In February 2024, a dental practice in New England received a $50,000 penalty from the HHS Office for Civil Rights after an employee texted patient appointment details — including diagnoses — to a personal phone. The practice argued the information was "just scheduling data." OCR disagreed. The case is a textbook example of what happens when organizations misunderstand what qualifies as protected health information under HIPAA.

This confusion isn't rare. In my work with covered entities, I've found that workforce members routinely underestimate the scope of PHI. They assume it means medical records and lab results. The reality is far broader — and the compliance consequences of getting it wrong are severe.

What Qualifies as Protected Health Information Under HIPAA

The HIPAA Privacy Rule at 45 CFR §160.103 defines protected health information as individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. The information must relate to a person's past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare.

The critical phrase is "individually identifiable." A dataset showing that 200 patients received flu shots last October is not PHI. But the moment you can link that data to a specific person — through a name, date of birth, medical record number, or any other identifier — it becomes protected health information under HIPAA and triggers your full compliance obligations.

The 18 Identifiers That Make Health Information "Individually Identifiable"

The Privacy Rule identifies 18 specific data elements that, when combined with health information, create PHI. Your workforce needs to recognize every one of them:

  • Names
  • Geographic data smaller than a state
  • All dates (except year) related to an individual — birth date, admission date, discharge date, date of death
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (fingerprints, voiceprints)
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic, or code

Notice how expansive that last category is. OCR has used it to classify patient portal login IDs, appointment confirmation numbers, and even custom billing codes as identifiers. If it can be used to identify an individual, treat it as PHI.
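A small scanner that applies the identifier list above to flat records and to free text, added here as an illustration rather than code from the original article; the regular expressions, the assumed column names, and the sample records (the flu-shot aggregate, one roster row, and a reminder message) are constructed for this example.

```python
import re

# Value shapes recognisable in free text; shapeless categories (names, MRNs) go by field name.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    # A full date (month and day present) is an identifier; a bare year is not.
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

# Assumed column names (constructed, not any EHR vendor's schema) for the other categories.
FIELD_IDENTIFIERS = {
    "name": {"name", "patient_name", "first_name", "last_name"},
    "medical_record_number": {"mrn", "medical_record_number"},
    "account_number": {"account_number", "account_no"},
    "health_plan_beneficiary_number": {"member_id", "beneficiary_id"},
    "device_serial": {"device_serial", "device_id"},
    "biometric": {"fingerprint", "voiceprint"},
    "full_face_photo": {"photo", "face_image"},
    "geographic_subdivision": {"zip", "zip_code", "street_address"},
}

def scan_text(text: str) -> set[str]:
    """Identifier categories whose value shape appears in free text."""
    return {cat for cat, rx in PATTERNS.items() if rx.search(text)}

def find_identifiers(record: dict) -> set[str]:
    """Identifier categories present in a flat record, by field name or by value."""
    found = set()
    for key, value in record.items():
        if value in (None, ""):
            continue
        found |= {cat for cat, names in FIELD_IDENTIFIERS.items() if key.lower() in names}
        if isinstance(value, str):
            found |= scan_text(value)
    return found

def is_phi(record: dict) -> bool:
    """A health-related record is PHI once any identifier links it to a person."""
    return bool(find_identifiers(record))

# Constructed samples: the flu-shot aggregate, one roster row, and a reminder text.
AGGREGATE = {"vaccine": "influenza", "month": "2023-10", "count": 200}
ROSTER_ROW = {"vaccine": "influenza", "given_on": "10/14/2023", "patient_name": "J. Doe"}
REMINDER = "Appt 3/4/2024 for hypertension follow-up, call (617) 555-0134 to reschedule"
```

The aggregate count is not PHI, while the roster row and the reminder text each carry identifiers that make the same health information individually identifiable.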

Where PHI Lives That Organizations Overlook

Healthcare organizations consistently struggle with PHI that exists outside the EHR. Yes, your electronic health record contains PHI. But so do these commonly overlooked locations:

  • Voicemail systems — appointment reminders that include diagnosis or treatment details
  • Scheduling software — patient names tied to provider specialties reveal health conditions
  • Email inboxes — forwarded referral notes, insurance correspondence, patient inquiries
  • Paper sign-in sheets — if they capture the reason for visit alongside patient names
  • Billing platforms — CPT and ICD-10 codes tied to patient identifiers
  • Text messages and chat apps — the source of an increasing number of HIPAA violations reported to OCR

Your risk analysis under the Security Rule (45 CFR §164.308(a)(1)) must account for every system and medium where PHI is stored, processed, or transmitted. If a platform touches PHI, it requires administrative, technical, and physical safeguards.

The Minimum Necessary Standard: PHI Access That Goes Too Far

Even when your organization correctly identifies PHI, the Privacy Rule's minimum necessary standard at 45 CFR §164.502(b) imposes an additional obligation. Workforce members should access, use, or disclose only the minimum amount of protected health information needed to accomplish the task at hand.

OCR's enforcement actions show this standard has teeth. A hospital that gives every employee unrestricted EHR access — from surgeons to janitorial staff — violates the minimum necessary standard regardless of whether anyone actually snoops. The violation is in the access configuration itself.

Practical steps to comply: implement role-based access controls, audit access logs quarterly, and restrict database queries to the fields required for each job function.
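The three steps above worked through in code, as an added example that is not from the article: a field-level role policy (an assumed schema, not any EHR vendor's), a column-restricted query builder in place of SELECT *, and an audit pass over constructed access-log entries that flags reads beyond a role's grant.

```python
from collections import namedtuple

# Constructed role policy (an assumption, not any EHR vendor's schema): each job
# function is granted only the fields it needs for its task; no entry means no access.
ROLE_FIELDS = {
    "scheduler": {"patient_id", "name", "phone", "appointment_time", "provider"},
    "billing": {"patient_id", "name", "account_number", "cpt_codes", "icd10_codes"},
    "clinician": {"patient_id", "name", "dob", "diagnoses", "medications", "notes"},
}

def minimum_necessary(record: dict, role: str) -> dict:
    """Project a patient record down to the fields the role may see.
    Roles absent from the policy (e.g. facilities staff) receive nothing."""
    allowed = ROLE_FIELDS.get(role, set())
    return {field: value for field, value in record.items() if field in allowed}

def select_for_role(table: str, role: str) -> str:
    """Build a column-restricted query instead of SELECT *; the column list comes
    from the policy, never from user input, so it adds no injection surface."""
    columns = sorted(ROLE_FIELDS.get(role, set()))
    if not columns:
        raise PermissionError(f"role {role!r} has no minimum-necessary grant on {table}")
    return f"SELECT {', '.join(columns)} FROM {table}"

AccessEvent = namedtuple("AccessEvent", "user role fields")

def audit_access(events: list) -> list:
    """Review access-log entries and report every read outside the user's role grant."""
    findings = []
    for event in events:
        excess = set(event.fields) - ROLE_FIELDS.get(event.role, set())
        if excess:
            findings.append((event.user, event.role, sorted(excess)))
    return findings

# Constructed sample data, not real patient or log records.
PATIENT = {"patient_id": "P-001", "name": "J. Doe", "dob": "1985-03-22", "phone": "555-0134",
           "appointment_time": "2024-03-04T09:00", "provider": "Dr. Smith", "diagnoses": ["I10"],
           "account_number": "A-7781", "cpt_codes": ["99213"], "icd10_codes": ["I10"],
           "medications": [], "notes": ""}
ACCESS_LOG = [
    AccessEvent("asmith", "scheduler", ["name", "appointment_time"]),
    AccessEvent("bjones", "scheduler", ["name", "diagnoses"]),   # beyond the scheduler grant
    AccessEvent("cwhite", "facilities", ["name"]),               # role with no grant at all
]
```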

Business Associate Obligations for PHI

If your organization shares PHI with a business associate — a billing company, IT vendor, cloud storage provider, or shredding service — you must execute a business associate agreement (BAA) under 45 CFR §164.502(e). The BAA must specify permitted uses and disclosures, require the associate to implement Security Rule safeguards, and mandate breach reporting.

A signed BAA is not optional. In 2023, OCR settled multiple cases where covered entities failed to execute BAAs before transmitting PHI to vendors. Penalties in these cases ranged from $50,000 to over $1.5 million. Your vendor management process should treat the BAA as a prerequisite — not a follow-up task.

The Workforce Training Requirement Most Organizations Underestimate

The Privacy Rule at 45 CFR §164.530(b) requires that every workforce member — employees, volunteers, trainees, contractors — receive training on PHI policies and procedures. "We sent a PDF" does not meet this standard. OCR expects documented, role-specific training with evidence of completion.

Training must cover what constitutes PHI, how to handle it according to the minimum necessary standard, and the procedures in your organization's Notice of Privacy Practices. It should be delivered at onboarding and refreshed whenever material changes occur.

If your organization lacks a structured program, explore HIPAA training and certification options that provide documented proof of workforce education — exactly what OCR asks for during investigations.

Breach Notification: When PHI Protections Fail

When protected health information is impermissibly accessed, used, or disclosed, the Breach Notification Rule at 45 CFR §§164.400-414 requires your covered entity to notify affected individuals, HHS, and — for breaches affecting 500 or more individuals — prominent media outlets. Notifications must occur within 60 days of discovering the breach.

OCR's breach portal shows that in 2023 alone, over 700 breaches affecting 500 or more individuals were reported. Many involved PHI in locations the organization hadn't secured — unencrypted email, legacy systems, and third-party apps without BAAs.

Every one of those breaches started with a failure to properly identify, classify, or safeguard PHI. The breach notification burden becomes the symptom. The root cause is almost always an incomplete understanding of what protected health information under HIPAA actually encompasses.

Build a Culture That Recognizes PHI at Every Touchpoint

Protecting PHI is not a one-time checklist. It requires an ongoing culture of awareness across your entire workforce — from the front desk to the C-suite. Conduct regular risk analyses, audit your BAAs annually, restrict access to the minimum necessary, and train every person who touches patient data.

If you're looking to build that culture from the ground up, HIPAA Certify's workforce compliance platform provides the tools and training documentation your organization needs to demonstrate compliance when OCR comes calling.

PHI is broader than most people think. Treat every data point that could identify a patient as protected — because under HIPAA, it almost certainly is.