HIPAA and Disclosing Information
Protected Health Information (PHI) is any individually identifiable health information, clinical or non-clinical, that is created or received during a medical encounter and entered into a medical record or other designated record set.
PHI includes data in any format (paper, electronic, or oral) that can tie a patient's medical information to their identity. This covers clinical documents, test results, billing records, insurance records, and other health records that contain a patient's personally identifiable information, such as their name, date of birth, and home address.
There are limited scenarios in which PHI created or maintained by a medical practice can be disclosed without patient authorization. These primarily include disclosures needed for treatment, payment, or health care operations (TPO), which the U.S. Department of Health and Human Services defines in the HIPAA Privacy Rule (45 CFR 164.506). For most uses and disclosures, a practice must limit PHI to the minimum necessary to accomplish the intended purpose (45 CFR 164.502(b)). The minimum necessary standard does not apply to disclosures to a health care provider for treatment, to the patient themselves, or to disclosures made under a valid patient authorization.
The primary healthcare privacy law in the United States is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The law and its implementing regulations define which entities must comply, known as "covered entities": health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions. Covered entities have a legal duty to protect patient privacy and comply with all provisions of HIPAA. This duty extends to the vendors, contractors, and other "business associates" that create, receive, maintain, or transmit PHI on a covered entity's behalf. That relationship must be governed by a Business Associate Agreement (BAA) between the covered entity and the business associate, and since the HITECH Act of 2009 business associates are also directly liable for complying with the HIPAA Security Rule and the applicable Privacy Rule provisions.