Glossary / PHI


Protected health information (PHI) is the term given to health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates in relation to the provision of healthcare, healthcare operations and payment for healthcare services.

What is PHI?

Protected health information (PHI) is the term given to health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates in relation to the provision of healthcare, healthcare operations, and payment for healthcare services.

Healthcare survives on the data saved and utilized for successful patient care. This data regarding your medical treatment and history is collected across the entire healthcare ecosystem, and as such, this data is used to improve patient outcomes.

HIPAA defines protected health information. This includes individually identifiable health information. PHI must be kept secure by covered entities. Covered entities include providers, insurers, employers, and other parties who handle patient records.

PHI is a form of Personally Identifiable Information (PII). PHI includes all identifiable health data, including demographic information, past medical history, test results, and other information that could lead to the identification of a patient or provide healthcare service. This information is protected under the HIPAA Privacy Rule. The method of storage and transmission, whether electronic media or otherwise, does not affect PHI classification.

What is PHI vs PII?

PHI, or protected health information, is any type of health information, like physical or electronic health records, medical bills, and lab test results, that has individual identifiers. The confidentiality requirements surrounding PHI are very strict and violation of these can lead to severe legal consequences.

What Healthcare Information is Protected

The HIPAA Privacy Rule protects the privacy of protected health information (PHI). The Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. The Security Rule calls this information “electronically protected health information” (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.

Healthcare organizations deal with sensitive data about patients, including birth dates, medical conditions, and insurance claims.

What Happens when HIPAA is Violated?

Penalties are high for the violation of HIPAA, as they can be subjected to a penalty of $100 per violation and up to $25,000 for repeated violations. Penalties of $50,000 fine and up to 10 years of jail can be imposed for deliberate theft and use of protected healthcare data.

Examples of PII and Cybercrime

Identity theft is a primary goal for cybercriminals.

Cybercriminals often use personal identifying information (PII), such as names, addresses, dates of birth, Social Security numbers, credit card numbers, bank account details, etc., which they then sell on the black market or hold ransom using so-called “ransomware” attacks. Email phishing attempts can be sent to individuals, from cybercriminals pretending to be healthcare providers, and will ask for account information or enclose a link to a malicious website.

FBI statistics show that identity theft is still regarded as one of the fastest-growing crimes in the nation, capable of astronomical emotional and financial damage and hardship to the victims. As such, many governments have created consumer-friendly legislation regarding health service security policies to limit how this personal information is used and distributed.

Some Examples of PII include:

  • A personal identification number, such as a driver's license number, passport number, patient identification number, credit card number or social security number.

  • A name, including the full name of the individual, their maiden name or mother's maiden name, and any alias they may use.

  • Asset information, such as MAC address or IP, as well as other static identifiers that could consistently link a particular person.

  • Address information, like email addresses or street addresses, and telephone numbers for businesses or personal means.

  • Biological or personal characteristics, such as an image of distinguishing features, fingerprints, x-rays, voice signature, retina scan, or geometry of the face.

  • Information about an individual that is linked to their place of birth, date of birth, religion, activities, geographical indicators, educational, financial, or other medical data.

Under certain circumstances, one or two pieces of data can be brought together with other easily-accessible information to create a vulnerability for someone's identity.

Protected Health Information (PHI) is private information about your health. It includes your medical records, test results, and anything else that could help doctors treat you better. You may be surprised to learn that some people share this information without your permission. This law protects your privacy.

As shown, PHI refers to protected health information, which includes medical history, physical examination results, diagnosis, treatment plans, services rendered, payment for such items and any billing-related to them, etc., but excludes education records. It doesn't refer to any employment records kept by an organization as its role as someone's employer. In general, the regulations usually refer to several different fields which may be used to identify a person, such as a name, address, date of birth, social security number, driver’s license number, passport number, etc.

Protected Health Information (PHI) In Summary:

  • Names of patients/account holders.

  • All dates directly linked to an individual, including date of birth, death, discharge, treatments, and administration.

  • Telephone and fax numbers.

  • Email addresses, street addresses, zip codes, and county.

  • Medical record numbers, and health plan beneficiary numbers.

  • Social security numbers.

  • Biometric identifiers, including voice or fingerprints.

  • Photography: images of the full face or recognizable features.

  • Any unique number-based code or characteristics.

What are the Ways to Protect Patient Privacy and Confidentiality?

There are many ways to protect the privacy of individuals. You can protect confidentiality by keeping electronic files in a secure location with features like encryption, smart data leak protection, advanced permissions, and more. Other ways include ensuring that discussions about confidential information are held in private locations and written information is hidden from public view.

HIPAA technical safeguards are a key part of any HIPAA security program. Using cybersecurity to secure EPHI is a critical component of HIPAA. One of the greatest challenges of health care organizations is protecting patient information as the Internet changes.

In order to safeguard EPHI against threats and to prepare for future cyber attacks:

First, know how to spot phishing emails - and learn how to use strong passwords, two-factor authentication, and encryption.

In Conclusion

Cybercriminals never sleep. Cybersecurity teams need round-the-clock threat intelligence to anticipate and track bad actors’ every move, and how they might attack healthcare organizations.

Intel 471 customers rely on TITAN, an intuitive intelligence SaaS platform built by intelligence and security professionals for intelligence and security professionals. It enables them to access structured information, dashboards, timely alerts, and intelligence reporting via the web portal or API integration.

But TITAN doesn’t stop there. Use TITAN’s programmable RESTful API to power numerous connectors and integrations, integrating and operationalizing customized intelligence into your security operations.

Intel 471 cybercrime intelligence empowers digital forensic experts and analysts to monitor and respond to threats in near real-time — enabling them to support the cyber defense mission with timely and actionable intelligence. These analysts can also explore the alert context in our intelligence reports and data collection giving them a richer understanding of your organizational risk to better mitigate threats.