HIPAA & Privacy

PHI (Protected Health Information)

Protected Health Information

Individually identifiable health information held or transmitted by a covered entity or its business associate, in any form.

1 min read · Last reviewed May 23, 2026

At a glance

Category
HIPAA & Privacy
Acronym for
Protected Health Information
Primary sources
3
Workspace handoff
compliance binder

Where this comes up

Privacy officers and practice managers handle this — patient rights requests, accounting of disclosures, BAA reviews with new vendors, breach risk assessments after an incident, and OCR responses when a complaint lands. The 60-day breach-notification clock starts at discovery, not at investigation close.

Full definition

What it is in practice

Protected Health Information is any health information that can be linked to a specific person — names, dates of service, payment records, lab results, demographics — when held by a covered entity (most clinics, hospitals, and health plans) or a business associate working on its behalf. The 18 HIPAA identifiers listed at 45 CFR 164.514(b)(2) are the standard reference for what makes information identifiable.

How it shows up in your practice

Every patient chart entry, billing record, appointment list, and email mentioning a patient is PHI. The same data becomes de-identified (and falls outside HIPAA) only after the safe-harbor or expert-determination process at 45 CFR 164.514. In day-to-day operations, treat anything that names a patient — even internally — as PHI and apply the Privacy and Security Rules.

Sources

Take it into the workspace

Map where your PHI lives in the Compliance Binder data inventory

Open compliance binder
Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.