What is considered protected health information (PHI)?

Phishing and ransomware attacks are some of the leading causes of personal health information (PHI) and other data leaks. However, a recent report from Mimecast found that human error, such as poor security and misused credentials, resulted in 95% of data breaches in 2024.

Furthermore, only a small segment of employees were the major offenders in these cases. Of those surveyed, 8% of staff members accounted for 80% of breach incidents¹.

This startling finding emphasizes the importance of keeping PHI under strict lock and key for healthcare providers and employers. This is especially true if you manage your employees’ health benefits and are responsible for reimbursing their medical expenses through a health reimbursement arrangement (HRA).

But how do you know which employee health information needs protection, and how do you keep it safe? This article will explain what PHI is and how to stay compliant.

In this blog post, you’ll learn:

• What qualifies as protected health information under HIPAA.
• How protected health information is used and protected, who is responsible for keeping it secure, and what can happen if it’s mishandled.
• Best practices for employers offering health benefits to stay HIPAA-compliant.

What is protected health information (PHI)?

Protected health information (PHI) is specific data that a medical professional collects to identify an individual patient and determine appropriate treatment and care.

PHI data includes:

• Demographic information
• Medical histories
• Laboratory results
• Billing information
• Physical and electronic medical record platforms
• Mental health records
• Health insurance information

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides federal protections for PHI. It outlines regulations for keeping individuals’ PHI safe and undisclosed to those not authorized to view it.

The HIPAA Privacy Rule protects “personally identifiable health information,” which the law considers PHI².

If data includes any of the following identifiable health information, the federal government considers it PHI:

• Names
• Birth dates and healthcare service dates (aside from the year)
• Telephone numbers
• Geographic data other than the state in which they reside. For example, this includes the street address, city, county, or ZIP code.
• FAX numbers
• Social Security numbers
• Email addresses
• Medical record numbers
• Account numbers
• Health plan beneficiary numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plates
• Web URLs and IP addresses
• Device identifiers and serial numbers
• Internet protocol addresses
• Full-face photos and comparable photographic images
• Biometric data (i.e., retinal scan, fingerprints)
• Any unique identifying number or code

PHI applies to all past, present, and future health status information handled by any covered entity — be it an individual, organization, or agency — in any form.

For example, when someone transfers, receives, or saves PHI in electronic media — such as an email, digital file, or computer — that’s called electronic PHI. All HIPAA Privacy Rules still apply, no matter what medium stores the information.

What isn’t considered protected health information?

Many people think all personal health histories and related information are PHI under HIPAA. But there are some exceptions.

PHI depends on who or what records the information. For example, mobile health trackers, like wearable devices or mobile apps on electronic devices, can record health information with common identifiers, such as heart rate or blood pressure.

However, this data is only PHI under HIPAA if a healthcare provider records this information or a health plan uses it. For example, suppose the device manufacturer or health app developer doesn’t have a business associate agreement with a HIPAA-covered entity. In that case, the data the app records isn’t considered PHI.

Data isn’t PHI if it contains no personal identifiers to tie the specific information back to an individual. If you remove the identifiers, the health information becomes de-identified data, and HIPAA Rules no longer apply.

How is protected health information used?

Medical professionals commonly use PHI to track medical information during a patient's life. This helps physicians get the background they need to understand a person's medical condition and administer proper patient care.

Clinicians and research scientists also use PHI to study healthcare trends. Individuals can also use anonymized PHI to create value-based care programs that reward healthcare providers for providing quality healthcare services.

HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 limit the types of PHI that healthcare staff, insurers, and their business associates can collect. These regulations also limit what those healthcare professionals can do with the data they receive, such as how they can share it, to keep patient information private.

Who is subject to HIPAA’s rules about protected health information?

The HIPAA Privacy Rule applies to any HIPAA-covered entity, including medical providers, insurance carriers, and healthcare clearinghouses. These rules also apply to employers operating in one or more of these capacities, such as if they manage a health benefit like an HRA.

HIPAA defines and limits the circumstances in which covered entities may use or disclose an individual’s PHI. For instance, an employer can’t use or disclose PHI except as the Privacy Rule permits or requires. In some cases, they may share PHI data if the individual who is the subject of the information (or the individual’s representative) authorizes it in writing.

What happens if there’s a protected health information leak?

There are many ways for PHI to end up in the wrong hands. For example, a leak can happen if devices storing PHI are lost or stolen. Hackers and cybercriminals are interested in PHI because it contains identifiable and personal health information.

Another way a leak could occur is if someone at your company or healthcare organization accidentally discloses an employee’s PHI to an entity without proper approval. Even something as simple as forgetting to shred documents can lead to a breach.

If any of the above happens, your company can face hefty consequences. The civil penalties for HIPAA noncompliance can range from $141 to $2,134,831 per violation, depending on the severity of the negligence³.

If the situation is severe, some violations can even result in jail time for those responsible for disseminating the information. This is why organizations and their business associates must keep PHI safe.

“We enforce multi-factor authentication to add an extra layer of security [for digital medical records],” said Bryan Wright, owner of Wright Physical Therapy. “This minimizes the risk of unauthorized access even if login credentials are compromised. Regular audits and staff training sessions keep everyone updated on best practices for PHI protection.”

How do I keep my employees’ protected health information safe?

Even if your company isn’t a healthcare organization, you must take PHI seriously as an employer. If you’re offering a health benefit like an HRA, it’s your responsibility to keep any of your employees’ PHI safe so that it’s not shared or viewed by those who aren’t authorized to see it.

Here are just a few ways to keep your employees’ PHI secure:

• Adopt written PHI patient health privacy procedures.
• Implement physical safeguards by designating a privacy officer.
• Offer privacy rule requirements training to all your employees.
• Encrypt and password-protect electronic health records and hard drives as technical safeguards to prevent a breach.
• Implement best practices to ensure you never use PHI when making employment or health benefits decisions, marketing, or fundraising.

“We store paper records in locked cabinets accessible only to authorized staff,” Wright said. “Our server rooms are restricted to essential personnel, reducing the risk of internal breaches. We also employ a comprehensive exercise regimen to help maintain a high level of service quality while ensuring our practices are up-to-date with current security standards. This combination of digital and physical security measures ensures that we provide the highest level of protection for our patients' personally identifiable information.”

What if I offer an HRA?

An HRA is an employer-funded health benefit that allows you to reimburse employees tax-free for their individual health plan premiums and qualifying out-of-pocket costs.

With an HRA, you give participating employees a monthly allowance that they can use to buy a health plan and other medical expenses. Once they make an eligible purchase, you reimburse them tax-free up to their allowance amount.

If you self-administer an HRA, you may interact with your employees’ PHI at certain times, such as reviewing their documentation for reimbursement requests. Any improper self-administration could result in fines or breaches.

But if you use HRA administration software powered by PeopleKeep by Remodel Health, our easy-to-use platform and award-winning customer support team can make your life easier. We review and securely store your employees’ claim documentation and help you navigate HIPAA regulations so you don’t have to worry about PHI errors or self-administration pitfalls.

What if I offer a health stipend?

Some employers offer a health stipend instead of a formal health benefit. With a health stipend, you give your employees a fixed amount of money to buy medical insurance and healthcare services. You typically add this stipend to your employees’ paychecks as wages. Because the IRS considers the money extra income, it’s taxable at the end of the year.

With a health stipend, you can’t require your employees to submit documentation of what they used their stipend money on, including premium payments to health insurance companies or other out-of-pocket medical expenses. You simply provide the stipend, and they can spend the funds on whatever they choose. This keeps your employees’ PHI safe from prying eyes.

Conclusion

Understanding PHI and how to protect it can help you avoid hefty penalties for compliance violations. Staying on top of patient privacy rules and compliance regulations within the healthcare industry can seem daunting when offering a health benefit. But luckily, you don’t have to go it alone.

PeopleKeep by Remodel Health’s HRA software helps organizations nationwide administer their HRAs to comply with state and federal regulations and keep their employees' personal information safe. Book a call today, and we’ll set you up with a personalized health benefit that your staff will love.

This article was originally published on September 23, 2021. It was last updated on August 4, 2025.

1. 95% of Data Breaches Tied to Human Error in 2024

2. Summary of the HIPAA Privacy Rule

3. What are the Penalties for HIPAA Violations?