In 2023, OCR settled with a dental practice for $350,000 after it disclosed patient diagnoses in response to negative online reviews. The information shared — names tied to treatment details — was textbook protected health information. The practice claimed it didn't realize review responses could constitute a HIPAA violation. That misunderstanding is far more common than it should be, which is why every member of your workforce needs to understand what is PHI in healthcare and how mishandling it exposes your organization to enforcement action.
What Is PHI in Healthcare Under the HIPAA Privacy Rule?
Protected health information — PHI — is defined under the HIPAA Privacy Rule (45 CFR §160.103) as individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. It includes information that relates to a patient's past, present, or future physical or mental health condition, the provision of healthcare, or the payment for healthcare services.
The critical qualifier is "individually identifiable." Health data becomes PHI when it can be linked — directly or indirectly — to a specific person. A lab result sitting in a database without any identifying context is not PHI. That same lab result tied to a patient's name, date of birth, or medical record number absolutely is.
The 18 Identifiers That Make Health Data PHI
HHS has defined 18 specific identifiers that, when combined with health information, create PHI. Your workforce needs to recognize every one of them:
- Names
- Geographic data smaller than a state
- All dates (except year) related to an individual — birth date, admission date, discharge date, date of death
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
If your organization strips all 18 identifiers following the Safe Harbor method under 45 CFR §164.514(b), the data is considered de-identified and is no longer PHI. But partial de-identification — removing a name but leaving a zip code and birth date — does not meet the standard.
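The following is an added example, not code from the article: a small Python check that maps a record's fields onto the 18 Safe Harbor identifier categories (field names are assumptions about a hypothetical export schema), scans free-text notes for identifiers that escape field-level stripping, and treats a record as de-identified only when no category remains, so the partial case above (name removed, zip and birth date left) is correctly rejected.

```python
import re
# Added example, not from the article. Field names are assumptions about a
# hypothetical export schema, mapped to the 18 Safe Harbor identifier categories.
FIELD_CATEGORIES = {
    "names": {"name", "first_name", "last_name"},
    "geographic": {"street", "city", "zip", "county"},
    "dates": {"dob", "admission_date", "discharge_date", "date_of_death"},
    "phone": {"phone"}, "fax": {"fax"}, "email": {"email"}, "ssn": {"ssn"},
    "mrn": {"mrn"}, "beneficiary": {"plan_id"}, "account": {"account_number"},
    "license": {"license_number"}, "vehicle": {"vin", "plate"}, "device": {"device_serial"},
    "url": {"url"}, "ip": {"ip"}, "biometric": {"fingerprint"},
    "photo": {"face_photo"}, "other_unique": {"study_code"},
}
# Identifiers that leak into free-text fields such as clinical notes.
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "dates": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}
YEAR_ONLY = re.compile(r"^\d{4}$")

def remaining_identifiers(record):
    """Return the Safe Harbor identifier categories still present in a record."""
    found = set()
    for category, fields in FIELD_CATEGORIES.items():
        for name in fields:
            value = record.get(name)
            if value in (None, ""):
                continue
            # Safe Harbor permits a bare year, so a year-only date is not an identifier.
            if category == "dates" and YEAR_ONLY.match(str(value)):
                continue
            found.add(category)
    for name in ("notes", "comments"):  # free text can smuggle identifiers back in
        for category, pattern in TEXT_PATTERNS.items():
            if pattern.search(str(record.get(name, ""))):
                found.add(category)
    return found

def is_safe_harbor_deidentified(record):
    """True only when no category remains; dropping the name alone is not enough."""
    return not remaining_identifiers(record)

# Constructed records, not real patients.
PARTIAL = {"name": "", "zip": "02139", "dob": "1984-03-12", "lab_result": "HbA1c 7.2"}
CLEAN = {"name": "", "zip": "", "dob": "1984", "lab_result": "HbA1c 7.2"}
LEAKY_NOTE = {"dob": "1984", "notes": "Patient asked for callback at 617-555-0199"}
```

The regexes cover only the obvious textual forms; a production de-identification pipeline would need broader pattern coverage and a review of the ZIP and age exceptions in §164.514(b).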
Where PHI Exists in Your Organization
In my work with covered entities, I consistently find that organizations underestimate how many places PHI lives. It's not just in the EHR. PHI exists in billing records, appointment scheduling systems, insurance claims, voicemails, paper intake forms, email threads, text messages, and even sticky notes left on a monitor.
Electronic PHI (ePHI) carries additional obligations under the HIPAA Security Rule (45 CFR Part 164, Subpart C). Your organization must implement administrative, physical, and technical safeguards — including access controls, audit logs, encryption, and transmission security — to protect ePHI at rest and in transit.
Don't overlook your business associates. Any vendor that creates, receives, maintains, or transmits PHI on your behalf — cloud hosting providers, billing companies, shredding services — must have a signed Business Associate Agreement (BAA) in place. OCR has pursued enforcement actions against covered entities that failed to secure BAAs even when the business associate was the one who caused the breach.
The Minimum Necessary Standard: A Rule Most Teams Get Wrong
Understanding what is PHI in healthcare is only the first step. The Privacy Rule also imposes the minimum necessary standard (45 CFR §164.502(b)), which requires your workforce to limit PHI access and disclosure to only what is needed to accomplish the intended purpose.
This means a front desk employee scheduling a follow-up appointment does not need access to a patient's full psychiatric notes. A billing specialist does not need to see radiology images. Role-based access controls are not optional — they are a regulatory requirement that OCR evaluates during investigations.
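As an added example (not from the article), here is one way to encode the minimum necessary standard as a role-and-purpose policy: the roles, purposes and field names are assumptions about a hypothetical scheduling and billing system, the filter releases only the permitted fields, and every request is written to an audit log listing what was withheld, which is the record an investigator would ask for.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Added example, not from the article. Roles, purposes and field names are
# assumptions about a hypothetical system; the policy encodes the article's two
# cases: front desk sees no psychiatric notes, billing sees no radiology images.
POLICY = {
    ("front_desk", "scheduling"): {"mrn", "name", "phone", "next_appointment"},
    ("billing", "claims"): {"mrn", "name", "plan_id", "procedure_codes", "charges"},
    ("psychiatrist", "treatment"): {"mrn", "name", "psych_notes", "medications"},
}

@dataclass
class AuditEntry:
    when: str
    role: str
    purpose: str
    mrn: str
    released: list
    withheld: list

AUDIT_LOG = []

def minimum_necessary(role, purpose, record):
    """Return only the fields this role may see for this purpose; audit the rest."""
    allowed = POLICY.get((role, purpose))
    if allowed is None:  # unknown role/purpose pair: release nothing, still audit
        allowed = set()
    released = {k: v for k, v in record.items() if k in allowed}
    withheld = sorted(k for k in record if k not in allowed)
    AUDIT_LOG.append(AuditEntry(datetime.now(timezone.utc).isoformat(), role, purpose,
                                record.get("mrn", "?"), sorted(released), withheld))
    return released

# Constructed record, not a real patient.
RECORD = {"mrn": "MRN-TEST-001", "name": "Test Patient", "phone": "555-0100",
          "next_appointment": "2025-01-15", "psych_notes": "...",
          "radiology_images": ["img1"], "plan_id": "PLAN-TEST",
          "procedure_codes": ["99213"], "charges": 140.0}
```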
Your organization should conduct a thorough risk analysis at least annually to identify where PHI is accessed, by whom, and whether those access levels align with the minimum necessary standard. This analysis is also a foundational requirement of the Security Rule, and failing to perform one is the single most cited deficiency in OCR enforcement actions.
PHI Breaches: What Triggers an OCR Investigation
A breach of unsecured PHI affecting 500 or more individuals must be reported to HHS, affected individuals, and prominent media outlets within 60 days under the Breach Notification Rule (45 CFR §§164.400-414). Breaches affecting fewer than 500 individuals must be logged and reported to HHS annually.
Between 2019 and 2024, OCR investigated thousands of reported breaches. The most common root causes include unauthorized access by workforce members, phishing attacks leading to email account compromises, and improper disposal of paper records containing PHI. Penalties under the HITECH Act's tiered structure range from $137 per violation for unknowing infractions up to roughly $2.1 million per violation category per year for willful neglect left uncorrected.
Many of these incidents trace back to a workforce that was never properly trained on what constitutes PHI and how to handle it. That gap is preventable.
Workforce Training Is Your First Line of PHI Protection
The Privacy Rule (45 CFR §164.530(b)) requires covered entities to train all workforce members on PHI policies and procedures. "Workforce" under HIPAA is broader than employees — it includes volunteers, trainees, contractors, and anyone under your organization's direct control.
Training cannot be a one-time onboarding checkbox. OCR expects ongoing education, especially when policies change or new threats emerge. Your Notice of Privacy Practices tells patients how you protect their PHI; your training program is what ensures your team actually follows through.
Investing in structured HIPAA training and certification gives your workforce the knowledge to identify PHI in all its forms, apply the minimum necessary standard, and respond appropriately to potential breaches. A well-trained team is the most effective safeguard your organization can implement — more effective than any firewall or encryption tool operating in isolation.
Build a Culture That Protects PHI at Every Level
Compliance isn't a project with an end date. It is an ongoing operational discipline. Every department in your organization — clinical, administrative, IT, legal, and executive leadership — must understand what PHI is, where it resides, who can access it, and what happens when it is compromised.
Start by auditing your current PHI inventory and access controls. Update your BAAs. Revisit your risk analysis. Then ensure every workforce member completes comprehensive training that reflects current OCR enforcement priorities.
If your organization is ready to close compliance gaps and equip your team with the knowledge they need, explore HIPAA Certify's workforce compliance platform to build a defensible, well-documented training program that holds up under regulatory scrutiny.