What is PHI and Why Is It Protected Under HIPAA?

Do you know what PHI is and why its protection is so important?

You may be familiar with the term “PHI,” but do you know what it stands for and why it’s the hub of HIPAA compliance?

PHI is simply “protected health information,” therefore requires diligence under HIPAA’s Privacy Rule.  The Privacy Rule protects a subset of individually identifiable health information, which we know as PHI, that is held or maintained by covered entities or their business associates acting for the covered entity.

Some examples of PHI include:

  • Billing information from your doctor
  • Email to your doctor’s office about a medication or prescription you need
  • Appointment scheduling note with your doctor’s office
  • An MRI scan
  • Blood test results
  • Phone records

PHI should not be confused with consumer health information, which is exclusive to devices like fitness trackers or health data trackers, but are not transmitted between doctor and patient.  A wearable device or application that collects health information, but does not plan on sharing it with a covered entity at any point in time does not need to be HIPAA compliant.  The exception to this rule is any device that tracks blood sugar or sleep patterns and is accessed by an app to share with a doctor.  This is covered under HIPAA.

Covered entities that collect PHI must adhere to HIPAA rules.

Examples of covered entities include:

  • Doctor offices, dental offices, clinics, psychologists
  • Nursing home, pharmacy, hospital or home healthcare agency
  • Health plans, insurance companies, HMOs
  • Government programs that pay for healthcare
  • Health clearinghouses

HIPAA’s privacy rule does not include medical record retention requirements, choosing instead to defer to state laws to generally govern how long medical records are to be retained.  However, the rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other PHI for whatever period that such information is maintained by a covered entity, including through disposal.

Secure paper shredding and hard drive destruction under the confines of HIPAA is the best and most effective way to destroy PHI when it is no longer relevant.  More than 40 Federal laws mandate that all business, healthcare, and financial institutions protect the confidential information of their clientele.

How do you protect your patients’ PHI?

Related Articles:


Service Areas: Florida Shredding; Orlando Shredding; Tampa Shredding; Naples Shredding; New York Shredding; Westchester Shredding; Long Island Shredding and more!