In 2023, OCR settled with a dental practice for $350,000 after an investigation revealed the organization had no clear understanding of what data it was required to safeguard. Staff disclosed patient diagnoses to unauthorized third parties, not out of malice, but because no one had trained them on the boundaries. The root cause was a fundamental gap: the workforce didn't know that HIPAA protects a category of information called protected health information — or what that category actually encompasses.

What Category of Information Does HIPAA Protect?

At its core, HIPAA protects a category of information known as protected health information (PHI). PHI is defined under the Privacy Rule at 45 CFR §160.103 as individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate.

This isn't limited to medical records. PHI includes any information that relates to a patient's past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare — when that information can be linked to a specific individual.

Healthcare organizations consistently struggle with the breadth of this definition. A patient's name combined with an appointment date is PHI. A billing record with a diagnosis code and insurance ID is PHI. Even a voicemail confirming a prescription refill can qualify as PHI if it identifies the patient.

The 18 Identifiers That Make Health Information "Protected"

The Privacy Rule specifies 18 types of identifiers that, when attached to health information, make it protected. These include:

  • Names
  • Dates (except year) related to an individual — birth date, admission date, discharge date, date of death
  • Telephone and fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers
  • Device identifiers and serial numbers
  • Web URLs and IP addresses
  • Biometric identifiers (fingerprints, voiceprints)
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic, or code

If your organization strips all 18 identifiers following the Safe Harbor method under 45 CFR §164.514(b), the data is considered de-identified and no longer qualifies as PHI. But partial de-identification doesn't count — every identifier must be removed or the information remains protected.
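The Safe Harbor check described above, written out as an added example (not code from the article or from HIPAA Certify). It maps constructed field names onto the identifier categories, strips them, reduces dates to the year, and refuses to call a record de-identified while any identifier field remains; the field names and sample values are assumptions.

```python
# Field names are assumptions for this example; map your own schema onto them.
# Geographic units smaller than a state (address, ZIP) are also a Safe Harbor
# identifier under 45 CFR 164.514(b), so they are included here.
IDENTIFIER_FIELDS = {
    "name", "street_address", "zip",
    "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vin", "device_serial", "url", "ip_address",
    "fingerprint_template", "face_photo",
}
# Dates tied to the individual: Safe Harbor keeps only the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_death"}

def safe_harbor_deidentify(record):
    """Return a copy of record with listed identifiers removed and dates generalized."""
    out = {}
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS:
            continue                                # drop the identifier entirely
        if field in DATE_FIELDS:
            out[field + "_year"] = str(value)[:4]   # "2023-04-17" -> "2023"
        else:
            out[field] = value                      # clinical content is not an identifier
    return out

def remaining_identifiers(record):
    """Identifier fields still present; a non-empty list means the record is still PHI."""
    return sorted(f for f in record if f in IDENTIFIER_FIELDS or f in DATE_FIELDS)

def is_deidentified(record):
    # The 18th category ("any other unique identifying number, characteristic, or
    # code") cannot be caught by field name alone, so this check is necessary, not
    # sufficient: free-text fields still need review for such values.
    return not remaining_identifiers(record)

# Constructed sample record (fictional values).
SAMPLE_RECORD = {
    "name": "Jane Example", "mrn": "MRN-000123", "phone": "555-0100",
    "birth_date": "1980-02-03", "admission_date": "2023-04-17",
    "diagnosis_code": "E11.9", "procedure": "HbA1c test",
}

if __name__ == "__main__":
    clean = safe_harbor_deidentify(SAMPLE_RECORD)
    print("de-identified:", is_deidentified(clean), clean)
    partial = {k: v for k, v in SAMPLE_RECORD.items() if k != "name"}   # partial strip
    print("still PHI:", not is_deidentified(partial), remaining_identifiers(partial))
```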

PHI Exists in Every Format Your Organization Touches

One mistake I see repeatedly is organizations treating PHI as a digital problem only. HIPAA protects a category of information regardless of its format. Under 45 CFR §160.103, PHI includes information transmitted or maintained in electronic, paper, or oral form.

That means the printed lab result left on a shared printer is PHI. The verbal conversation between a nurse and a physician in a hospital hallway — if it includes identifiable patient information — involves PHI. The faxed referral with a patient's name and diagnosis is PHI.

Your Security Rule obligations under 45 CFR Part 164, Subpart C, apply specifically to electronic PHI (ePHI), but the Privacy Rule's protections extend to all forms. Your organization's risk analysis must account for every medium through which PHI flows.

Who Bears the Obligation to Protect PHI?

HIPAA's protections don't exist in a vacuum. The law places the obligation to safeguard PHI squarely on covered entities — health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically — and their business associates.

Since the Omnibus Rule of 2013, business associates are directly liable for compliance with applicable provisions of the Security Rule and parts of the Privacy Rule. If your organization shares PHI with a billing company, cloud storage provider, or IT vendor, those relationships must be governed by a business associate agreement (BAA) under 45 CFR §164.502(e).

OCR enforcement actions confirm this isn't theoretical. Business associates have faced penalties exceeding $1 million for failures to protect PHI in their custody.

The Minimum Necessary Standard Your Workforce Must Follow

Knowing what PHI is matters only if your workforce applies that knowledge daily. The minimum necessary standard at 45 CFR §164.502(b) requires that when using, disclosing, or requesting PHI, your organization limits the information to the minimum amount needed to accomplish the intended purpose.

This means a front-desk coordinator processing a copayment doesn't need access to a patient's full psychiatric history. A referral coordinator sending records to a specialist should include only information relevant to the referral. Your organization must implement policies and role-based access controls that enforce this standard.

In my work with covered entities, the minimum necessary standard is one of the most frequently violated provisions — not because organizations reject it, but because they never operationalize it in their access controls and workflows.
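One way to operationalize the minimum necessary standard in an access control layer, as an added example (not code from the article or from HIPAA Certify): each role gets a field allow-list, undefined roles are denied by default, and every disclosure is logged with its purpose. The roles, field names and sample values are constructed assumptions.

```python
# Allow-list per role: a role sees only the fields its job function needs.
# FULL_RECORD is reserved for treatment roles; roles with no entry get nothing.
FULL_RECORD = object()
ROLE_FIELDS = {
    "front_desk": {"patient_name", "account_number", "copay_due", "appointment_time"},
    "referral_coordinator": {"patient_name", "mrn", "referral_diagnosis", "referring_provider"},
    "treating_clinician": FULL_RECORD,
}

ACCESS_LOG = []  # who saw which fields and why: what you can prove to OCR

def minimum_necessary_view(record, role, purpose):
    """Return only the fields `role` is permitted to see, and record the disclosure."""
    if role not in ROLE_FIELDS:
        raise PermissionError(f"no access policy defined for role {role!r}")  # default deny
    allowed = ROLE_FIELDS[role]
    if allowed is FULL_RECORD:
        view = dict(record)
    else:
        view = {k: v for k, v in record.items() if k in allowed}
    ACCESS_LOG.append({"role": role, "purpose": purpose, "fields": sorted(view)})
    return view

# Constructed sample record (fictional values).
SAMPLE_RECORD = {
    "patient_name": "Jane Example", "mrn": "MRN-000123", "account_number": "ACCT-77",
    "copay_due": 25.00, "appointment_time": "2023-04-17T09:00",
    "referral_diagnosis": "M54.5", "referring_provider": "Dr. Example",
    "psychiatric_history": "CONFIDENTIAL NOTES",
}

if __name__ == "__main__":
    print(minimum_necessary_view(SAMPLE_RECORD, "front_desk", "collect copayment"))
    print(minimum_necessary_view(SAMPLE_RECORD, "referral_coordinator", "specialist referral"))
    print(ACCESS_LOG)
```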

The Workforce Training Requirement Most Organizations Underestimate

Under 45 CFR §164.530(b), every member of your workforce must receive training on your organization's HIPAA policies and procedures. This isn't a one-time orientation checkbox. Training must occur for new workforce members within a reasonable period and must be updated whenever material changes affect PHI handling.

OCR has made clear through its enforcement actions that inadequate workforce training is a leading contributor to HIPAA violations. If your staff can't identify what category of information HIPAA protects, they cannot comply with the rules designed to protect it.

Investing in structured HIPAA training and certification ensures every workforce member — from clinicians to administrative staff — understands PHI, the minimum necessary standard, and their individual obligations under the Privacy and Security Rules.

Practical Steps to Protect PHI Across Your Organization

Compliance isn't achieved through awareness alone. Your organization needs documented, operational safeguards:

  • Conduct a thorough risk analysis — Identify every location and system where PHI is created, received, stored, or transmitted.
  • Implement access controls — Restrict PHI access based on job function and the minimum necessary standard.
  • Maintain an accurate Notice of Privacy Practices — Your NPP must clearly inform patients how their PHI is used and disclosed, as required by 45 CFR §164.520.
  • Execute BAAs with every business associate — No exceptions, no handshake agreements.
  • Train continuously — Annual refreshers and role-specific training are baseline expectations, not best practices.
  • Document everything — OCR investigations hinge on what you can prove, not what you intended.

If your organization hasn't revisited its compliance program recently, HIPAA Certify's workforce compliance platform provides the structure and documentation you need to demonstrate regulatory readiness.

PHI Is the Foundation — Build Your Compliance Program on It

Every provision in the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule traces back to one thing: protecting PHI. If your workforce doesn't understand that HIPAA protects a category of information that spans every format, every department, and every business associate relationship, your compliance program has a structural crack.

Close that gap now. Define PHI clearly in your policies, train every workforce member on the 18 identifiers, enforce the minimum necessary standard in your systems, and hold your business associates to the same standard OCR holds you.