In 2023, OCR settled with a dental practice for $350,000 after an investigation revealed the organization had disclosed patient records to a third-party marketing firm without authorization. The root cause? Staff members didn't fully understand what qualified as protected health information — or that sharing it without safeguards violated federal law. If your workforce can't explain what PHI stands for (Protected Health Information) and what that means in practice, your organization is exposed to exactly this kind of enforcement action.

PHI Is an Acronym For Protected Health Information — Here's Why That Matters

Under the HIPAA Privacy Rule (45 CFR §160.103), PHI is an acronym for Protected Health Information — individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. This isn't limited to medical records. It encompasses any data that connects a person's identity to their health condition, treatment, or payment history.

PHI exists in every format: paper charts in a filing cabinet, electronic records in your EHR, verbal conversations at the nurses' station, even faxed referral forms. If the information identifies — or could reasonably identify — a specific individual and relates to their past, present, or future health or healthcare payment, it's PHI. Full stop.

The 18 Identifiers That Make Health Information "Protected"

Healthcare organizations consistently struggle with recognizing just how broad PHI actually is. HHS defines 18 specific identifiers that, when linked to health data, create protected health information. These include:

  • Names
  • Dates (birth, admission, discharge, death)
  • Phone and fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Device identifiers and serial numbers
  • Web URLs and IP addresses
  • Biometric identifiers (fingerprints, voiceprints)
  • Full-face photographs and comparable images
  • Any other unique identifying number or code

Remove all 18 identifiers following the Safe Harbor method under 45 CFR §164.514(b), and the data becomes de-identified — no longer subject to HIPAA restrictions. But if even one identifier remains tied to health data, your organization must treat it as PHI and apply all Privacy Rule and Security Rule protections.
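To make the Safe Harbor test concrete, here is an added Python example, not part of the original article and not HHS tooling, that scans a record for the identifier categories listed above, reports whether health data is still linked to an identifier, and produces a redacted copy. The field names, regular expressions and sample record are constructed for illustration; the list above is the article's partial list, and the patterns only cover the categories that have a recognisable textual shape, so a real de-identification pipeline has to address all 18 categories and keep a reviewer in the loop.

```python
import re
from dataclasses import dataclass, field

# Regular expressions for identifier categories from the list above that have a
# recognisable textual shape. Constructed for this example; they are deliberately
# simple and would need tuning (and review) before production use.
PATTERNS = {
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone_or_fax": re.compile(r"\b\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Fields whose values are identifiers by definition (names, MRNs, account and
# license numbers, device serials, biometrics, photos). Field names are assumed.
IDENTIFIER_FIELDS = {
    "name", "patient_name", "mrn", "medical_record_number", "beneficiary_id",
    "account_number", "license_number", "device_serial", "fingerprint_template",
    "photo",
}

# Fields carrying the health component: condition, treatment or payment.
HEALTH_FIELDS = {"diagnosis", "procedure", "medication", "lab_results", "claim_amount"}


@dataclass
class SafeHarborResult:
    identifiers_found: list = field(default_factory=list)  # (field, category) pairs
    has_health_data: bool = False

    @property
    def is_phi(self) -> bool:
        # Health information linked to at least one identifier is PHI.
        return self.has_health_data and bool(self.identifiers_found)


def scan_record(record: dict) -> SafeHarborResult:
    """Report which identifier categories remain in a record."""
    result = SafeHarborResult()
    for key, value in record.items():
        if value in (None, ""):
            continue
        name = key.lower()
        if name in HEALTH_FIELDS:
            result.has_health_data = True
        if name in IDENTIFIER_FIELDS:
            result.identifiers_found.append((key, "named_field"))
        if isinstance(value, str):
            for category, pattern in PATTERNS.items():
                if pattern.search(value):
                    result.identifiers_found.append((key, category))
    return result


def safe_harbor_redact(record: dict) -> dict:
    """Return a copy with identifier fields dropped and patterned identifiers masked."""
    redacted = {}
    for key, value in record.items():
        if key.lower() in IDENTIFIER_FIELDS:
            continue  # drop the field entirely
        if isinstance(value, str):
            for category, pattern in PATTERNS.items():
                value = pattern.sub(f"[{category.upper()} REMOVED]", value)
        redacted[key] = value
    return redacted


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "patient_name": "Jane Doe",
    "mrn": "MRN-0048213",
    "note": "Seen 03/14/2023; call back at 555-123-4567 or jane.doe@example.com",
    "diagnosis": "Type 2 diabetes",
    "claim_amount": "412.50",
}

if __name__ == "__main__":
    before = scan_record(SAMPLE_RECORD)
    print("PHI before redaction:", before.is_phi, before.identifiers_found)
    after = safe_harbor_redact(SAMPLE_RECORD)
    print("PHI after redaction:", scan_record(after).is_phi, after)
```

The redacted copy still carries the diagnosis and claim amount, which is the point of Safe Harbor: the health data survives, the linkage to a person does not. Free-text fields such as `note` are where identifiers hide most often, so the scanner treats every string value as suspect rather than trusting field names alone.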

How the Privacy Rule Governs PHI Disclosure

The HIPAA Privacy Rule doesn't prohibit all sharing of protected health information. It establishes strict conditions under which PHI can be used or disclosed. Covered entities may share PHI for treatment, payment, and healthcare operations without individual authorization. Disclosures for marketing, most research, and sale of PHI require written patient authorization.

One of the most underenforced provisions is the minimum necessary standard (45 CFR §164.502(b)). Your organization must limit PHI access and disclosure to only the information reasonably necessary to accomplish the intended purpose. In my work with covered entities, I've seen this requirement violated routinely — entire medical records sent when a single lab result was requested, or broad role-based access granted in EHR systems with no auditing.
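As an added example, not taken from the article, the minimum necessary standard can be enforced in code as a deny-by-default, purpose-scoped disclosure function that also records what was released and what was withheld, so that a request for "the whole chart" when one lab result was needed is both cut down and visible in the audit trail. The policy table, purposes, field names and sample chart are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Purpose-scoped disclosure policy. Each purpose maps to the fields reasonably
# necessary to accomplish it; any field not listed is withheld by default.
# Purposes and field names are assumptions constructed for this example.
MINIMUM_NECESSARY_POLICY = {
    "lab_result_request": {"mrn", "lab_results"},
    "billing": {"mrn", "insurance_id", "procedure_codes", "claim_amount"},
    "treatment": {"mrn", "patient_name", "diagnosis", "medications", "lab_results"},
}

AUDIT_LOG = []  # in-memory stand-in for an append-only audit store


def disclose(record: dict, purpose: str, requested_fields, requester: str):
    """Release only the fields the policy permits for this purpose, and audit it.

    Returns (released_fields, withheld_field_names). An unknown purpose is an
    error rather than a fallthrough to the whole record.
    """
    allowed = MINIMUM_NECESSARY_POLICY.get(purpose)
    if allowed is None:
        raise ValueError(f"no disclosure policy for purpose {purpose!r}")
    requested = set(requested_fields)
    released = {f: record[f] for f in requested & allowed if f in record}
    withheld = sorted(requested - allowed)
    # Log both what left the system and what was refused; the refusals are what
    # an auditor reads to see whether requests are habitually over-broad.
    AUDIT_LOG.append({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "requester": requester,
        "purpose": purpose,
        "record_id": record.get("mrn"),
        "released": sorted(released),
        "withheld": withheld,
    })
    return released, withheld


# Constructed sample chart; not real patient data.
SAMPLE_CHART = {
    "mrn": "MRN-0048213",
    "patient_name": "Jane Doe",
    "diagnosis": "Type 2 diabetes",
    "medications": ["metformin"],
    "lab_results": {"HbA1c": "7.1%"},
    "insurance_id": "BEN-77120",
    "procedure_codes": ["PROC-PLACEHOLDER"],
    "claim_amount": "412.50",
}

if __name__ == "__main__":
    # A lab-result request that asks for far more than it needs.
    released, withheld = disclose(
        SAMPLE_CHART, "lab_result_request",
        ["lab_results", "diagnosis", "patient_name", "insurance_id"], "reception.desk")
    print("released:", released)
    print("withheld:", withheld)
    print(json.dumps(AUDIT_LOG[-1], indent=2))
```

The design choice worth copying is that the policy is keyed by purpose rather than by role: a clinician making a billing query gets billing fields, not the treatment view they would get at the bedside. In a real EHR the audit entries would go to an append-only store rather than a list.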

Your Notice of Privacy Practices must clearly inform patients how their PHI will be used. If your notice is outdated or generic, you're not meeting the Privacy Rule's requirements — and OCR will flag it during an investigation.

Electronic PHI and the Security Rule's Non-Negotiable Safeguards

When PHI exists in electronic form — known as ePHI — the HIPAA Security Rule (45 CFR Part 164, Subparts A and C) imposes additional requirements. Every covered entity and business associate must implement administrative, physical, and technical safeguards to protect ePHI against unauthorized access, alteration, or destruction.

This starts with a thorough risk analysis. Under 45 CFR §164.308(a)(1), your organization must conduct an accurate and thorough assessment of potential risks and vulnerabilities to ePHI. OCR has cited failure to perform a risk analysis as a contributing factor in the majority of enforcement actions and settlements. It's the single most common deficiency.

Technical safeguards include access controls, audit logs, encryption, and transmission security. Physical safeguards address workstation security and facility access. Administrative safeguards cover workforce training, contingency planning, and security management processes. None of these are optional.

The Workforce Training Requirement Most Organizations Underestimate

Under 45 CFR §164.530(b), covered entities must train all workforce members on PHI policies and procedures. Under the Security Rule, 45 CFR §164.308(a)(5) requires security awareness and training. "Workforce" doesn't mean just employees — it includes volunteers, trainees, contractors, and anyone under your organization's direct control.

OCR enforcement actions reveal a pattern: organizations that suffer breaches often cannot produce evidence that workforce members received HIPAA training. A HIPAA violation stemming from an untrained employee can trigger penalties ranging from $100 to $50,000 per violation under the penalty tiers established in the HITECH Act, with annual maximums reaching $1.5 million per violation category.

If your training program consists of a single onboarding video with no updates, you're falling short. Effective HIPAA training and certification programs cover PHI handling, breach identification, patient rights, and the specific policies your organization has adopted. Training must be repeated when material changes occur and documented thoroughly.

Business Associates and the Chain of PHI Responsibility

Since the Omnibus Rule of 2013, business associates are directly liable for HIPAA compliance. Any vendor, contractor, or service provider that creates, receives, maintains, or transmits PHI on behalf of your covered entity must sign a Business Associate Agreement (BAA) and comply with applicable Privacy and Security Rule provisions.

Cloud storage providers, billing companies, IT managed service providers, shredding companies — all qualify as business associates if they handle PHI. Your organization is responsible for ensuring BAAs are in place and that you're not sharing protected health information with entities that lack proper safeguards.

Take Action Before OCR Takes Notice

Understanding that PHI is an acronym for Protected Health Information is the baseline — not the finish line. Your organization needs documented policies, current risk analyses, proper BAAs, and a workforce that can identify and safeguard PHI in every form it takes.

Start by evaluating your current compliance posture through HIPAA Certify's workforce compliance platform. Ensure every team member — from front desk staff to IT administrators — understands what PHI is, where it lives in your operations, and exactly what HIPAA requires them to do with it. OCR doesn't accept ignorance as a defense, and neither should your compliance program.