What is Protected Health Information (PHI)?

As more software and services become available for storing medical records, it becomes increasingly important that developers, IT admins, and end users understand what kind of data is traveling through and into their systems.

The Health Insurance Portability and Accountability Act of 1996, or HIPAA, mandates safeguards if the data contains “Protected Health Information,” or PHI. But what is considered PHI? Basically (and perhaps over-simplistically), it’s anything that can be used to identify the person.

The following are generally considered PHI if used in a medical context. This list is by no means complete.

Examples of Protected Health Information

  • Medical or dental records
  • Patient billing records
  • Images of patients’ full faces
  • Radiographs
  • Biometric data:
    • Fingerprints
    • Voice prints
  • Patient demographics:
    • Names and initials
    • Genders
    • Social Security Numbers (SSN)
    • Geographic region if smaller than a state, such as:
      • Address
      • City
      • County
      • ZIP code
  • Medical or dental record numbers
  • Account numbers
  • E-mail addresses
  • Telephone and fax numbers
  • IP addresses
  • URL addresses
  • Device MAC addresses
  • License plate numbers and other vehicle identifiers
  • Certificate / license numbers

It’s worth stressing again that this is not a definitive list.

If your database or service contains any of these attributes, it’s best to limit their use and transmission and to store them as securely as possible.

More information, straight from the source, can be found at:
https://www.hhs.gov/hipaa/for-professionals/index.html