In 2023, a dental practice in New England paid $50,000 to settle an OCR investigation after a workforce member posted a patient's before-and-after photos on social media — without realizing those images qualified as HIPAA protected information. The practice had no social media policy, no documentation that staff understood what constitutes protected health information (PHI), and no meaningful training program. It's a scenario I encounter repeatedly in my work with covered entities of every size.
What Exactly Is HIPAA Protected Health Information?
Under the Privacy Rule at 45 CFR §160.103, protected health information is any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or its business associate. This includes information in any form — electronic, paper, or oral.
For data to be HIPAA protected, it must meet two conditions simultaneously. First, it must relate to a person's past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare. Second, it must contain one or more of the 18 identifiers that can link the information to a specific individual.
Those 18 identifiers include names, dates (except year), phone numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, biometric identifiers, full-face photographs, and several others. If health data includes even one of these identifiers, your organization must treat it as PHI.
Common Misconceptions That Lead to HIPAA Violations
Healthcare organizations consistently struggle with the boundaries of what's HIPAA protected and what isn't. Here are the misconceptions I see most often.
"It's not PHI if it's on paper." Wrong. The Privacy Rule covers all forms of PHI. A sticky note with a patient name and diagnosis on a nurse's desk is HIPAA protected just as much as a record in your EHR system.
"De-identified data is still PHI." Actually, once data is properly de-identified under the Safe Harbor method (all 18 identifiers removed) or the Expert Determination method outlined in 45 CFR §164.514, it is no longer HIPAA protected and falls outside the Privacy Rule's scope. But partial de-identification doesn't count — every identifier must be addressed.
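The two-part PHI test above and the Safe Harbor rule from this paragraph can be expressed as a small checker. The code below is an added example, not part of the original article: the record layout, the field names standing in for the 18 identifier categories, the health-content fields, and the sample record are all assumptions constructed for illustration. It applies the "health content AND an identifier" test, generalizes dates to year and ZIP codes to three digits as Safe Harbor allows, aggregates ages over 89 into "90+" (dropping a birth year that would reveal such an age), and shows that removing only some identifiers leaves the record as PHI.

```python
from datetime import date

# Field names this example assumes for the Safe Harbor identifier categories
# (45 CFR 164.514(b)(2)) that must be removed outright. Names are assumptions.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_beneficiary_number", "account_number",
    "certificate_license_number", "vehicle_identifier", "device_identifier",
    "url", "ip_address", "biometric_identifier", "full_face_photo",
    "other_unique_identifier",
}
# Date fields: Safe Harbor permits the year alone, so these are generalized.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "date_of_death"}
# Fields that make a record "health information" (first condition). Assumed names.
HEALTH_FIELDS = {"diagnosis", "procedure", "treatment_note", "prescription", "claim_amount"}


def _to_date(value) -> date:
    """Accept a date object or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(str(value))


def relates_to_health(record: dict) -> bool:
    return any(record.get(k) not in (None, "") for k in HEALTH_FIELDS)


def identifying_fields(record: dict) -> set:
    """Fields in the record that count as Safe Harbor identifiers."""
    found = set()
    for key, value in record.items():
        if value in (None, ""):
            continue
        if key in DIRECT_IDENTIFIERS or key in DATE_FIELDS:
            found.add(key)
        elif key == "zip":          # full ZIP: geographic unit smaller than a state
            found.add(key)
        elif key == "age" and isinstance(value, int) and value > 89:
            found.add(key)          # ages over 89 are themselves identifiers
    return found


def is_phi(record: dict) -> bool:
    """Privacy Rule test: health content AND at least one identifier."""
    return relates_to_health(record) and bool(identifying_fields(record))


def safe_harbor(record: dict, as_of: date, low_population_zip3=frozenset()) -> dict:
    """Apply the Safe Harbor method. low_population_zip3 is the set of 3-digit
    ZIP prefixes covering 20,000 or fewer people (sourced from census data in
    practice; empty here), which Safe Harbor requires changed to '000'."""
    age = record.get("age")
    dob = record.get("date_of_birth")
    if age is None and dob not in (None, ""):
        d = _to_date(dob)
        age = as_of.year - d.year - ((as_of.month, as_of.day) < (d.month, d.day))
    over_89 = isinstance(age, int) and age > 89

    out = {}
    for key, value in record.items():
        if value in (None, "") or key in DIRECT_IDENTIFIERS:
            continue
        if key in DATE_FIELDS:
            if key == "date_of_birth" and over_89:
                continue            # even the birth year would reveal age > 89
            out[key.replace("date", "year")] = _to_date(value).year
        elif key == "zip":
            prefix = str(value)[:3]
            out["zip3"] = "000" if prefix in low_population_zip3 else prefix
        elif key == "age":
            out["age"] = "90+" if over_89 else value
        else:
            out[key] = value
    if over_89:
        out["age"] = "90+"          # single aggregated category required by Safe Harbor
    return out


# Constructed sample record (not real patient data).
SAMPLE = {
    "name": "Jane Doe",
    "medical_record_number": "MRN-0001",
    "date_of_birth": "1931-04-12",
    "admission_date": "2024-03-05",
    "zip": "02134",
    "diagnosis": "J45.909",
}

if __name__ == "__main__":
    print("PHI before:", is_phi(SAMPLE))
    deid = safe_harbor(SAMPLE, as_of=date(2024, 6, 1))
    print("De-identified:", deid, "PHI after:", is_phi(deid))
```

The partial case the paragraph warns about falls out of `identifying_fields`: stripping only the name still leaves the medical record number, the dates and the ZIP, so `is_phi` stays true until every identifier is addressed.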
"Verbal conversations aren't covered." Oral communications about a patient's health information are absolutely PHI. If a workforce member discusses a patient's condition in a public elevator, that's a potential HIPAA violation. The minimum necessary standard under 45 CFR §164.502(b) applies to disclosures in every format.
The HIPAA Protected Data Your Workforce Overlooks
Most staff understand that a medical chart is PHI. Fewer realize that the following also qualify as HIPAA protected information:
- Appointment scheduling systems that link patient names to provider specialties
- Billing records that include diagnosis codes alongside patient identifiers
- Voicemails from patients describing symptoms or requesting prescription refills
- Text messages between clinicians that reference a patient by name
- Photographs taken during treatment — even if stored on a personal device
- IP addresses in patient portal logs when combined with health data
Every one of these data points has been the subject of OCR enforcement actions. If your team can't identify these as PHI, your organization has a training gap that puts you at risk.
How Covered Entities Must Safeguard HIPAA Protected Information
The Security Rule (45 CFR Part 164, Subpart C) requires covered entities and business associates to implement administrative, physical, and technical safeguards for electronic PHI. The Privacy Rule extends protections to PHI in all forms. Here's what compliance actually looks like in practice.
Conduct a Thorough Risk Analysis
OCR has cited the absence of a comprehensive risk analysis as a deficiency in the majority of its enforcement settlements. Under 45 CFR §164.308(a)(1), your organization must identify every location where HIPAA protected data is created, received, stored, or transmitted — then evaluate threats and vulnerabilities at each point.
Implement the Minimum Necessary Standard
Your workforce should access only the PHI they need to perform their job functions. This isn't a suggestion — it's a requirement under 45 CFR §164.502(b). Role-based access controls in your EHR, policies governing verbal disclosures, and routine access audits all support compliance with this standard.
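One way to enforce the minimum necessary standard in application code is a gateway that returns only the fields a role needs and records every access so the routine audits mentioned above have something to review. This is an added illustration, not the article's or any vendor's code: the roles, the field policy, the sample record and the audit threshold are assumptions chosen for the example.

```python
from collections import defaultdict

# Assumed role-to-field policy: each role sees only what its job function needs.
ROLE_FIELDS = {
    "scheduler": {"patient_id", "name", "phone", "appointment_time", "provider"},
    "biller": {"patient_id", "name", "diagnosis_codes", "claim_amount", "insurance_id"},
    "clinician": {"patient_id", "name", "appointment_time", "provider",
                  "diagnosis_codes", "treatment_notes", "prescriptions"},
}


class PhiGateway:
    """Filters records to a role's permitted fields and keeps an audit trail."""

    def __init__(self, policy: dict):
        self.policy = policy
        self.audit = []         # one entry per access, for periodic review

    def view(self, record: dict, role: str, user: str, purpose: str) -> dict:
        allowed = self.policy.get(role)
        if allowed is None:
            raise PermissionError(f"no PHI policy for role {role!r}")
        view = {k: v for k, v in record.items() if k in allowed}
        self.audit.append({
            "user": user,
            "role": role,
            "patient_id": record.get("patient_id"),
            "purpose": purpose,
            "fields_returned": sorted(view),
            "fields_withheld": sorted(set(record) - allowed),
        })
        return view

    def users_over_threshold(self, max_distinct_patients: int) -> list:
        """Routine access audit: users who touched more distinct patients than
        the threshold, a common starting point for reviewing unusual volume."""
        seen = defaultdict(set)
        for entry in self.audit:
            seen[entry["user"]].add(entry["patient_id"])
        return sorted(u for u, ids in seen.items() if len(ids) > max_distinct_patients)


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "patient_id": "P-001",
    "name": "Jane Doe",
    "phone": "555-0100",
    "appointment_time": "2024-03-05T09:00",
    "provider": "Dr. Example",
    "diagnosis_codes": ["J45.909"],
    "treatment_notes": "Asthma follow-up, stable.",
    "claim_amount": 120.0,
    "insurance_id": "INS-0001",
    "prescriptions": ["albuterol"],
}

if __name__ == "__main__":
    gw = PhiGateway(ROLE_FIELDS)
    print(gw.view(SAMPLE_RECORD, "scheduler", "alice", "booking follow-up"))
    print(gw.audit[-1]["fields_withheld"])
```

The withheld-field list in each audit entry is what makes the policy reviewable: if a role routinely needs a field it keeps being denied, that is a signal to revisit the policy rather than to grant broad access.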
Maintain a Current Notice of Privacy Practices
Your Notice of Privacy Practices must accurately describe how your organization uses and discloses HIPAA protected information. Under 45 CFR §164.520, you must provide this notice to patients and make it available on your website. An outdated or vague notice signals broader compliance deficiencies.
Train Every Workforce Member — Not Just Clinicians
The Privacy Rule at 45 CFR §164.530(b) requires training for every member of your workforce, including front desk staff, IT personnel, volunteers, and contractors who access PHI. Annual refresher training isn't explicitly mandated, but OCR expects it, and the Omnibus Rule of 2013 reinforced that business associates carry the same obligations.
If your organization lacks a structured program, HIPAA training and certification courses can close the gap quickly and provide documentation that proves compliance during an audit or investigation.
What Happens When HIPAA Protected Data Is Breached
The Breach Notification Rule at 45 CFR §§164.400-414 requires covered entities to notify affected individuals, HHS, and in some cases the media when unsecured PHI is compromised. Breach notification must occur within 60 days of discovery. Penalties range from $100 to $50,000 per violation, with an annual maximum of approximately $2.1 million per violation category under the updated penalty tiers.
In 2024 alone, OCR's breach portal listed over 700 reported breaches affecting 500 or more individuals. The vast majority involved electronic HIPAA protected information — reinforcing that digital safeguards remain the most urgent priority for most covered entities.
Build a Culture Where HIPAA Protected Information Stays Protected
Compliance is not a one-time project. It requires ongoing risk analysis, workforce training, policy updates, and leadership commitment. Organizations that treat HIPAA as a living program — rather than a binder on a shelf — consistently fare better when OCR comes knocking.
Start by evaluating whether every person in your workforce can accurately identify what qualifies as PHI. If there's any doubt, invest in a comprehensive HIPAA compliance program that covers the Privacy Rule, Security Rule, and Breach Notification Rule in practical terms your team can actually apply.
The dental practice I mentioned at the top didn't set out to violate HIPAA. They simply never taught their staff what HIPAA protected information actually includes. That's a fixable problem — but only if you fix it before OCR does it for you.