Protected Health Information (PHI) Security

Protected Health Information (PHI) occupies a distinct regulatory category within US data security law, governed primarily by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations under 45 CFR Parts 160 and 164. This page covers the statutory definition and classification boundaries of PHI, the technical and administrative control frameworks that govern its protection, the operational scenarios where PHI security obligations are triggered, and the decision thresholds that determine when data falls within or outside HIPAA's protective scope. The sector spans healthcare providers, insurers, clearinghouses, and the business associates that process health data on their behalf.

Definition and scope

PHI is defined under 45 CFR § 160.103 as individually identifiable health information that is transmitted or maintained in any form or medium by a covered entity or its business associates. The definition encompasses information that relates to an individual's past, present, or future physical or mental health condition; the provision of healthcare to that individual; or the past, present, or future payment for that healthcare, where the information identifies the individual or there is a reasonable basis to believe it could be used to do so. The 18 identifiers enumerated in the Privacy Rule's Safe Harbor provision at 45 CFR § 164.514(b)(2) serve as the operational test: health information that still carries any of them is treated as PHI unless it has been de-identified by Expert Determination. The definition excludes education records covered by FERPA, employment records held by a covered entity in its role as employer, and records of persons deceased for more than 50 years.

The 18 identifiers are:

1. Names
2. All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code and equivalent geocodes), except the initial three digits of a ZIP code when the three-digit area contains more than 20,000 people; otherwise the three digits become 000
3. All elements of dates except year for dates directly related to an individual (birth, admission, discharge, death), plus all ages over 89 and any date element indicative of such an age, which may be aggregated into a single "90 or older" category
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate or license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web URLs
15. IP addresses
16. Biometric identifiers, including finger and voice prints
17. Full-face photographs and any comparable images
18. Any other unique identifying number, characteristic, or code, other than a re-identification code permitted under § 164.514(c)

Electronic PHI (ePHI) — PHI that is created, received, maintained, or transmitted in electronic form — carries additional technical safeguard obligations under the HIPAA Security Rule at 45 CFR Part 164, Subpart C. Paper and oral PHI are governed by the Privacy Rule but fall outside the Security Rule's technical control mandates.

Health information that has been de-identified under 45 CFR § 164.514(a)–(b), either by the Safe Harbor method (removal of all 18 identifiers) or by the Expert Determination method, is not PHI and falls outside HIPAA's protective scope. This distinction forms one of the most operationally significant data security classification decisions in the healthcare sector.

How it works

PHI security operates across three control domains defined by the HIPAA Security Rule:

Administrative safeguards (45 CFR § 164.308) require covered entities to implement a formal security management process, including a documented risk analysis, a risk management program, workforce training, and assigned security responsibility. The risk analysis is not a one-time exercise — the rule requires ongoing assessment as operational environments change.

Physical safeguards (45 CFR § 164.310) govern facility access controls, workstation use policies, and device and media controls. These apply to any physical location where ePHI is accessed, stored, or processed, including third-party data centers used under business associate agreements.

Technical safeguards (45 CFR § 164.312) mandate access controls, audit controls, integrity mechanisms, person or entity authentication, and transmission security. Encryption is designated as an addressable specification rather than a required one (§ 164.312(a)(2)(iv) for data at rest, § 164.312(e)(2)(ii) in transit): a covered entity must implement it where reasonable and appropriate, or document why it is not and implement an equivalent alternative. In practice the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) treats encryption as the primary safe harbor in breach analysis. Under the HIPAA Breach Notification Rule at 45 CFR Part 164, Subpart D (§§ 164.400–164.414), a breach is defined in terms of "unsecured" PHI; ePHI rendered unusable, unreadable, or indecipherable by encryption consistent with HHS guidance (which points to NIST SP 800-111 for storage and NIST transport standards for transmission) is not unsecured, so its loss does not trigger notification, provided the decryption key was not also compromised. Otherwise, affected individuals must be notified without unreasonable delay and in no case later than 60 calendar days after discovery.
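
The Security Rule names audit controls and integrity mechanisms but prescribes no particular technique. As an added illustration (example code, not from the page or from HHS), the following Python builds a tamper-evident ePHI access log by chaining each record to the previous one with an HMAC, so that any rewrite or deletion of an earlier record is detectable. The key, the event fields, and the sample events are constructed for the example.

```python
"""Tamper-evident ePHI access log (added example; constructed events)."""
import hashlib
import hmac
import json

# Chain key. In a real deployment it lives in a KMS or HSM, separate from the
# log store, so that whoever can edit the log cannot also re-MAC it.
# The constant below is a placeholder for this example only.
LOG_KEY = b"example-audit-chain-key-not-for-production"
GENESIS = "0" * 64  # previous-MAC value used for the first record


def _record_mac(prev_mac, entry):
    """HMAC-SHA256 over the previous MAC and the canonical JSON of this entry."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(LOG_KEY, (prev_mac + canonical).encode(), hashlib.sha256).hexdigest()


def append_event(log, entry):
    """Append one access event, chained to the last record, and return it."""
    prev_mac = log[-1]["mac"] if log else GENESIS
    record = {"entry": entry, "mac": _record_mac(prev_mac, entry)}
    log.append(record)
    return record


def verify_log(log):
    """Return the index of the first record that breaks the chain, else None."""
    prev_mac = GENESIS
    for index, record in enumerate(log):
        expected = _record_mac(prev_mac, record["entry"])
        if not hmac.compare_digest(expected, record["mac"]):
            return index
        prev_mac = record["mac"]
    return None


def build_sample_log():
    """Constructed events. patient_ref is a surrogate key, so the log itself
    does not become a second copy of PHI."""
    log = []
    append_event(log, {"ts": "2024-05-01T10:00:00Z", "user": "nurse01",
                       "patient_ref": "P-1001", "action": "view"})
    append_event(log, {"ts": "2024-05-01T10:04:12Z", "user": "nurse01",
                       "patient_ref": "P-1002", "action": "view"})
    append_event(log, {"ts": "2024-05-01T10:09:45Z", "user": "billing02",
                       "patient_ref": "P-1001", "action": "export"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact, first bad index:", verify_log(log))          # None
    log[1]["entry"]["patient_ref"] = "P-9999"                   # rewrite a record
    print("after edit, first bad index:", verify_log(log))      # 1
```

Two caveats a reviewer would raise: the chain detects edits and deletions of earlier records, but silently truncating the tail is undetectable unless the latest MAC is periodically anchored outside the log (a separate store, a signed checkpoint, or a write-once medium); and the log must record who accessed which record without itself carrying the identifiers it is meant to guard, hence the surrogate patient reference.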

Business Associate Agreements (BAAs) extend PHI security obligations contractually to third-party vendors under 45 CFR §§ 164.308(b) and 164.314(a), with the required contract terms set out at § 164.504(e). A covered entity that shares ePHI with a vendor lacking a valid BAA faces direct regulatory exposure regardless of where a breach originates, and since the HITECH Act business associates are themselves directly liable for Security Rule compliance.

NIST Special Publication 800-66 Revision 2 (Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide) maps each Security Rule standard to NIST Cybersecurity Framework subcategories and SP 800-53 controls, and is widely used by healthcare organizations to align compliance obligations with their technical security programs.

Common scenarios

PHI security obligations are triggered across a range of operational contexts, from clinical system access and claims processing at providers, plans, and clearinghouses to the hosting and processing of ePHI by business associates.

Decision boundaries

The central classification question is whether data constitutes PHI, de-identified health information, or general personally identifiable information (PII) subject to different frameworks. Three boundary conditions govern this determination:

Covered entity status: HIPAA applies only to health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with covered transactions, as defined in 45 CFR § 160.103. A wellness application that is not operated by or on behalf of a covered entity may collect health data without PHI status attaching, placing it outside HIPAA and potentially under FTC jurisdiction instead: the FTC has pursued enforcement under Section 5 of the FTC Act against health app operators that misrepresented their data practices, and its Health Breach Notification Rule (16 CFR Part 318) imposes breach notification duties on vendors of personal health records that HIPAA does not reach.

De-identification threshold: Data that has undergone valid de-identification under 45 CFR § 164.514 is no longer PHI. The Safe Harbor method requires removal of all 18 identifiers and requires that the covered entity have no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual. The Expert Determination method permits a person with appropriate statistical and scientific expertise to document that the risk of re-identification is very small; it demands more analysis but preserves more data utility. Under either method, a re-identification code may be retained only if it is not derived from information about the individual and the mechanism is not disclosed (§ 164.514(c)).
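
The following is an added example, not code from the page or from HHS, showing the Safe Harbor transformations applied to a constructed structured record in Python. The generalization rules and the restricted three-digit ZIP prefixes follow 45 CFR § 164.514(b)(2) and the HHS de-identification guidance (the prefix list there is based on 2000 census data and should be checked against current guidance); the field names, the fictional record, and the regular-expression sweep for residual identifiers are this example's own assumptions. It also handles the edge case the rule singles out: a patient over 89 loses the birth year as well as the month and day.

```python
"""Safe Harbor de-identification of one structured record (added example)."""
import re
from datetime import date

# Fields Safe Harbor removes outright. These names are this example's assumed
# record layout, not terms from the regulation. City and county go because every
# geographic unit smaller than a state is an identifier.
REMOVE_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo", "other_unique_id",
}

# Three-digit ZIP prefixes that HHS guidance lists as covering 20,000 or fewer
# people; Safe Harbor requires these to become 000 rather than be retained.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Heuristic patterns for sweeping free-text values after transformation.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
}


def generalize_zip(zip_code):
    """Keep the initial three ZIP digits, or 000 for a restricted prefix."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_date(iso_date):
    """Drop every date element except the year."""
    return str(date.fromisoformat(iso_date).year)


def generalize_age(age):
    """Aggregate all ages over 89 into the single category 90+."""
    return "90+" if age > 89 else str(age)


def residual_identifier_hits(record):
    """(field, pattern) pairs where a string value still looks like an identifier."""
    return [(field, name) for field, value in record.items() if isinstance(value, str)
            for name, pattern in RESIDUAL_PATTERNS.items() if pattern.search(value)]


def safe_harbor(record, reference_date=None):
    """Apply the Safe Harbor transformations to one record and return a new dict."""
    reference_date = reference_date or date.today()
    age = record.get("age")
    if age is None and "birth_date" in record:  # derive age when only DOB is present
        born = date.fromisoformat(record["birth_date"])
        age = reference_date.year - born.year - (
            (reference_date.month, reference_date.day) < (born.month, born.day))
    over_89 = age is not None and age > 89

    out = {}
    for field, value in record.items():
        if field in REMOVE_FIELDS:
            continue
        if field == "zip":
            zip3 = generalize_zip(value)
            if zip3:
                out["zip3"] = zip3
        elif field == "birth_date":
            if not over_89:  # a birth year indicative of age over 89 must go too
                out["birth_year"] = generalize_date(value)
        elif field.endswith("_date"):
            out[field[:-5] + "_year"] = generalize_date(value)
        elif field == "age":
            out["age"] = generalize_age(value)
        else:
            out[field] = value
    return out


# Constructed, fictional record: restricted ZIP prefix, patient over 89, and a
# phone number left behind in a free-text note.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "street_address": "12 Elm St", "city": "Hometown",
    "state": "VT", "zip": "03601", "birth_date": "1931-04-12",
    "admission_date": "2023-11-03", "age": 92, "mrn": "MRN-0012345",
    "diagnosis_code": "I10", "notes": "Follow-up call to 603-555-0142 arranged.",
}

if __name__ == "__main__":
    deidentified = safe_harbor(SAMPLE_RECORD)
    print(deidentified)
    print("residual identifiers:", residual_identifier_hits(deidentified))
```

The structured transformations are mechanical; the hard part of Safe Harbor is the free text. The sweep above flags the phone number in the note, which illustrates why notes, scanned documents, and image metadata need their own review before a dataset can be called de-identified, and why a covered entity with reason to suspect residual identifiers cannot claim the "no actual knowledge" condition. Safe Harbor also says nothing about linkage across datasets, which is where Expert Determination earns its keep.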

Minimum necessary standard: Under 45 CFR § 164.502(b), covered entities must limit PHI uses, disclosures, and requests to the minimum necessary to accomplish the intended purpose. The standard does not apply to disclosures to or requests by a healthcare provider for treatment, to disclosures to the individual, to uses or disclosures made under a valid authorization, or to disclosures required by law or made to HHS, but it governs routine business operations, vendor access grants, and workforce member permissions, where it translates into role-based access that exposes only the data classes each role needs.

OCR civil money penalties are structured in four culpability tiers under 45 CFR § 160.404, from lack of knowledge through willful neglect not corrected within 30 days, with per-violation amounts and an annual cap per violation category that HHS adjusts for inflation each year (45 CFR § 102.3); the $1,919,173 annual cap cited here is the 2022 adjustment and has since been raised. State attorneys general retain independent authority to bring civil actions for HIPAA violations under 42 U.S.C. § 1320d-5(d).
