Protected Health Information: What You Need To Know

Protected Health Information, often referred to as PHI, is any personal information contained in a patient’s medical record and obtained during the course of medical treatment that, if disclosed, could reveal the identity of the patient. For many years healthcare providers and insurance companies freely exchanged and disclosed PHI. Unfortunately, this exchange of information often resulted in people losing or being denied health insurance due to newly onset or pre-existing conditions. However, that all changed in 1996 when Congress enacted the Health Insurance Portability and Accountability Act (HIPAA); and what originally started as a way to hold insurance companies accountable has morphed and expanded into so much more over the last couple of decades.

Today, the robustness of information protected under HIPAA as well as the consequences for disclosure often leave many healthcare providers and small businesses that operate in the wellness space overwhelmed and confused.

Part of this confusion stems from the fact that while it is widely known that PHI is regulated on a federal level, there are several states, such as California and Colorado that have additional health information requirements. In some cases, these requirements are more stringent than federal requirements. For that reason, it is important to have a solid understanding of what PHI is and your obligations to protect it.

What is Protected as PHI?

To ease compliance, a list of 18 identifiers commonly found in medical records has been developed; it is provided below:

  • Social security number
  • Device identifiers and serial numbers
  • Address (any geographic subdivision smaller than a state, including street, county, zip code)
  • Medical record number
  • All dates (birthdate, treatment dates, exact age)
  • Health plan beneficiary number
  • Internet Protocol (IP) address
  • Telephone numbers
  • Account number
  • Finger or voice print
  • Fax numbers
  • Certificate or license number
  • Photographic image (not limited to the face; could be unique tattoos or scars)
  • Email address
  • Vehicle identification number, serial numbers or license plates
  • Any other characteristic that could uniquely identify the individual

While this list is of frequently seen information, please note, it should not be considered all inclusive. More obviously, health information such as test results, medication lists, and diagnoses should also be treated with the utmost care.

Once you’ve concluded that your practice or business handles PHI it’s important that you take the proper precautions to prevent HIPAA violations and data breaches.

How you do this will largely depend on if you manage PHI as a Covered Entity or Business Associate.

Covered Entity vs. Business Associate

A Covered Entity, in the clearest sense, is a healthcare provider or insurance company that collects and transmits any health information in connection with the care and treatment of patients. This would include private and public practices, hospice and home health centers as well as all health plans.

As a Covered Entity you would need to abide by the following preventative guidelines:

  • All Covered Entities are required to have, and provide notice to patients of, written policies and procedures in place to ensure the highest level of patient privacy and security as well as properly defined methods for mitigating and/or resolving a breach.
  • Covered Entities must have a designated Privacy Officer, and staff must be trained on the proper way to disclose and transmit PHI for health purposes, whether verbally, in writing, or electronically.
  • Any such PHI disclosures must be limited to the minimum necessary to accomplish patient health needs and be authorized in writing by the patient, unless:
    • The information is being disclosed to other providers or administrators for the purpose of treatment, payment or standard healthcare practice, OR
    • The individual is given the opportunity to agree or object to the disclosure in person (for example, a wife who says it’s ok that her husband remain in the room during an appointment).
  • Encryption and decryption capability for backing up, storing, and transmitting PHI, as well as complete destruction procedures for PHI, should be incorporated into regular entity practices.

Two methods for analyzing your business’s way of protecting health information are Expert Determination and Safe Harbor. Expert Determination utilizes an expert, or an outside consultant, hired to audit your compliance with HIPAA requirements. The Safe Harbor method uses in-house employees to redact and review compliance issues and standards within the entity.

A Business Associate is an affiliated business that provides a service to a Covered Entity and in doing so comes in direct contact and works with PHI. Examples of these businesses often include outsourced auditors, consultants, and IT services.

For all Business Associates, a Business Associates Agreement (BAA) must be executed between the business and the Covered Entity. The agreement should include, at a minimum, terms of use for PHI, the duration of the authorization, and instructions for storage or destruction of the information.

The agreement should also outline mitigation strategies to ensure that, if a breach occurs, appropriate steps are taken to limit the information compromised plus notification procedures. 

Business Associates should follow the same guideline as Covered Entities regarding written data protection policies and staff training.

As a Business Associate it is important to realize that Health & Human Services (HHS) has determined that Covered Entities are not responsible for a Business Associate’s HIPAA violation, as long as an appropriate BAA is in place. So, if you do not understand your liability and obligations and take ownership of your treatment of PHI, you run the risk of a breach, the consequences of which can be steep. For example, in 2016 Care New England, a company hired by a local hospital to provide tech support, was fined $400,000 for operating under an out-of-date BAA.

In 2019, Covered Entities and Business Associates paid over $12 million in fines to The Department of Health and Human Services’ Office for Civil Rights (OCR) for HIPAA violations. 

If you are unsure of the best way to handle these issues, companies like Text IQ who can provide automation and auto-redaction services are invaluable.

How Covered Entities and Business Associates Can Prevent Violations & Data Breaches

Small and mid-sized businesses are more likely to suffer breaches and are often targeted by hackers because they have few resources to protect themselves.

Here are some preventative measures to take in order to mitigate your risk of a breach:

  • Reduce the volume of data collected to only that which is necessary for business function, and minimize the locations where it is stored.
  • Physical records and HIPAA data retention files should be kept in locked locations with restricted access.
  • Redaction, whether automated or manual, should be used to adequately secure or destroy information when it is no longer in use.
  • Specialty software or auto-redaction companies can help permanently “wipe” computer drives or cleanse emails of patient data.
  • Restrict computer use to business purposes and do not permit unencrypted file sharing.
  • Block access to suspicious websites and instruct employees on proper spam email procedures.
  • Password protect all computers and require re-login after a period of inactivity.
  • Install firewall, anti-virus and anti-spyware software on all computers that may be connected to PHI access ports.
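
As an added example (not code from this article or from Text IQ), the following Python snippet shows what a first-pass automated redaction of the pattern-detectable identifiers from the list above looks like: SSNs, email addresses, IP addresses, phone numbers, dates, medical record numbers and ZIP codes are replaced with category tokens. The regex formats and the sample clinical note are constructed assumptions; free-text names, photos and biometrics are not pattern-detectable and need other techniques.

```python
import re

# Identifier categories from the HIPAA Safe Harbor list that have a recognisable
# textual shape. Formats are assumed US conventions, illustrative only.
PHI_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "PHONE": re.compile(r"\b(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "DATE": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "MRN": re.compile(r"\bMRN[:#\s]*\d{6,10}\b"),
    # ZIP runs last: any earlier 5-digit hit (e.g. inside an MRN) is already a token.
    "ZIP": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}


def redact_phi(text):
    """Replace each detected identifier with a [CATEGORY] token.

    Returns (redacted_text, counts) where counts maps category -> hits,
    which gives an auditor a record of what was removed from each document.
    Patterns are applied in dict order so a more specific pattern (SSN)
    consumes its digits before a looser one (ZIP) can see them.
    """
    counts = {}
    for category, pattern in PHI_PATTERNS.items():
        text, n = pattern.subn(f"[{category}]", text)
        if n:
            counts[category] = n
    return text, counts


# Constructed sample note; no real patient data.
SAMPLE_NOTE = (
    "Pt MRN: 00123456, DOB 03/14/1962, seen 2023-11-05. "
    "Contact 555-123-4567 or jane.doe@example.com, SSN 123-45-6789. "
    "Portal login from 192.168.10.25; home ZIP 90210. "
    "Dx: type 2 diabetes; A1c 7.9."
)

if __name__ == "__main__":
    redacted, counts = redact_phi(SAMPLE_NOTE)
    print(redacted)
    print(counts)
```

Clinical values such as the diagnosis and lab result survive untouched, which illustrates the article's point that search-term tools address the identifiers but a human or smarter tooling must still review the free text for anything else that could single out the patient.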

As technology in this field advances, the ability to instantly identify and redact sensitive or privileged information is necessary. Better yet, automating the measures provided above can do a lot for peace of mind and reduction in human error. 

What Your Data Breach Response Should Entail

Following a data breach, Covered Entities and Business Associates must provide notification to affected individuals, the Department of Health and Human Services, and in some cases the media. All notices must be provided without reasonable delay and in most cases no later than 60 days after becoming aware of a breach. HHS provides full guidelines for notice requirements.

Failure to follow proper notice procedures can be costly. Sentara Hospital was not only fined over $2.1 million for failure to notify, but was also required to provide regular monitoring reports to OCR for two years.

How Can Artificial Intelligence Help?

While HIPAA regulations can seem daunting, there have been many advances in technology that can aid in complying with HIPAA data retention and privacy regulations. Most notably, artificial intelligence (AI) can make the PHI redaction, or HIPAA redaction, process much more efficient than manual methods or the other automation tools on the market that rely on search terms.

In the unfortunate event that a HIPAA data breach does occur, AI can assist through data breach automation as well. An AI-powered data breach response provides the ability to comply with HIPAA regulations quickly and with precision and accuracy, while eliminating the majority of the manual effort.

For more information, please reach out to Text IQ