What’s the real cost of a data breach? It’s not just fines; it’s trust, contracts, and careers on the line. Protected Health Information (PHI) isn’t just medical records; it’s a prime target for cybercriminals, because a stolen medical record sells on the dark web for many times the price of a stolen credit card number. Yet many organizations still treat PHI security as an IT issue. It’s not; it’s a business risk that affects compliance, reputation, and financial stability.
This guide breaks down real-world examples of PHI, common security blind spots, and how to lock it down before it costs you millions. Whether you handle billing, procurement, or compliance, this is the wake-up call you didn’t know you needed.
What is PHI?
Protected Health Information (PHI) includes any data that identifies an individual and relates to their healthcare. If a piece of information connects a patient’s identity with their medical history, treatment, or billing, it qualifies as PHI under HIPAA (Health Insurance Portability and Accountability Act).
Think of it this way: A blood test result alone isn’t PHI. But attach a name, date of birth, or medical record number, and now it’s protected. That distinction is what makes PHI so valuable - and that’s why securing it is a legal requirement.
PHI vs. PII: What’s the difference?
It’s easy to confuse PHI (Protected Health Information) with PII (Personally Identifiable Information) - but they’re not the same.
- PII includes general personal data like names, addresses, phone numbers, or Social Security numbers. It applies across industries, from finance to e-commerce.
- PHI is a subset of PII that’s specifically tied to healthcare - meaning it must be linked to a patient’s medical history, treatment, or billing to be considered PHI.
For example:
- A phone number on its own? Just PII.
- A phone number stored in a hospital’s patient record? Now it’s PHI under HIPAA.
If PII lives everywhere, PHI lives only in the hands of HIPAA-covered entities (hospitals, insurers, healthcare providers, clearinghouses) and the business associates that handle it on their behalf. That’s why it has stricter legal protections.
HIPAA’s Privacy Rule: The Law That Governs PHI
The HIPAA Privacy Rule dictates how PHI must be collected, stored, shared, and protected. It applies to covered entities (healthcare providers, insurers, and clearinghouses) and their business associates (third-party vendors handling PHI).
Key takeaways from HIPAA’s Privacy Rule:
- PHI must be protected at all times, whether in paper, digital, or oral form.
- Patients have the right to access, amend, and request restrictions on their PHI.
- Sharing PHI is only allowed under strict conditions, such as treatment, payment, or healthcare operations (TPO).
Violating HIPAA’s Privacy Rule isn’t just an internal policy breach; it carries federal penalties. Civil fines can reach $50,000 per violation (the statutory figure, adjusted upward for inflation each year), and knowingly obtaining or disclosing PHI can bring criminal charges.
The 18 HIPAA Identifiers That Classify PHI
Under HIPAA, PHI is defined by 18 specific identifiers (the Safe Harbor list in 45 CFR 164.514(b)(2)). If any of these is attached to health-related data, the data must be protected:
- Names
- Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code), except the first three digits of a ZIP code when that area contains more than 20,000 people
- All elements of dates (except year) directly related to an individual: birth date, admission and discharge dates, date of death, and all ages over 89
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers, including finger and voice prints
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
Even one of these identifiers attached to health data qualifies it as PHI.
Which identifiers need to be combined to qualify as PHI?
An identifier on its own is not PHI. It becomes PHI when it is combined with health-related details and held by a covered entity or business associate:
- Example 1: A license plate number by itself? Not PHI. A license plate tied to a hospital parking record for a patient? That’s PHI.
- Example 2: An email address alone? Just PII. But if it’s linked to a doctor’s appointment confirmation? That’s PHI.
→ Rule of thumb: If any of these 18 identifiers are linked to medical history, treatment, or billing, it becomes PHI and must be protected under HIPAA.
Where PHI Exists: Common Healthcare Use Cases
PHI isn’t just stored in patient charts or hospital servers. It exists anywhere healthcare data is created, shared, or processed - from hospitals to insurance companies, research labs, and even wearable devices. If it connects a person to their health data, it’s PHI.
Here’s where PHI commonly appears across different healthcare functions:
1. In Hospitals & Clinics
Hospitals and clinics generate, store, and share vast amounts of PHI. Every patient interaction creates a new data point that falls under HIPAA’s protection.
Common PHI in Hospitals & Clinics:
- Electronic Health Records (EHRs) – Diagnosis, treatment plans, and medical histories.
- Medical imaging & scans – MRI, X-ray, and CT scan results tied to a patient’s identity.
- Prescriptions – Digital or printed medication records with patient information.
- Doctor’s notes & consultation records – Includes symptoms, diagnosis, and follow-up care.
Security risk: A single unsecured email or misplaced file can expose thousands of patient records.
2. In Insurance & Billing
PHI extends beyond hospitals and into the financial side of healthcare. Insurance companies, billing departments, and healthcare payers handle sensitive information that links patients to their treatment and payments.
Common PHI in Insurance & Billing:
- Claim forms – Contains patient information, diagnosis codes, and treatment details.
- Health Plan Beneficiary Numbers – Identifies a patient’s insurance policy.
- Billing statements – Includes medical services received and account details.
Security risk: A compromised billing system can lead to fraud, identity theft, and financial loss.
3. In Research & Clinical Trials
Healthcare research often involves analyzing patient data to improve treatments, but when research involves identifiable patient information, it becomes PHI.
Common PHI in Research & Clinical Trials:
- Medical history data sets – Used for studying disease patterns or treatment effectiveness.
- Genetic information – Includes DNA sequences linked to patient records.
- Patient treatment outcomes – Data collected from clinical trials on new medications or therapies.
Security risk: If research data isn’t properly de-identified, it can be traced back to individual patients, and HIPAA rules apply to it in full.
4. In Telemedicine & Wearables
Remote healthcare services and health-tracking devices have changed how PHI is collected. Whether a patient is consulting a doctor via video or tracking vitals on a smartwatch, PHI is being generated.
Common PHI in telemedicine & wearables:
- Telehealth session records – Virtual consultations stored in a patient’s health record.
- Wearable device data – Heart rate, glucose levels, or blood pressure recorded by fitness trackers or medical devices.
- Mobile health apps – Patient portals storing test results, appointment records, and prescriptions.
Security risk: Many consumer health apps and devices sit outside HIPAA entirely, so nothing obliges their makers to meet Security Rule standards, and leaks from them are common.
5. In employer health plans
Employers that offer health benefits handle PHI through insurance providers and wellness programs. The employer itself is not a covered entity, but its group health plan is, so whoever administers the plan must follow HIPAA rules, and PHI held by the plan must be kept away from employment decisions.
Common PHI in employer health plans:
- Employee health insurance records – Enrollment details, claims data, and premium payments.
- Workplace wellness programs – Health screenings, smoking cessation programs, and mental health services.
- Disability & workers’ compensation claims – Includes medical records related to work injuries or long-term disability cases.
Security risk: Mishandling PHI in an employer setting can lead to HIPAA violations and employee privacy concerns.
What is Not Considered PHI? (Common Misconceptions)
Not all health-related information is PHI. HIPAA only applies when health data is linked to an individual’s identity and is handled by a covered entity or business associate. If the information is stripped of identifiable details or exists outside the healthcare system, it doesn’t fall under PHI regulations.
Here are some common misconceptions about what qualifies as PHI:
1. De-identified data used for research
When health data is stripped of all 18 HIPAA identifiers (the Safe Harbor method), or a qualified expert documents that the risk of re-identifying anyone is very small (the Expert Determination method), it is no longer PHI. This kind of data is often used in medical research, public health studies, and statistical analysis.
For example:
- A hospital releases a study on diabetes trends but removes names, birthdates, and other personal identifiers.
- A research lab collects blood samples but does not link them to any patient records.
As long as there’s no way to trace the data back to an individual, it is considered de-identified and is exempt from HIPAA.
2. Health Data from Fitness Apps (Unless Linked to a Provider)
Consumer health apps like Fitbit, Apple Health, or Google Fit collect health data but are not HIPAA-covered entities. That means the step count, heart rate, or sleep tracking data stored on your smartwatch is not PHI—unless it’s shared with a doctor or insurer.
When it becomes PHI:
- If a Fitbit report is shared with a doctor and added to a medical record, it becomes PHI.
- If a patient’s Apple Health data is used by an insurance provider to adjust premiums, it qualifies as PHI.
When it is not PHI:
- If a person uses a weight-loss app to track their diet, it’s personal data but not protected under HIPAA.
- If a fitness tracker logs daily steps, but the data never enters the healthcare system, it’s not PHI.
3. Patient testimonials & online health discussions
Patients sharing their own health experiences on social media, forums, or websites is not PHI; HIPAA restricts covered entities and business associates, not individuals talking about themselves. The same information becomes PHI, and posting it becomes a violation, when a provider does the sharing with identifying details.
When it is PHI (and posting it is a violation):
- A hospital posts a before-and-after surgery photo of a patient without the patient’s written authorization.
- A medical provider discusses a patient’s treatment on a public platform using identifying details.
When it is not PHI:
- A patient shares their recovery story on Facebook without mentioning a hospital or provider.
- A user on a health forum talks about their symptoms but remains anonymous.
4. Aggregated health reports without personal identifiers
Public health reports, hospital performance metrics, and disease trend analysis often use patient data, but if all identifiers are removed, they are not considered PHI.
Examples of non-PHI reports:
- A government agency releases a COVID-19 case study showing infection rates without personal details.
- A hospital publishes a report on surgery success rates without listing patient names or MRNs.
If a dataset cannot be traced back to an individual, it falls outside HIPAA’s scope.
Why PHI is a Prime Target for Hackers
Medical data is worth more than credit card information on the dark web. Unlike credit cards, which can be canceled or reissued, PHI is permanent, which makes it a goldmine for identity theft, insurance fraud, and extortion.
Hackers don’t just target hospitals. Any organization handling PHI (including insurers, research firms, and billing services) is a potential entry point.
Here’s why PHI is so valuable and how it gets compromised.
The Value of PHI on the Black Market
Estimates vary widely, but a single stolen medical record is commonly quoted at anywhere from $250 up to $1,000, compared to credit card details, which often go for $1 to $5 per record.
What makes PHI so valuable?
- More fraud opportunities – Stolen PHI is used for identity theft, fake insurance claims, and prescription fraud.
- Longer shelf life – Unlike a credit card, which can be canceled, stolen medical data can be exploited for years.
- Complete identity profiles – PHI includes Social Security numbers, addresses, and medical histories, making it a one-stop shop for cybercriminals.
How PHI Gets Compromised
Even with security measures in place, hackers find ways to exploit weak links. The biggest threats include:
1. Phishing Attacks
Cybercriminals send fake emails posing as healthcare administrators, IT teams, or government agencies. Employees click a malicious link, unknowingly giving hackers access to patient databases.
- Example: An employee receives an email requesting a password reset for an EHR system. The login page looks real, but it’s a phishing site designed to steal credentials.
2. Ransomware Attacks
Hackers encrypt PHI and demand payment to unlock it. Healthcare organizations, fearing operational shutdowns and HIPAA fines, often pay the ransom - only to be targeted again.
- Example: In 2021, Scripps Health suffered a ransomware attack that locked patient records for nearly a month, delaying treatments and forcing staff to rely on paper records.
3. Insider Threats
Employees with legitimate access to PHI are a risk in their own right: they can leak data accidentally or sell it deliberately.
- Example: A former hospital employee at Memorial Healthcare System stole patient records and sold them to identity thieves, leading to over $5 million in fraudulent claims.
Major Healthcare Breaches: What Went Wrong?
Even large healthcare organizations with strong security budgets have fallen victim to massive PHI breaches. While the attacks themselves varied, the root causes often stemmed from avoidable security lapses - unpatched systems, weak employee training, and delayed threat detection.
Three well-known examples are Anthem (2015), Premera Blue Cross (2014-2015), and CommonSpirit Health (2022).
Key takeaways from these breaches:
- Phishing is still a leading cause: Without MFA and regular employee security training, stolen credentials can grant attackers full system access.
- Unpatched vulnerabilities lead to breaches: Delaying security updates allows hackers to exploit known weaknesses for months or even years.
- Lack of network segmentation makes ransomware worse: If systems aren’t isolated, malware can spread uncontrollably, crippling entire healthcare networks.
- Slow threat detection increases damage: Some breaches lasted months or even years before discovery, giving hackers more time to steal sensitive PHI.
The Legal & Financial Consequences of Mishandling PHI
Failing to protect PHI isn’t just a compliance issue; it comes with severe legal, financial, and reputational damage. A single breach can cost millions, spark lawsuits, and expose patients to identity theft.
Here’s what’s at stake when PHI falls into the wrong hands.
1. Identity Theft & Fraud
PHI is a goldmine for criminals because it contains everything needed for identity theft: names, Social Security numbers, insurance details, and medical records. Unlike a stolen credit card, medical data can’t be easily changed, so victims can suffer for years.
How criminals exploit stolen PHI:
- Medical identity theft: Fraudsters use stolen records to receive treatment, prescriptions, or even surgeries under someone else’s name.
- Fake insurance claims: Scammers file fraudulent health claims using stolen insurance details.
- Prescription fraud: Criminals use stolen doctor-issued prescriptions to obtain and resell controlled substances.
2. HIPAA Non-Compliance Fines
HIPAA violations can result in massive financial penalties, even if no breach occurs. The Office for Civil Rights (OCR) enforces HIPAA and regularly fines organizations for failing to safeguard PHI.
HIPAA civil penalty structure (per violation; statutory amounts set by HITECH, which HHS adjusts annually for inflation):
- Tier 1 – the organization did not know, and could not reasonably have known, of the violation: $100 to $50,000 per violation.
- Tier 2 – reasonable cause, not willful neglect: $1,000 to $50,000 per violation.
- Tier 3 – willful neglect, corrected within 30 days: $10,000 to $50,000 per violation.
- Tier 4 – willful neglect, not corrected: $50,000 per violation.
Each tier carries a statutory annual cap of $1.5 million for identical violations, also adjusted for inflation.
Notable HIPAA Fines:
- Anthem (2018) – $16 million settlement after a phishing attack exposed nearly 79 million records.
- MD Anderson Cancer Center (2018) – $4.3 million penalty for unencrypted devices that led to a PHI breach (the penalty was later vacated on appeal in 2021).
- Banner Health (2020) – $6 million class-action settlement after a 2016 intrusion exposed nearly 3 million patient records; OCR separately settled with Banner for $1.25 million in 2023.
3. Lawsuits & Loss of Reputation
Beyond HIPAA fines, data breaches often lead to class-action lawsuits. Patients who suffer financial or medical harm sue organizations for negligence, and settlements can reach tens of millions.
Example: Excellus BlueCross BlueShield – A breach discovered in 2015 exposed 9.3 million records. In 2021 the company paid OCR $5.1 million and adopted a corrective action plan to settle potential violations of the HIPAA Privacy and Security Rules.
A damaged reputation is even harder to recover from. Patients lose trust, leading to lost business, higher costs, and long-term financial damage.
4. Cybersecurity Threats
Healthcare is one of the top targets for cyberattacks. Weak security practices, outdated systems, and poor employee training make hospitals, insurance companies, and clinics easy targets.
Top cybersecurity threats to PHI:
- Phishing & Social Engineering – Employees get tricked into giving away credentials.
- Ransomware – Hackers encrypt patient data and demand payment to unlock it.
- Insider threats – Employees steal or leak PHI for financial gain.
- Unpatched systems – Outdated software creates security gaps that hackers exploit.
Example: In late 2022, the CommonSpirit Health ransomware attack forced hospitals to cancel surgeries and delay treatments. The health system later reported roughly $160 million in losses and recovery costs.
Mishandling PHI isn’t just a regulatory issue; it’s a business risk. A single mistake can cost millions, harm patients, and destroy trust.
How to Protect PHI: Best Practices for Organizations
Protecting PHI isn’t just about compliance; it’s about preventing financial losses, reputational damage, and legal penalties. Organizations handling PHI must implement layered security measures across administrative, physical, and technical levels.
Here’s how to lock down PHI and reduce the risk of breaches.
1. Administrative Safeguards
Policies and controls to ensure that only authorized personnel access PHI and that employees handle data securely.
a. Employee Training
Most PHI breaches stem from human error. Employees need regular training to prevent phishing attacks, mishandling of sensitive data, and security lapses.
Best practices:
- Teach employees how to spot phishing attacks and report suspicious emails.
- Enforce secure handling of PHI in emails, file transfers, and storage.
- Provide role-specific HIPAA compliance training for different departments.
b. Access control & policies
Not every employee needs full access to PHI. Organizations should implement role-based access control (RBAC) to restrict PHI access based on job responsibilities.
Best practices:
- Assign least-privilege access - employees should only access what they need.
- Require unique logins for tracking and accountability.
- Limit admin privileges to prevent unauthorized PHI modifications.
Using a SaaS management platform like CloudEagle, organizations can monitor access to sensitive systems, automate access reviews, and ensure employees only retain necessary permissions over time.
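As an added example (not from the original page, and not CloudEagle’s code), here is the core of such an access review in Python. It compares each account’s actual grants against the approved permission set for its role, flags grants outside the role, flags privileged grants held outside the admin role, and flags permissions nobody has exercised in 90 days. The role names, permission strings, review date and the entitlement snapshot are all constructed for illustration; in practice the snapshot would come from your identity provider or application exports.

```python
"""Automated least-privilege access review (added example, constructed schema)."""
from collections import defaultdict
from datetime import date, timedelta

# Approved permission set per role: the minimum necessary for that job.
# Role and permission names are constructed for this example.
ROLE_PERMISSIONS = {
    "nurse": {"chart:read", "chart:write", "orders:read"},
    "billing_clerk": {"claims:read", "claims:write", "demographics:read"},
    "ehr_admin": {"chart:read", "orders:read", "users:admin", "export:bulk"},
}
# Grants that let one account change PHI access or pull records in bulk.
PRIVILEGED = {"users:admin", "export:bulk"}
STALE_AFTER = timedelta(days=90)
REVIEW_DATE = date(2024, 3, 4)          # constructed "today" for the review

# Constructed entitlement snapshot: (user, role, permission, date last exercised or None).
SNAPSHOT = [
    ("nbrown", "nurse", "chart:read", date(2024, 3, 1)),
    ("nbrown", "nurse", "chart:write", date(2024, 2, 27)),
    ("nbrown", "nurse", "orders:read", date(2023, 10, 2)),      # unused for months
    ("nbrown", "nurse", "export:bulk", date(2024, 2, 20)),      # left over from a project
    ("pgreen", "billing_clerk", "claims:read", date(2024, 3, 3)),
    ("pgreen", "billing_clerk", "chart:read", None),            # never used, outside role
    ("kadmin", "ehr_admin", "users:admin", date(2024, 3, 2)),
    ("kadmin", "ehr_admin", "export:bulk", date(2024, 1, 5)),
]


def review_access(snapshot, today, role_permissions=ROLE_PERMISSIONS):
    """Return {user: [(permission, reason), ...]} for every grant that needs action."""
    findings = defaultdict(list)
    for user, role, perm, last_used in snapshot:
        reasons = []
        if perm not in role_permissions.get(role, set()):
            reasons.append("outside_role")          # exceeds what the role is approved for
        if perm in PRIVILEGED and role != "ehr_admin":
            reasons.append("privileged_grant")      # admin-class power outside the admin role
        if last_used is None or today - last_used > STALE_AFTER:
            reasons.append("unused_90d")            # not exercised: candidate for removal
        for reason in reasons:
            findings[user].append((perm, reason))
    return dict(findings)


def revocation_list(snapshot, today):
    """Grants to revoke outright: anything outside the role, or unused for 90 days."""
    return sorted(
        {(user, perm)
         for user, items in review_access(snapshot, today).items()
         for perm, reason in items if reason in ("outside_role", "unused_90d")}
    )


if __name__ == "__main__":
    for user, items in review_access(SNAPSHOT, REVIEW_DATE).items():
        print(user, items)
    print("revoke:", revocation_list(SNAPSHOT, REVIEW_DATE))
```

Privileged grants that are inside the admin role are not revoked automatically; they go to a human recertifier, which is the point of separating `review_access` (everything worth a look) from `revocation_list` (what can be pulled without discussion).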
c. Audit logs & monitoring
Organizations must track and monitor PHI access to detect unauthorized activity before it leads to a breach.
What to monitor:
- Repeated failed login attempts against one account or from one address, a sign of password guessing or credential stuffing.
- Unusual access patterns, such as an employee opening hundreds of patient records in a short time or viewing charts outside their department or shift.
- Transfers of PHI to external devices, personal email addresses, or file-sharing services.
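Here is what the three monitoring rules above look like as detection logic, as an added example written for this page rather than code from any EHR vendor. It runs over a constructed audit-log format (one event per line, `timestamp key=value ...`) with constructed events; the thresholds and the internal mail domain are assumptions to tune against your own baseline, and the sliding windows are kept in memory, which is fine for a batch run over one system’s daily logs.

```python
"""Detection rules over EHR audit-log lines (added example, constructed log format)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions to tune against your own baseline, not HIPAA numbers.
FAILED_LOGIN_LIMIT = 5                   # failures per (user, ip) inside FAILED_LOGIN_WINDOW
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
BULK_VIEW_LIMIT = 50                     # distinct patients per user inside BULK_VIEW_WINDOW
BULK_VIEW_WINDOW = timedelta(minutes=15)
INTERNAL_DOMAIN = "hospital.example"     # hypothetical; exports to any other domain are flagged


def build_sample_log():
    """Constructed log: one event per line, 'TIMESTAMP key=value ...'."""
    t0 = datetime(2024, 3, 4, 9, 0, 0)
    lines = [
        f"{t0.isoformat()} user=asmith event=login_ok ip=10.1.4.20",
        f"{(t0 + timedelta(minutes=1)).isoformat()} user=asmith event=view patient=MRN10442",
        f"{(t0 + timedelta(minutes=3)).isoformat()} user=asmith event=view patient=MRN10443",
        f"{(t0 + timedelta(minutes=4)).isoformat()} user=jdoe event=export patient=MRN10442 dest=j.doe@personalmail.example",
        f"{(t0 + timedelta(minutes=5)).isoformat()} user=jdoe event=export patient=MRN10443 dest=records@hospital.example",
    ]
    # Six failed logins against one account from one address within two minutes.
    lines += [f"{(t0 + timedelta(seconds=20 * i)).isoformat()} user=admin event=login_fail ip=203.0.113.9"
              for i in range(6)]
    # One user opening 60 different charts in six minutes.
    lines += [f"{(t0 + timedelta(minutes=10, seconds=6 * i)).isoformat()} user=rlee event=view patient=MRN2{i:04d}"
              for i in range(60)]
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def parse_line(line):
    ts, *fields = line.split()
    record = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def detect(records, internal_domain=INTERNAL_DOMAIN):
    """Apply the three rules in time order; return one finding per triggered condition."""
    findings, flagged = [], set()
    failures = defaultdict(deque)        # (user, ip) -> timestamps of recent failures
    views = defaultdict(deque)           # user -> recent (timestamp, patient) pairs
    for r in sorted(records, key=lambda r: r["ts"]):
        event = r.get("event")
        if event == "login_fail":
            key = (r.get("user"), r.get("ip"))
            window = failures[key]
            window.append(r["ts"])
            while r["ts"] - window[0] > FAILED_LOGIN_WINDOW:   # drop failures outside the window
                window.popleft()
            if len(window) >= FAILED_LOGIN_LIMIT and ("fail", key) not in flagged:
                flagged.add(("fail", key))                      # alert once per burst
                findings.append({"rule": "failed_logins", "user": key[0], "ip": key[1],
                                 "count": len(window), "at": r["ts"]})
        elif event == "view":
            window = views[r["user"]]
            window.append((r["ts"], r["patient"]))
            while r["ts"] - window[0][0] > BULK_VIEW_WINDOW:
                window.popleft()
            distinct = len({patient for _, patient in window})  # re-opening one chart is not bulk access
            if distinct >= BULK_VIEW_LIMIT and ("bulk", r["user"]) not in flagged:
                flagged.add(("bulk", r["user"]))
                findings.append({"rule": "bulk_record_access", "user": r["user"],
                                 "count": distinct, "at": r["ts"]})
        elif event == "export" and not r.get("dest", "").endswith("@" + internal_domain):
            findings.append({"rule": "external_transfer", "user": r["user"],
                             "patient": r.get("patient"), "dest": r.get("dest"), "at": r["ts"]})
    return findings


def run_sample():
    return detect(parse_line(line) for line in SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Two design points carry over to real deployments: count distinct patients rather than raw view events, or a clinician refreshing one chart trips the bulk rule, and alert once per burst rather than on every event past the threshold, or the sixth failed login pages the on-call after the fifth already did.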
2. Physical safeguards
Securing PHI isn’t only digital protection: physical documents, workstations, and storage areas must also be protected.
a. Restricted areas & secure storage
- Keep medical records locked in secured file cabinets or rooms.
- Limit access to authorized personnel only, using badge-based entry systems for sensitive areas.
- Ensure visitor access is logged and monitored.
b. Shred physical documents
- Never discard PHI in regular trash bins - always shred it before disposal.
- Use locked disposal bins for paper records waiting to be shredded.
c. Workstation security
- Auto-lock screens after inactivity.
- Position monitors away from public view so that visitors and passers-by cannot read what is on screen.
- Restrict USB ports to prevent unauthorized data transfers.
3. Technical Safeguards
Cybersecurity controls that prevent breaches, limit access, and protect PHI from cyberattacks.
a. Encryption of PHI Data
- Encrypt PHI at rest and in transit to prevent unauthorized access.
- Use end-to-end encryption for PHI-related emails and file transfers.
- Encrypt laptops, external drives, and mobile devices that store PHI.
b. Multi-factor authentication (MFA)
- Require MFA for all PHI access, including employees and third-party vendors.
- Use biometric authentication, security keys, or one-time passcodes.
c. Firewall & antivirus protection
- Install next-generation firewalls to block unauthorized access.
- Use endpoint detection & response (EDR) tools to monitor for threats.
- Regularly update and patch security software to fix vulnerabilities.
d. Secure backups
- Maintain offline backups to protect against ransomware.
- Store encrypted backups in case of data theft.
- Regularly test recovery plans to ensure rapid restoration after an attack.
4. HIPAA Compliance Best Practices
Regulatory requirements to reduce compliance risks and ensure PHI protection.
a. Business Associate Agreements (BAAs)
Organizations that share PHI with third parties (e.g., cloud providers, billing services) must have signed BAAs to ensure compliance.
What should a BAA include?
- How PHI is handled, stored, and secured.
- Responsibilities in case of a breach.
- Compliance requirements with HIPAA’s Security & Privacy Rules.
b. De-identification of data
- Remove the 18 Safe Harbor identifiers (names, addresses below state level, dates other than year, medical record numbers, and so on) before PHI is used for research, or have a qualified expert document that the re-identification risk is very small (Expert Determination).
- Re-check free-text fields such as clinical notes: identifiers routinely survive there after the structured fields have been stripped.
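Here is the Safe Harbor method applied to a single record, as an added example for this section and for the “De-identified data used for research” section above; it is not code from the original page. The flat field names and the sample record are a constructed schema. The identifier categories, the year-only date rule, the 90-and-over age bucket and the restricted three-digit ZIP prefixes follow 45 CFR 164.514(b)(2) and HHS guidance. The free-text scrub is the part de-identification pipelines most often get wrong, so the example re-scans its own output to confirm nothing survived.

```python
"""Safe Harbor de-identification of a patient record (added example, constructed schema)."""
import re
from datetime import date

# Direct identifiers from 45 CFR 164.514(b)(2), mapped onto this example's field names.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip", "biometric", "photo",
}
# Dates directly related to the individual: everything but the year is removed.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}
# Three-digit ZIP prefixes whose area holds 20,000 people or fewer (HHS-published
# list derived from the 2000 census); Safe Harbor requires these to become 000.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}
# Identifiers that leak into free text. Order matters: SSN and dates before phone.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\bMRN\d+\b"), "[MRN]"),
]

SAMPLE_RECORD = {  # constructed patient record
    "name": "Jane Q. Patient", "mrn": "MRN10442", "ssn": "123-45-6789",
    "email": "jane@example.com", "phone": "(555) 010-2345",
    "street": "12 Elm St", "city": "Springfield", "state": "MA", "zip": "02134",
    "dob": "1931-06-15", "admission_date": "2024-03-04",
    "diagnosis_code": "E11.9", "hba1c": 7.9,
    "notes": "Pt (MRN10442) seen 2024-03-04, call 555-010-2345 or jane@example.com; SSN 123-45-6789 on file.",
}
AS_OF = date(2024, 3, 4)   # constructed reference date for computing age


def zip3(zip_code):
    """First three digits of the ZIP, or 000 for sparsely populated prefixes."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(dob_iso, as_of):
    y, m, d = (int(p) for p in dob_iso.split("-"))
    return as_of.year - y - ((as_of.month, as_of.day) < (m, d))


def scrub_text(text):
    for pattern, placeholder in FREE_TEXT_PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


def deidentify_safe_harbor(record, as_of=AS_OF):
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                                    # removed outright
        if field == "zip":
            out["zip3"] = zip3(value)
        elif field in DATE_FIELDS:
            out[f"{field}_year"] = int(value[:4])       # keep the year only
        elif field == "notes":
            out["notes"] = scrub_text(value)
        else:
            out[field] = value                          # clinical data and state stay
    if "dob" in record:
        age = age_on(record["dob"], as_of)
        if age > 89:
            out["age"] = "90+"                          # single bucket for ages over 89
            out.pop("dob_year", None)                   # birth year alone would reveal age > 89
        else:
            out["age"] = age
    return out


def residual_identifiers(record):
    """Re-scan every string value; a clean record returns an empty list."""
    hits = []
    for field, value in record.items():
        if isinstance(value, str):
            hits += [(field, p.pattern) for p, _ in FREE_TEXT_PATTERNS if p.search(value)]
    return hits


if __name__ == "__main__":
    cleaned = deidentify_safe_harbor(SAMPLE_RECORD)
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned))
```

The pattern list is deliberately narrow; a production scrubber adds names (usually via a dictionary or a named-entity model), addresses, and the organization’s own internal ID formats, and the `residual_identifiers` pass is what tells you when one of those has been missed.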
c. Incident response plans
Organizations must have a plan to respond quickly if a breach occurs.
- Define who takes action (security teams, compliance officers).
- Outline steps to contain and investigate breaches.
- Have a process for notifying affected individuals.
PHI vs. ePHI (Electronic PHI) - Understanding the Difference
Not all PHI is stored on paper. Electronic Protected Health Information (ePHI) refers to any PHI that is created, stored, or transmitted digitally. While both PHI and ePHI fall under HIPAA regulations, ePHI requires additional safeguards due to its increased vulnerability to cyberattacks.
Here’s how ePHI differs from traditional PHI and what extra security measures are required to keep it safe.
→ How ePHI is Stored & Transmitted Digitally
Traditional PHI includes paper records, printed test results, or physical X-rays. In contrast, ePHI is stored and transmitted through digital systems, including:
- Electronic Health Records (EHRs): Digital patient files used by hospitals and clinics.
- Patient Portals & Mobile Apps: Online access to test results, prescriptions, and appointments.
- Medical IoT & Wearables: Devices that collect and transmit real-time patient health data.
- Billing & Insurance Databases: Digital platforms storing payment and insurance information.
- Email & Messaging Systems: Internal communication containing sensitive health details.
Because ePHI is easier to access, copy, and steal, it is a prime target for cybercriminals.
→ HIPAA Security Rule: Extra Protections for ePHI
The HIPAA Security Rule sets specific safeguard standards for ePHI, on top of the Privacy Rule’s rules about use and disclosure:
- Administrative Safeguards – Risk analysis and risk management, workforce policies, and procedures that limit who can reach ePHI.
- Technical Safeguards – Access controls, audit logging, integrity controls, and encryption of ePHI in transit and at rest.
- Physical Safeguards – Facility access controls, workstation security, and device and media controls, including tracking hardware and sanitizing it before disposal.
For example, if a laptop containing ePHI is lost, that is a reportable breach unless the data was encrypted in line with HHS guidance, in which case it falls under the breach-notification safe harbor. A login password on its own does not qualify: the drive can simply be removed and read on another machine.
→Best Practices for Securing ePHI
1. Cloud storage security
Many healthcare organizations store ePHI in cloud-based EHRs, billing platforms, and backup systems. No cloud provider is “HIPAA-compliant” on its own: the major providers (Google Cloud, AWS, Microsoft Azure) will sign a BAA and publish which of their services it covers, but configuring those services securely and keeping ePHI out of the uncovered ones is your responsibility.
- Use only services your cloud provider covers under a signed BAA.
- Sign Business Associate Agreements (BAAs) with every cloud vendor before any ePHI lands there.
- Enable encryption at rest and in transit, and require multi-factor authentication (MFA) for all console and API access.
2. Email encryption & secure messaging
Email is a high-risk transmission channel for PHI: an unencrypted message is readable on every mail server it passes through and in every mailbox it lands in. The Security Rule’s transmission-security standard requires you to encrypt ePHI in transit or document why an equivalent control makes that unnecessary, so sending ePHI over plain email with neither in place is a violation.
- Use end-to-end encryption for emails containing PHI.
- Avoid sending PHI over unsecured email or personal messaging apps.
- Implement secure email gateways (SEGs) to prevent data leaks.
Misdirected email, where a staff member sends PHI to the wrong recipient, is a recurring breach type in OCR’s reports. Encryption alone doesn’t stop it: a message encrypted to the wrong address is still readable by the wrong person. What helps are outbound DLP rules that flag PHI leaving the organization, recipient-confirmation prompts for external domains, and secure portals that require the intended recipient to authenticate before the message opens.
3. Secure file sharing
Sharing medical records through personal accounts on consumer cloud services (Google Drive, Dropbox, etc.) that sit outside any BAA can lead to data leaks.
- Use HIPAA-compliant file-sharing platforms (ShareFile, Box for Healthcare).
- Apply role-based access controls (RBAC) to limit access to PHI.
- Ensure audit logs track who accesses and downloads ePHI files.
Protecting PHI Starts With the Right Strategy
Protected Health Information (PHI) isn’t just another data point; it’s deeply personal, highly valuable, and constantly targeted. Whether it’s stored on paper or in the cloud, one security lapse can lead to breaches, lawsuits, and massive fines.
Protecting PHI requires strict access controls, continuous monitoring, and airtight security policies to keep sensitive data out of the wrong hands.
Strengthen PHI security & compliance with CloudEagle:
Managing PHI access across multiple platforms can get messy, especially when employees retain unnecessary permissions long after they need them.
CloudEagle simplifies access control and compliance monitoring, ensuring that only the right people have access to sensitive healthcare data. With automated audits and real-time alerts, you can catch security risks before they turn into breaches.