Glossary term

Protected Health Information (PHI)

Protected health information is individually identifiable health information protected by HIPAA when held or transmitted by covered entities or business associates.

Updated: May 21, 2026

Read time: 3 min read

What Is Protected Health Information?

Protected health information (PHI) is individually identifiable health information protected by HIPAA when it is created, received, maintained, or transmitted by a covered entity or business associate. It can exist in electronic, paper, or oral form.

PHI matters financially because health information is tied to insurance claims, billing, benefits, care decisions, identity risk, and employer-sponsored health plans. A privacy failure can harm patients and create legal, operational, and reputational costs for organizations.

Key Takeaways

  • PHI is individually identifiable health information protected under HIPAA.
  • It can be electronic, paper, or oral.
  • HIPAA applies to covered entities and business associates, not every app or organization that holds health-related data.
  • Electronic PHI is also subject to HIPAA Security Rule safeguards.
  • De-identified information is generally treated differently if it meets HIPAA standards.

How PHI Works

Health information becomes PHI when it identifies or can reasonably identify an individual and is handled by an organization subject to HIPAA. Examples can include diagnoses, treatment information, claims, account numbers, dates of service, medical record numbers, and billing details tied to a person.

Covered entities include many health plans, health care clearinghouses, and health care providers that conduct certain electronic transactions. Business associates are vendors or partners that create, receive, maintain, or transmit PHI for covered functions.

Financial And Insurance Context

PHI is not just clinical information. It can appear in health insurance enrollment, explanations of benefits, claims processing, flexible spending account substantiation, wellness program administration, and employer health plan operations. That is why finance, HR, benefits, and compliance teams may encounter PHI even outside a hospital setting.

When PHI is mishandled, the financial consequences can include breach notification costs, investigation expense, system remediation, regulatory penalties, contract disputes, and loss of customer trust.

What PHI Is Not

Not all health-related data is PHI. A step count in a consumer fitness app may not be PHI if the app is not acting for a HIPAA covered entity or business associate. The same type of information could become PHI in a covered clinical or plan context.

This distinction is important because people often use PHI as shorthand for all sensitive health data. HIPAA’s legal definition is narrower than the everyday privacy concern.

Example

A hospital bill with a patient’s name, diagnosis code, date of service, and insurer information is PHI when handled by a covered hospital or its billing vendor. The same diagnosis discussed anonymously in a public health article is not PHI if it cannot identify an individual and is not tied to a covered entity’s records.

Employers should be especially careful around health plan information. A company may sponsor a group health plan, but managers should not casually access claims data about employees. Plan administration requires separation, minimum-necessary practices, and appropriate controls.

PHI And Cybersecurity

Electronic PHI is a major cybersecurity concern because it combines identity data, health data, and payment information. A breach can expose medical history and financial identifiers at the same time. That is why HIPAA privacy and security controls often sit beside broader cyber insurance, vendor management, and incident response planning.

PHI controls also affect mergers, audits, and vendor contracts. A buyer or partner may need to understand whether health data was handled under HIPAA-compliant agreements and safeguards.

Individuals should also know that HIPAA rights are not the same as ownership of every medical record. The rules focus on permissible use, disclosure, access, amendment, safeguards, and accountability within covered relationships.

The Bottom Line

Protected health information is identifiable health information protected by HIPAA in covered contexts. It matters because health data connects care, insurance, billing, identity, and organizational risk.
