In 2023, OCR settled with a dental practice for $350,000 after an investigation revealed the organization had disclosed protected health information (PHI) to a third-party marketing firm without obtaining valid authorization. The practice's compliance officer believed the data had been "de-identified," but it still contained ZIP codes, dates of service, and diagnosis codes. That misunderstanding cost them six figures and a corrective action plan lasting two years.
This case illustrates something I see repeatedly in my work with covered entities: organizations that handle PHI every day still struggle to define what it actually includes, where its boundaries are, and what protections HIPAA demands.
What Qualifies as Protected Health Information (PHI) Under HIPAA
HIPAA defines protected health information at 45 CFR §160.103 as individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits, in any form or medium. To qualify, the data must meet two conditions at once: it relates to an individual's past, present, or future physical or mental health, the provision of health care, or payment for health care; and it identifies the individual or gives a reasonable basis to believe it could be used to identify the individual. The definition excludes education records covered by FERPA and employment records a covered entity holds in its role as an employer.
The list of 18 identifiers is where most confusion begins. That list comes from the Safe Harbor de-identification standard at 45 CFR §164.514(b)(2), not from the definition of PHI itself: it enumerates what must be stripped before data is presumed de-identified. Anything carrying one of these identifiers is identifiable by definition, but data with none of them can still be PHI if it can reasonably be linked to a person. The list includes obvious items like names, Social Security numbers, and medical record numbers. It also includes less intuitive data points: all elements of dates except the year that relate directly to an individual (birth date, admission date, discharge date, date of death), ages over 89, geographic subdivisions smaller than a state (with a narrow exception for the first three digits of a ZIP code when that area contains more than 20,000 people), device identifiers and serial numbers, IP addresses, biometric identifiers, and full-face photographs.
A lab result on its own may not be PHI. A lab result attached to a patient's date of birth and account number absolutely is. Context determines classification, and your workforce needs to understand that distinction.
The Formats Most Organizations Overlook
PHI isn't limited to electronic health records. Under HIPAA, PHI exists in every format: paper charts in storage rooms, verbal communications between providers, voicemails left for patients, text messages sent between clinicians, and faxes routed to shared machines.
OCR enforcement actions consistently reveal that organizations invest heavily in securing their EHR systems while leaving paper records in unlocked filing cabinets or discussing patient details in open waiting areas. The Privacy Rule does not distinguish between formats — if it's individually identifiable health information, it's PHI regardless of medium.
Your safeguards must account for PHI in all of these forms. The Security Rule's required risk analysis (45 CFR §164.308(a)(1)(ii)(A)) is scoped to electronic PHI, so a security risk assessment that covers only ePHI satisfies that particular standard. But the Privacy Rule separately requires reasonable administrative, technical, and physical safeguards for PHI in any form (45 CFR §164.530(c)), so paper records, faxes, voicemail, and conversations still need documented controls. If nothing in your program addresses non-electronic PHI, you have a significant compliance gap.
PHI vs. De-Identified Data: Where the Line Falls
HIPAA provides two methods for de-identification under 45 CFR §164.514(b). The Safe Harbor method requires removal of all 18 identifiers of the individual and of the individual's relatives, employers, and household members, plus no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual. The Expert Determination method requires a person with appropriate knowledge of and experience with generally accepted statistical and scientific methods to determine, and document, that the risk of re-identification is very small. Data that meets either standard is no longer PHI and falls outside the Privacy Rule. A re-identification code may be retained only if it is not derived from information about the individual and the code and its mechanism are never disclosed (45 CFR §164.514(c)).
Healthcare organizations consistently underestimate how difficult true de-identification is. The dataset in the opening case would not even pass the mechanical Safe Harbor test: a full date of service and a five-digit ZIP code are both on the list of identifiers that must go. And a dataset that does pass can still be re-identifiable in practice. A three-digit ZIP prefix, a year of birth, and a diagnosis code can single out an individual in a small or rural population, which is exactly the situation Expert Determination is meant to assess. If your organization shares data for research, analytics, or marketing purposes, every dataset must be evaluated against one of these standards, and the evaluation documented, before it leaves your control.
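The mechanical half of Safe Harbor (strip or generalize the 18 identifier classes) can be enforced in code; the "no actual knowledge" half cannot. The following Python helper is an added example for this section, not code from the article or from HIPAA Certify. It assumes a hypothetical flat record layout (field names such as `mrn`, `zip`, `dob`, `date_of_service`, and `notes` are assumptions), applies the ZIP-prefix, date, and age-over-89 rules as §164.514(b)(2) states them, and refuses to release a record whose free-text field still contains an identifier pattern. The sample record is constructed, not real patient data.

```python
"""Safe Harbor de-identification helper (added example, not from the article).

Implements the list-driven part of 45 CFR 164.514(b)(2). The second Safe
Harbor condition (no actual knowledge that the remainder could identify the
individual) is a human judgment and is not automated here.
All field names are assumptions about a hypothetical record layout.
"""
import re
from datetime import date

# Three-digit ZIP prefixes whose combined population was under 20,000 in the
# 2000 census, per HHS Safe Harbor guidance; these must collapse to "000".
# Refresh from current census data before relying on this list.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Direct identifiers under Safe Harbor: always removed outright.
DROP_FIELDS = {
    "name", "ssn", "mrn", "account_number", "phone", "fax", "email",
    "health_plan_id", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}

# Date fields reduced to year only (ISO YYYY-MM-DD input assumed).
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "date_of_service", "date_of_death"}

# Narrative fields scanned for identifiers that leaked into free text.
FREE_TEXT_FIELDS = {"notes"}

_LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

# Constructed sample record (assumed layout, fictitious values).
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-0044812",
    "zip": "05901",            # prefix 059 is on the restricted list
    "dob": "1931-04-02",       # age over 89 in 2023, so the year must go too
    "date_of_service": "2023-07-14",
    "diagnosis_code": "E11.9",
    "notes": "Follow-up scheduled.",
}


def generalize_zip(zip_code):
    """Keep only the first three digits; collapse rare prefixes to '000'."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def year_only(value):
    """Reduce an ISO date string to its year; malformed input is dropped."""
    m = re.match(r"^(\d{4})-\d{2}-\d{2}$", value or "")
    return int(m.group(1)) if m else None


def find_leaks(text):
    """Return the sorted identifier types found in a free-text field."""
    return sorted(k for k, p in _LEAK_PATTERNS.items() if p.search(text or ""))


def safe_harbor_deidentify(record, reference_year=None):
    """Return a new dict with Safe Harbor identifiers removed or generalized.

    Raises ValueError when free text still carries an identifier pattern,
    because the record must not be released until that text is scrubbed.
    reference_year is the year against which age is computed (defaults to now).
    """
    reference_year = reference_year or date.today().year
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key + "_year"] = year_only(value)
        elif key in FREE_TEXT_FIELDS:
            leaks = find_leaks(value)
            if leaks:
                raise ValueError(f"free text field {key!r} contains {leaks}")
            out[key] = value
        else:
            out[key] = value
    # Ages over 89, and any year of birth that reveals one, collapse to "90+".
    birth_year = out.get("dob_year")
    if birth_year is not None:
        age = reference_year - birth_year
        if age > 89:
            out["dob_year"] = None
            out["age"] = "90+"
        else:
            out["age"] = age
    return out


if __name__ == "__main__":
    print(safe_harbor_deidentify(SAMPLE_RECORD, reference_year=2023))
```

Run against the constructed record, the output keeps only `zip3` (collapsed to `000` because prefix 059 is restricted), the year of service, the diagnosis code, the notes, and an age bucket of `90+` with the birth year suppressed. Everything else is dropped. The leak scan is deliberately strict: a date written as `07/14/2023` inside a note fails the record, which is the right default for a release gate.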
The Minimum Necessary Standard Your Workforce Must Follow
Even when a use or disclosure of PHI is permitted under the Privacy Rule, the minimum necessary standard at 45 CFR §164.502(b) requires your organization to limit the PHI used, disclosed, or requested to the amount reasonably needed for the specific purpose. It applies to internal access, disclosures to business associates, and responses to third-party requests. It does not apply to disclosures to or requests by a health care provider for treatment, disclosures to the individual, uses or disclosures made under a valid authorization, disclosures required by law, or disclosures to HHS for compliance purposes (45 CFR §164.502(b)(2)).
In practice, this means your billing department should not have routine access to psychotherapy notes. Your front desk staff should not be able to view the full medical records of every patient in the system. The Privacy Rule requires you to identify which workforce roles need access to which categories of PHI and to restrict access accordingly (45 CFR §164.514(d)(2)); for electronic PHI, the Security Rule's access control standard (45 CFR §164.312(a)(1)) is where that policy becomes a technical control. Role-based access is not optional.
Workforce members who access PHI outside the scope of their job function create liability for your covered entity. Implementing the minimum necessary standard requires both technical controls and the workforce training the Privacy Rule mandates (45 CFR §164.530(b)), repeated whenever policies change and documented for every member of your team.
Business Associate Obligations for Protecting PHI
Your organization's responsibility for PHI extends beyond your own walls. Under the 2013 Omnibus Rule, any business associate that creates, receives, maintains, or transmits PHI on your behalf is directly liable for complying with the Security Rule and with the Privacy Rule provisions that apply to it, and its own subcontractors that handle PHI are business associates too. This includes cloud storage vendors, billing companies, IT service providers, shredding services, and even certain consultants.
A business associate agreement meeting 45 CFR §164.504(e) must be in place before any PHI is shared. It must specify permitted and required uses and disclosures, require the business associate to implement appropriate safeguards, require it to report security incidents and breaches of unsecured PHI to you, flow the same terms down to its subcontractors, and provide for return or destruction of PHI when the relationship ends. If your business associate experiences a breach, it must notify you (45 CFR §164.410), and the obligation to notify affected individuals remains yours even where the agreement has the business associate send the notices on your behalf.
OCR has imposed penalties on covered entities for failing to execute BAAs — even when the business associate handled the data appropriately. The absence of the agreement itself is the violation.
Breach Notification: What Happens When PHI Is Compromised
The Breach Notification Rule at 45 CFR §§164.400-414 requires covered entities to notify affected individuals, HHS, and in some cases the media when unsecured PHI is compromised. Individual notice is due without unreasonable delay and no later than 60 calendar days after discovery, regardless of the size of the breach. For breaches affecting 500 or more individuals, HHS must be notified at the same time; if more than 500 residents of a single state or jurisdiction are affected, prominent media serving that area must also be notified within the same 60-day window. Smaller breaches must be logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. "Unsecured" is the key qualifier: PHI that was encrypted or destroyed in line with HHS guidance does not trigger notification, which is why full-disk encryption on laptops and portable media is the single highest-value control for this rule.
Every impermissible use or disclosure of PHI is presumed to be a breach unless your organization can demonstrate through a risk assessment that there is a low probability the PHI was compromised. The assessment must consider at least four factors (45 CFR §164.402): the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated. Three narrow exceptions cover unintentional good-faith access by a workforce member, inadvertent disclosure between persons authorized to access PHI at the same organization, and disclosures where the recipient could not reasonably have retained the information. Documenting that analysis is critical. OCR will ask for it during an investigation, and the 60-day clock runs from discovery, not from the end of your analysis.
Building a Culture That Protects PHI
Compliance is not a one-time project. It requires continuous workforce education, regular risk assessments, updated policies, and leadership commitment. Every staff member — from physicians to volunteers to contractors — must understand what PHI is, how to handle it, and what to do when something goes wrong.
The Notice of Privacy Practices you provide to patients is a promise. Your internal practices must match that promise. If you're looking to strengthen your organization's compliance posture, start with a comprehensive program through HIPAA Certify's workforce compliance platform.
PHI protection isn't just about avoiding penalties. It's about earning and maintaining the trust patients place in your organization every time they walk through the door.