Protected Health Information (PHI) Definition
PHI is the "Sensitive Core" of healthcare data. It includes 18 specific identifiers, such as names, geographic subdivisions, dates, phone numbers, and NPIs when linked to health status. For Payer Executives, managing PHI is a high-stakes balancing act: you must share data for care coordination while strictly limiting access to prevent unauthorized disclosure. In Provider Data Management, a roster becomes PHI the moment it includes patient-specific data or sensitive provider identifiers used for billing. Operationally, PHI must be "De-identified" (identifiers removed) before it can be used for broad research or marketing analytics. Strategically, the "Minimum Necessary Standard" is the guiding principle—only share the specific PHI needed to complete a task.
FAQs
Is an NPI considered PHI?
Generally no, because it is a public-facing business identifier. However, when an NPI is linked to a patient's medical history or a provider's private home address, it enters the realm of protected data.
What are the "18 Identifiers" of PHI?
These include Name, Address (smaller than State), Dates (except year), Phone/Fax, Email, SSN, Medical Record Number, Health Plan ID, Account Number, License Number, VIN, Device ID, URL, IP Address, Biometric IDs, Photos, and any other unique code.
How should PHI be destroyed?
It must be rendered unreadable and indecipherable through shredding, burning, or specialized electronic "wiping" software.
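As an added example, not part of the original page, the de-identification step described in the definition above and the "18 Identifiers" answer can be automated as a Safe Harbor filter over a roster or claims record: direct identifiers are dropped, dates are reduced to the year, geography is reduced to the state, and the remaining free-text fields are scanned for identifiers that leaked through. Field names, patterns, and the sample record are assumptions constructed for illustration.

```python
import re
from datetime import date

# Direct identifiers from the Safe Harbor list: removed outright (assumed field names).
DROP_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vin", "device_id", "url",
    "ip_address", "biometric_id", "photo",
}
DATE_FIELDS = {"dob", "admission_date", "discharge_date"}  # keep year only
GEO_FIELDS = {"street", "city", "zip"}                     # smaller than state: drop

# Patterns that catch identifiers hiding in free-text fields (notes, comments).
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def deidentify_record(record: dict) -> dict:
    """Apply the Safe Harbor rules to one record and return the reduced copy."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS or key in GEO_FIELDS:
            continue                           # identifier removed entirely
        if key in DATE_FIELDS and isinstance(value, date):
            out[key + "_year"] = value.year    # generalise date to year
            continue
        out[key] = value
    return out


def scan_for_leaks(record: dict) -> list[tuple[str, str]]:
    """Return (field, identifier_type) for every identifier pattern found in text."""
    findings = []
    for key, value in record.items():
        if isinstance(value, str):
            for kind, pattern in LEAK_PATTERNS.items():
                if pattern.search(value):
                    findings.append((key, kind))
    return findings


# Constructed sample record; the values are not real.
SAMPLE = {
    "name": "Jane Doe", "dob": date(1975, 4, 12), "zip": "12345",
    "state": "NY", "ssn": "123-45-6789", "diagnosis": "E11.9",
    "notes": "Call back at 555-123-4567 re: refill",
}
```

Running `scan_for_leaks(deidentify_record(SAMPLE))` shows why the scan matters: the structured identifiers are gone, but the phone number in the free-text note survives field-level filtering and must be handled before the record is released.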