What is considered protected health information (PHI)?

Written by: Gabrielle Smith
Originally published on September 23, 2021. Last updated June 2, 2022.

A study conducted by researchers from Michigan State University and Johns Hopkins University found that the leading cause for personal health information getting leaked isn’t hackers—it’s poor security and negligence from the health officials who were authorized to have it in the first place.

This startling finding emphasizes the importance of keeping protected health information (PHI) under strict lock and key—not just for healthcare providers, but for employers, too. This is especially true if you have a hand in your employees’ healthcare, like if you reimburse your employees’ medical expenses through a health reimbursement arrangement (HRA).

But how do you know which of your employees’ health information needs protecting, and how do you keep it safe? In this article, we’ll explain exactly what PHI is and what you can do to stay compliant.

PeopleKeep is dedicated to helping organizations stay compliant—see how we can help

What is protected health information (PHI)?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines regulations for keeping individuals’ personal health information safe and undisclosed to those who aren’t authorized to view it.

Any personal health information that’s “individually identifiable” is protected by the HIPAA Privacy Rule, and is considered “protected health information” or PHI.

If the health information has any of the following identifiers, then it’s considered PHI:

  • Names
  • Dates (aside from the year)
  • Telephone numbers
  • Geographic data
  • FAX numbers
  • Social Security numbers
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers including license plates
  • Web URLs
  • Device identifiers and serial numbers
  • Internet protocol addresses
  • Full face photos and comparable images
  • Biometric identifiers (i.e. retinal scan, fingerprints)
  • Any unique identifying number or code

It’s important to note that PHI applies to all past, present, and future health information. It also applies to any form the information takes. For example, when PHI is transferred, received, or saved in an electronic form, such as in an email, digital file, or on a computer, that’s called ePHI. No matter what form the information takes, all the HIPAA Privacy Rules still apply.

Who is subject to HIPAA’s rules about protected health information?

The HIPAA Privacy Rule applies to any HIPAA-covered entity, including healthcare providers, health insurers, and healthcare clearinghouses. However, these rules also apply to employers if they somehow operate in one or more of those capacities—such as if you are administering an HRA.

HIPAA defines and limits the circumstances in which an individual’s PHI may be used or disclosed by covered entities. Through the Privacy Rule, an employer can’t use or disclose PHI, except as the Privacy Rule permits or requires, or as the individual who is the subject of the information (or the individual’s personal representative) authorizes it in writing.

What happens if PHI gets leaked?

There are a lot of ways for PHI to end up in the wrong hands. For example, a leak can happen if the devices storing PHI are lost or stolen. Or, someone at your organization may accidentally disclose an employee’s PHI to an entity without proper approval. Even something as simple as forgetting to shred documents can lead to a breach.

If any of the above happens, your organization can end up with some hefty consequences. The penalties for HIPAA noncompliance are meant to fit the crime, so fines can range from $100 to $50,000 per individual violation, depending on how serious the perceived level of negligence is.

If things are really serious, some violations can even result in jail time for the ones responsible for the information getting out.

How do I keep my employees’ protected health information safe?

As an employer offering an HRA, it’s your responsibility to keep any of your employees’ PHI safe so that it’s not shared or viewed by those who aren’t authorized to see it.

Here are just a few ways to keep your employees’ PHI secure:

  • Adopt written PHI privacy procedures
  • Designate a privacy officer
  • Offer training to all of your employees in privacy rule requirements
  • Ensure any hard drives are encrypted and protected by passwords to prevent a breach
  • Implement best practices so that PHI is never used for making employment or benefits decisions, marketing, or fundraising


Staying on top of privacy rules and compliance regulations can seem daunting, but you don’t have to go it alone. PeopleKeep’s benefits automation software and award-winning customer support team helps thousands of organizations nationwide administer their HRAs compliantly with both state and federal regulations every day.

See how PeopleKeep can help your organization stay compliant

Originally published on September 23, 2021. Last updated June 2, 2022.


Additional Resources

View All Resources