What is PHI, and how do you actually keep it safe?
PHI stands for protected health information. Under HIPAA it means health information that does two things at once. It relates to a person's health, their care, or the payment for that care — past, present, or future. And it identifies the person, or could reasonably be used to identify them. When information checks both boxes and it's held by a covered practice or one of its vendors, it's PHI, whether it's in a chart, an email, a text message, a voicemail, or a conversation at the front desk.
The identification piece is broader than people expect. Names count, obviously, but so do addresses, birth dates, phone numbers, email addresses, account numbers, photographs of faces, and even combinations of details that could single someone out in a small town. The regulation lists eighteen categories of identifiers, and the practical lesson is simple: if you'd need to remove it before the information became anonymous, it's an identifier.
The health information piece is also broader than people expect, because the mere fact that a person is your patient qualifies. An appointment reminder with a name on it is PHI. The schedule on the front desk screen is PHI. A voicemail saying this is Dr. Patel's office confirming your visit Thursday is PHI.
When PHI exists electronically, the rules call it ePHI, and HIPAA's Security Rule applies to it specifically. The Privacy Rule covers PHI in every form — paper and spoken word included.
Where PHI hides in a small practice: the texting threads between staff, the office email inbox especially the shared one, the sheet patients sign at the front desk readable by every patient after them, voicemails on a machine anyone in the back office can play, the printer tray and the shredder bin, photos on personal phones, the schedule visible on a screen that faces the waiting room, the contact form on your website which delivers messages about symptoms straight into an ordinary inbox, the marketing list built from patient emails, the old laptop in the supply closet that still has everything on it.
Six plain moves cover the ground: know where PHI lives (the risk analysis), limit who can see it (minimum necessary principle), protect it in motion and at rest (encryption), protect the paper and the rooms (physical safeguards), train the humans and paper the vendors (BAAs), and plan for the bad day (breach response). None of those moves requires expensive software. They require someone to own the map, keep it current, and write things down.