PHI (Protected Health Information)
Protected Health Information
Individually identifiable health information held or transmitted by a covered entity or its business associate, in any form.
1 min read · Last reviewed May 23, 2026
At a glance
- Category
- HIPAA & Privacy
- Acronym for
- Protected Health Information
- Primary sources
- 3
- Workspace handoff
- compliance binder →
Where this comes up
Privacy officers and practice managers handle this — patient rights requests, accounting of disclosures, BAA reviews with new vendors, breach risk assessments after an incident, and OCR responses when a complaint lands. The 60-day breach-notification clock starts at discovery, not at investigation close.
Full definition
What it is in practice
Protected Health Information is any health information that can be linked to a specific person — names, dates of service, payment records, lab results, demographics — when held by a covered entity (most clinics, hospitals, and health plans) or a business associate working on its behalf. The 18 HIPAA identifiers listed at 45 CFR 164.514(b)(2) are the standard reference for what makes information identifiable.
How it shows up in your practice
Every patient chart entry, billing record, appointment list, and email mentioning a patient is PHI. The same data becomes de-identified (and falls outside HIPAA) only after the safe-harbor or expert-determination process at 45 CFR 164.514. In day-to-day operations, treat anything that names a patient — even internally — as PHI and apply the Privacy and Security Rules.
Sources
- 45 CFR 160.103 — Definitionshttps://www.ecfr.gov/current/title-45/section-160.103
- 45 CFR 164.502 — Uses and disclosures of PHIhttps://www.ecfr.gov/current/title-45/section-164.502
- HHS — HIPAA Privacy Rulehttps://www.hhs.gov/hipaa/for-professionals/privacy/index.html
Map where your PHI lives in the Compliance Binder data inventory
Open compliance binder →Related terms
- HIPAA & PrivacyePHI (Electronic Protected Health Information)PHI that is created, received, maintained, or transmitted in electronic form.
- HIPAA & PrivacyHIPAA Privacy RuleThe federal regulation at 45 CFR Part 164 Subpart E that governs the use and disclosure of PHI.
- HIPAA & PrivacyMinimum Necessary RuleThe HIPAA standard requiring covered entities to limit PHI uses, disclosures, and requests to the minimum necessary to accomplish the intended purpose.
- HIPAA & PrivacyCovered EntityA health plan, health care clearinghouse, or health care provider that transmits health information in electronic form in connection with a HIPAA transaction.
- HIPAA & PrivacyBusiness AssociateA person or entity that performs functions or activities on behalf of, or provides services to, a covered entity that involve the use or disclosure of PHI.
- HIPAA & PrivacyDe-identificationThe process of removing identifiers from PHI such that the resulting information is not individually identifiable health information.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- GlossaryePHI (Electronic Protected Health Information)PHI that is created, received, maintained, or transmitted in electronic form.
- GlossaryBusiness AssociateA person or entity that performs functions or activities on behalf of, or provides services to, a covered entity that involve the use or disclosure of PHI.
- GlossaryCovered EntityA health plan, health care clearinghouse, or health care provider that transmits health information in electronic form in connection with a HIPAA transaction.
- GlossaryDe-identificationThe process of removing identifiers from PHI such that the resulting information is not individually identifiable health information.
- GlossaryHIPAA Privacy RuleThe federal regulation at 45 CFR Part 164 Subpart E that governs the use and disclosure of PHI.
- RegulationHIPAA Accounting of Disclosures (45 CFR 164.528)Individuals may request an accounting of disclosures of their PHI made by a covered entity in the prior six years, with a defined list of exclusions.
- BillingBusiness Associate Agreement Checklist for Small PracticesA working checklist for small practices to identify which vendors need a Business Associate Agreement, what clauses the BAA must contain, and how to track them.
- SRAHIPAA Patient Right of Access: A Small-Practice WalkthroughHow 45 CFR 164.524 governs patient access to their records, the 30-day rule and 30-day extension, the limited fees a practice may charge, and the OCR Right of Access Initiative.
This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.