Protected Health Information
Quick Definition
Protected Health Information (PHI) is individually identifiable health information held or transmitted by a HIPAA-covered entity or business associate. PHI is governed by the HIPAA Privacy Rule and includes any information that can be used to identify an individual in connection with their health, healthcare, or healthcare payment.
In Depth
Under the Health Insurance Portability and Accountability Act (HIPAA), Protected Health Information (PHI) includes any individually identifiable health information transmitted or maintained by a covered entity (healthcare providers, health plans, healthcare clearinghouses) or by a business associate handling such data on behalf of a covered entity.
Identifiers that bring information under PHI status include:
- Names.
- Geographic data smaller than a state.
- Dates directly related to an individual.
- Telephone numbers, fax numbers, email addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers, certificate or license numbers.
- Vehicle identifiers, device identifiers.
- Web URLs and IP addresses.
- Biometric identifiers.
- Full-face photographs.
- Any other unique identifying number, characteristic, or code.
The HIPAA Privacy Rule restricts how PHI can be used and disclosed without patient authorization. The HIPAA Security Rule requires technical, physical, and administrative safeguards for electronic PHI (ePHI).
Telehealth platforms that prescribe medications, store medical records, and handle insurance information are typically HIPAA-covered entities and must implement compliant infrastructure. Marketing email systems that handle non-clinical patient data, by contrast, may or may not be subject to HIPAA depending on the specific data flows.
Patients should review the privacy practices of any telehealth or pharmacy platform before submitting health information. Reputable platforms publish HIPAA-compliant privacy notices and use only HIPAA-compliant infrastructure for clinical data.
Related Terms
Async Telehealth
Asynchronous (async) telehealth is a model of remote healthcare in which the patient submits information (intake forms, photos, lab results) without a real-time video or phone consultation with the clinician. The clinician reviews and prescribes if appropriate. Most U.S. states permit async prescribing for many medications under defined conditions.
Synchronous Telehealth
Synchronous telehealth is a model of remote healthcare in which the patient and clinician interact in real time, typically via video or phone. It is required for some clinical scenarios and for controlled substance prescribing under federal and state rules.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 is the U.S. federal law that establishes data privacy and security standards for protected health information (PHI). HIPAA applies to healthcare providers, health plans, healthcare clearinghouses, and their business associates.