Protected Health Information (PHI) Security

Protected health information security encompasses the technical, administrative, and physical controls required to safeguard individually identifiable health data under federal law. The governing framework — established primarily by the Health Insurance Portability and Accountability Act of 1996 and its subsequent regulations — applies across hospitals, insurers, clearinghouses, and a broad range of business associates. Failures in PHI protection carry civil and criminal liability, with penalty tiers reaching $1.9 million per violation category per year (HHS Office for Civil Rights, HIPAA Penalty Structure).


Definition and scope

PHI is defined by the HIPAA Privacy Rule (45 CFR §164.501) as individually identifiable health information transmitted or maintained in any form — electronic, paper, or oral — by a covered entity or its business associates. The definition covers 18 specific identifiers enumerated by the U.S. Department of Health and Human Services, including names, geographic data smaller than a state, dates other than year (for individuals over 89), phone numbers, email addresses, Social Security numbers, medical record numbers, account numbers, biometric identifiers, and full-face photographs.

Electronic PHI (ePHI) is the subset governed specifically by the HIPAA Security Rule (45 CFR §§164.302–318), which applies exclusively to data in electronic form. The distinction between PHI and ePHI determines which technical safeguard provisions apply. Paper records fall under the Privacy Rule's physical and administrative safeguard requirements but are not subject to the Security Rule's encryption and audit control specifications.

PHI differs structurally from broader categories of personally identifiable information protection because the nexus to a health condition, treatment, or payment for care is a required element — not all personal data qualifies. This boundary also separates PHI from financial data security standards, even when financial identifiers appear in the same record.


How it works

HIPAA compliance for PHI security operates through three mandatory safeguard categories, each with required and addressable implementation specifications:

  1. Administrative safeguards — Policies and procedures governing the workforce. Required elements include a security management process, assigned security responsibility, workforce training, and contingency planning. The security management process must include a documented data security risk assessment conducted at defined intervals.

  2. Physical safeguards — Controls over physical access to systems housing ePHI. These cover facility access controls, workstation use policies, workstation security, and device and media controls including data retention and disposal policies for hardware taken out of service.

  3. Technical safeguards — Mechanisms controlling access to ePHI in electronic systems. Required specifications include unique user identification and automatic logoff. Addressable specifications — which require documented justification if not implemented — include encryption and decryption, audit controls, integrity controls, and transmission security.

The NIST Cybersecurity Framework, published by the National Institute of Standards and Technology (NIST SP 800-66 Rev. 2), provides implementation guidance for HIPAA technical requirements, mapping Security Rule specifications to identifiable control families. NIST SP 800-66 Rev. 2 was published in 2023 and replaced the 2008 original revision.

Data encryption standards applied to ePHI typically reference AES-256 for data at rest and TLS 1.2 or higher for data in transit, consistent with NIST Special Publication 800-111 and 800-52 respectively. Encryption keeps breached ePHI from being "unsecured" PHI under the Breach Notification Rule only if the decryption key is not also compromised.


Common scenarios

PHI security requirements activate across a predictable set of operational contexts:

De-identification for research: Data that satisfies either the Expert Determination method or the Safe Harbor method under 45 CFR §164.514(b) ceases to be PHI and falls outside HIPAA's scope. De-identification and anonymization practices must follow the HHS-specified 18-identifier removal criteria for Safe Harbor compliance.
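A Safe Harbor pass over a single record, as an added example that is not from the original page: it drops the direct identifiers, keeps only the year of dates, pools ages over 89 into a "90+" group, and truncates ZIP codes to their first three digits (the Safe Harbor geographic exception; three-digit areas with 20,000 or fewer residents become "000"). The field names, the sample record and the restricted-ZIP prefix set are constructed assumptions.

```python
from datetime import date

# Safe Harbor identifiers that must be removed outright.
# Field names are constructed for this example.
DIRECT_IDENTIFIERS = {
    "name", "ssn", "mrn", "phone", "email", "account_number",
    "health_plan_id", "device_serial", "url", "ip_address",
    "biometric", "photo",
}

# Constructed placeholder set. The real list is derived from Census data:
# 3-digit ZIP areas with 20,000 or fewer residents must be coded "000".
RESTRICTED_ZIP3 = {"036", "059", "102", "203", "556", "692"}


def age_on(born: date, today: date) -> int:
    """Completed years between the two dates."""
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


def deidentify(record: dict, today: date = date(2024, 6, 1)) -> dict:
    """Return a copy of `record` with Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                          # dropped entirely
        if key == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
        elif key == "birth_date":
            born = date.fromisoformat(value)
            if age_on(born, today) > 89:
                out["age_group"] = "90+"      # year withheld: it would reveal age > 89
            else:
                out["birth_year"] = str(born.year)
        elif key.endswith("_date"):
            # Admission, discharge, death and similar dates keep only the year.
            out[key] = str(date.fromisoformat(value).year)
        else:
            out[key] = value                  # clinical content is not an identifier
    return out
```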


Decision boundaries

PHI security obligations depend on entity classification. Covered entities — health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically — bear direct HIPAA obligations. Business associates acquire obligations through contractual agreement and statutory extension under HITECH.

The critical threshold distinguishing PHI from non-PHI is the identifiability requirement: health information held by an employer in its capacity as an employer (not as a plan sponsor) is not PHI. Similarly, educational records governed by FERPA and employment records held by covered entities in their employer role are excluded under 45 CFR §164.501.

Data access controls for PHI must implement role-based minimum necessary access — a standard that differs from the broader least-privilege principle in that it is functionally defined by care roles rather than by system permission hierarchies. The Privacy Rule's minimum necessary standard applies to all PHI disclosures, while the Security Rule applies exclusively to ePHI.
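A role-keyed minimum necessary filter combined with the unique user identification and audit controls named under technical safeguards, as an added example that is not from the original page. The role-to-field map, the user ids and the record are constructed; the point it shows is that the sets overlap without being nested, so no role sits "above" another in a permission hierarchy.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed care-role field sets. Billing cannot read clinical notes and a
# clinician cannot read payment data: the sets are not a permission ladder.
MINIMUM_NECESSARY = {
    "treating_clinician": {"mrn", "name", "diagnosis", "medications", "notes"},
    "billing":            {"mrn", "name", "diagnosis", "account_number", "insurance_id"},
    "scheduler":          {"mrn", "name", "phone"},
}


@dataclass
class AuditEvent:
    """One audit-control record: which unique user, acting as which role, saw which fields."""
    user_id: str
    role: str
    mrn: str
    released: list
    withheld: list
    at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


def minimum_necessary_view(record: dict, user_id: str, role: str, audit_log: list) -> dict:
    """Return only the fields the role needs and log the access, including what was withheld."""
    allowed = MINIMUM_NECESSARY.get(role)
    mrn = record.get("mrn", "?")
    if allowed is None:
        # Unknown role: deny, but still record the attempt.
        audit_log.append(AuditEvent(user_id, role, mrn, [], sorted(record)))
        raise PermissionError(f"no minimum-necessary profile for role {role!r}")
    released = {k: v for k, v in record.items() if k in allowed}
    withheld = sorted(set(record) - allowed)
    audit_log.append(AuditEvent(user_id, role, mrn, sorted(released), withheld))
    return released
```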

Comparing the Security Rule's addressable vs. required specification framework to absolute mandates under PCI DSS illustrates a structural difference: HIPAA permits documented alternative controls when addressable specifications are not reasonable given entity size and capability, whereas PCI DSS Level 1 controls are not subject to equivalency substitution without formal compensating control documentation reviewed by a Qualified Security Assessor.

Data breach response procedures for PHI-related incidents must account for both the four-factor breach risk assessment and the separate notification timeline obligations — a dual-track process that does not exist in comparable form under state-level breach notification laws alone.

