-being and quality healthcare) with personal patient privacy. Cases in which PHI can be used without the patient’s consent include treatment and payment, research (in a limited dataset), when needed by law enforcement, or to lessen the risk of a serious threat to health or safety, among other reasons.

In all other cases not otherwise specified, the use and attainment of PHI is expressly prohibited without authorization by the data’s owner.

The HIPAA Security Rule Protects ePHI

PHI can consist of information communicated orally, in handwritten form, or electronically. By contrast, electronic Protected Health Information (ePHI) includes all PHI created, received, maintained, or transmitted electronically only.

Under the HIPAA Security Rule, all covered entities are required to:

  • Detect, prevent, and remediate all ePHI threats.
  • Ensure the confidentiality, integrity, and availability of all ePHI.
  • Certify compliance by their workforce.

PHI Cybersecurity

Threat actors value PHI in all its forms for its sensitive and highly protected nature. They can use the data to impersonate patients and perform acts of identity theft, steal prescriptions, or simply hold the information for ransom until the healthcare provider makes the difficult choice of paying out or facing compliance fines, reputational damage, and patient endangerment.

An effective cybersecurity strategy is required to secure PHI from malicious threat actors, patients from data abuse, and covered entities along the healthcare supply chain from the consequences of PHI loss.

For more essential cybersecurity definitions, check out our other blogs below:  

21 Essential Cybersecurity Terms You Should Know

40+ Cybersecurity Acronyms & Definitions

Return to Cybersecurity Glossary

Protected Health Information (PHI)
Scroll to top