In 2023, OCR settled with a dental practice for $350,000 after an investigation revealed the organization had been disclosing patient records to a marketing vendor without a business associate agreement — because the practice believed the data wasn't really PHI data. They thought that because names were removed, the information was safe to share. They were wrong. The records still contained dates of service, ZIP codes, and account numbers — three of the 18 identifiers that make health information protected under HIPAA.
This is the single most dangerous misunderstanding I encounter in my work with covered entities: the belief that PHI is limited to names and diagnoses. It's not. And getting this wrong exposes your organization to enforcement actions, civil penalties, and mandatory corrective action plans.
What Qualifies as PHI Data Under the HIPAA Privacy Rule
The Privacy Rule at 45 CFR §160.103 defines protected health information as individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. Two conditions must both be met: the information relates to a person's health condition, treatment, or payment — and it contains identifiers that could link it to a specific individual.
OCR has consistently reinforced that PHI data includes information in any form — electronic, paper, or oral. A voicemail from a specialist mentioning a patient's diagnosis is PHI. A printed lab result sitting on a desk is PHI. A spreadsheet of patient account numbers tied to procedure codes is PHI.
The 18 HIPAA Identifiers You Must Know
The Privacy Rule specifies 18 types of identifiers that, when combined with health information, create PHI data. Your workforce needs to recognize every one of them:
- Names
- Geographic data smaller than a state (street address, city, ZIP code)
- All dates directly related to an individual (birth date, admission date, discharge date, date of death)
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
Remove all 18 and follow the de-identification standards in 45 CFR §164.514, and the data is no longer PHI. Leave even one in place, and every HIPAA obligation applies in full.
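The following is an added example, not code from the article or from HIPAA Certify, showing how the Safe Harbor method of 45 CFR §164.514(b)(2) plays out on a structured record such as a billing export. It goes slightly beyond the list above: Safe Harbor does not require every date and ZIP code to be removed outright, but permits a year on its own, ages up to 89, and the first three digits of a ZIP code when the combined area has more than 20,000 people (smaller areas become "000"). The field-name mapping, the ZIP3 population table, and the sample record are all constructed assumptions for the example; free-text fields would need content inspection, which this does not attempt. The sample record reproduces the situation from the dental practice case: names are gone, yet a date of service, a ZIP code, and an account number keep the record inside the definition of PHI.

```python
"""Safe Harbor de-identification check (added example, not from the article).

Assumptions: records are flat dicts with known field names; the field-to-category
mapping, the ZIP3 population table, and the sample record below are constructed
for this example. Dates are assumed to be ISO strings (YYYY-MM-DD).
"""
import re

# Field names -> HIPAA identifier category under 45 CFR 164.514(b)(2).
# Constructed mapping for a hypothetical billing export.
DIRECT_IDENTIFIER_FIELDS = {
    "patient_name": "names",
    "street": "geographic",
    "city": "geographic",
    "phone": "phone_numbers",
    "email": "email_addresses",
    "ssn": "social_security_numbers",
    "mrn": "medical_record_numbers",
    "account_number": "account_numbers",
    "ip_address": "ip_addresses",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_service"}
ZIP_FIELD = "zip"
AGE_FIELD = "age"

# Safe Harbor keeps the first three ZIP digits only when the combined area
# has more than 20,000 people; otherwise they must become "000".
# Populations here are constructed sample values, not Census data.
ZIP3_POPULATION = {"021": 1_500_000, "036": 12_000}


def _is_permitted_zip3(value):
    """True if a ZIP value is already in the Safe Harbor-permitted form."""
    if value == "000":
        return True
    return len(value) == 3 and ZIP3_POPULATION.get(value, 0) > 20_000


def find_phi_identifiers(record):
    """Return the identifier categories still present in a record.

    A non-empty result means the record is PHI whenever it also carries
    health, treatment, or payment information.
    """
    found = set()
    for field, category in DIRECT_IDENTIFIER_FIELDS.items():
        if record.get(field):
            found.add(category)
    for field in DATE_FIELDS:
        value = record.get(field)
        # A bare year is permitted; any more specific date is an identifier.
        if value and not re.fullmatch(r"\d{4}", str(value)):
            found.add("dates")
    zip_code = record.get(ZIP_FIELD)
    if zip_code and not _is_permitted_zip3(str(zip_code)):
        found.add("geographic")
    age = record.get(AGE_FIELD)
    if isinstance(age, int) and age > 89:
        found.add("dates")  # ages over 89 must be aggregated to "90+"
    return sorted(found)


def safe_harbor_deidentify(record):
    """Return a copy with identifiers removed or generalized per Safe Harbor."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifiers are dropped outright
        if field in DATE_FIELDS and value:
            out[field] = str(value)[:4]  # keep the year only
        elif field == ZIP_FIELD and value:
            zip3 = str(value)[:3]
            out[field] = zip3 if ZIP3_POPULATION.get(zip3, 0) > 20_000 else "000"
        elif field == AGE_FIELD and isinstance(value, int) and value > 89:
            out[field] = "90+"
        else:
            out[field] = value
    return out


# Constructed sample: names removed, but still PHI (dates, ZIP, account number).
SAMPLE_RECORD = {
    "date_of_service": "2023-04-17",
    "zip": "03601",
    "account_number": "ACC-4471",
    "procedure_code": "D1110",
    "age": 92,
}

if __name__ == "__main__":
    print("identifiers present:", find_phi_identifiers(SAMPLE_RECORD))
    clean = safe_harbor_deidentify(SAMPLE_RECORD)
    print("after Safe Harbor:", clean)
    print("identifiers remaining:", find_phi_identifiers(clean))
```

Running it on the sample record reports three identifier categories before de-identification and none after, which is the check a privacy officer would want applied to any extract before it leaves the organization: the data is either fully de-identified under §164.514, or it is PHI and needs a BAA and the minimum necessary review.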
Where Organizations Mishandle PHI Data Most Often
Healthcare organizations consistently struggle with PHI in contexts they don't think of as clinical. Billing spreadsheets, scheduling systems, employee wellness programs, and research databases all routinely contain PHI data that triggers Privacy Rule and Security Rule requirements.
Three scenarios generate the most OCR complaints and breach reports:
1. Improper disclosures to vendors. Sharing patient data with IT contractors, billing companies, or cloud storage providers without a signed business associate agreement violates 45 CFR §164.502(e). Every vendor that touches PHI must be under a BAA — no exceptions.
2. Failure to apply the minimum necessary standard. Under 45 CFR §164.502(b), your organization must limit PHI disclosures to only the information necessary for the purpose. Sending a full patient record when a payer only needs a procedure code is a violation most organizations commit daily without realizing it.
3. Unsecured PHI on personal devices. Workforce members accessing patient data on personal phones, tablets, or laptops without encryption create breach exposure that falls squarely under the Security Rule's technical safeguard requirements at 45 CFR §164.312.
The PHI Data Risk Analysis Your Organization Can't Skip
The Security Rule requires every covered entity and business associate to conduct a thorough risk analysis under 45 CFR §164.308(a)(1). This isn't optional, and it isn't a one-time exercise. OCR has cited failure to perform an adequate risk analysis as the single most common finding in enforcement actions — appearing in the majority of settlements since the Omnibus Rule took effect in 2013.
Your risk analysis must identify everywhere PHI data lives in your organization: EHR systems, email servers, cloud platforms, paper files, backup tapes, mobile devices, and even fax machines. If you don't know where your PHI is, you cannot protect it.
Map every system, every workflow, every vendor relationship. Then assess the threats and vulnerabilities specific to each. Document everything. OCR expects written evidence — not verbal assurances — that your organization takes this requirement seriously.
Workforce Training Is Your First Line of PHI Defense
Under 45 CFR §164.530(b), covered entities must train every workforce member on HIPAA policies and procedures relevant to their role. This includes contractors, volunteers, and trainees — not just full-time employees. And the training must be documented.
In practice, the organizations that suffer the most damaging breaches are those that treat HIPAA training as a checkbox exercise. A receptionist who doesn't understand that a patient's ZIP code combined with a diagnosis is PHI data will share it freely. A billing clerk who hasn't been trained on the minimum necessary standard will send complete records to every payer.
Investing in comprehensive HIPAA training and certification for your entire workforce closes these gaps before they become breach reports. Effective training covers the 18 identifiers, proper disclosure procedures, device security, and how to recognize and report potential violations.
Building a PHI Data Protection Strategy That Holds Up to OCR Scrutiny
Compliance isn't a single policy — it's a system. Your organization needs layered controls that address PHI data across its entire lifecycle:
- Administrative safeguards: Written policies, a designated privacy officer, documented risk analyses, workforce sanctions for violations.
- Physical safeguards: Locked file rooms, workstation use policies, secure disposal of paper records and electronic media.
- Technical safeguards: Encryption at rest and in transit, access controls, audit logs, automatic logoff, and authentication mechanisms.
Your Notice of Privacy Practices must accurately describe how your organization uses and discloses PHI. If your practices have changed — especially after adopting new technology or onboarding new business associates — update the notice and redistribute it.
Every element must be documented, tested, and updated. OCR does not accept good intentions. They accept evidence.
Take the Next Step Before OCR Does
PHI data obligations affect every department, every role, and every system in your organization. The covered entities that avoid penalties are the ones that build compliance into daily operations — not the ones that react after a breach.
Start by ensuring your workforce understands what PHI is and how to handle it. Platforms like HIPAA Certify make it straightforward to deploy role-based training, track completion, and maintain the documentation OCR expects. The cost of compliance is always lower than the cost of a corrective action plan.