Protected Health Information


According to the Health Insurance Portability and Accountability Act (HIPAA), protected health information (PHI) is any health information that can identify an individual that is in possession of or transmitted by a "covered entity" or its business associates that relates to a patient's past, present, or future health. This data includes demographic information.[1] It also includes, but is not limited, to electronic and paper transmission. The term "covered entity" refers, but is not limited to, health care providers, insurance companies, and hospitals.[2][3] PHI includes demographic identifiers, in medical records, like names, phone numbers, emails, and biometric information like fingerprints, voiceprints, genetic information, and facial images.[4]

Issues of Concern

It is imperative that protected health information remains confidential because disclosing it to unauthorized recipients, whether intentionally or by accident, can have deleterious consequences for patients. For instance, in correctional facilities, the improper disclosure of protected health information can potentially result in inmates assaulting other inmates with health conditions that carry a significant social stigma. Even upon their release, these individuals can face discriminatory treatment by the general populace that hampers their reintegration into public life. While transmitting PHI generally requires the patient's explicit consent, there are exceptions where it is transmittable without consent. For example, in a correctional facility setting, PHI can be disclosed without consent for payment purposes, judicial proceedings. If there is a serious threat to a person's health or well-being, that can only be averted through disclosure.[5] Other circumstances when protected health information is transmittable without consent include public health purposes, like disease control, child abuse, and scientific research.[1][3]

Clinical Significance

Protected health information is clinically relevant because the circumstances surrounding its disclosure shape the interactions between patients and healthcare providers. For instance, when a patient happens to be a celebrity, health care providers must balance the patient's privacy needs with the public's "right" to know.[1] The increasingly widespread use of new medical technology further complicates interactions between patients and healthcare providers with respect to PHI. For instance, despite the rise of 3D printing in clinical care, there are no legal provisions in HIPAA relating to the potential privacy implications of 3D printing.[6] There are also no HIPAA regulations that adequately cover the transmission of Protected Health Information via text message.[7] 

There are many ways that healthcare providers can take precautions to ensure that protected health information remains properly protected, to enhance patient care, and preserve patient safety, particularly concerning electronic storage and transmission of PHI. Some standard procedures include data masking, encryption, and deidentification. Encryption is the equivalent of locking data in a vault and preventing anyone without the necessary digital key or certificate from accessing it. Data masking is the replacement of sensitive data values with altered values that nonetheless preserve the utility of the data set as a reference source. Encryption is more useful when attempting to protect data during transmission, while data masking is most useful when sharing data with an external organization. Deidentification is the systematic removal of eighteen pieces of identifying information, ranging from names and telephone numbers to biometric identifiers like finger and voice prints.[8][9] Internet communications can be secured through protocols like Secure Socket Layer (SSL) and Transport Layer Security (TLS). Wi-Fi hotspots can be secured using virtual private networks (VPN) to protect data.[10] Maintaining adequate safeguards against the unauthorized dissemination of PHI is of paramount importance, given that the consequences of failing to do so range from financial penalties to imprisonment.[11]

Nursing, Allied Health, and Interprofessional Team Interventions

All members of the healthcare team carry the same responsibility when it comes to protecting PHI. This includes clinicians, nurses, pharmacists, therapists, techs, office personnel, and even other staff such as housekeeping and nutrition. That is why training and refresher courses on the topic of PHI are critical to patient privacy so that all members of the team can recognize PHI, know the boundaries involved, and identify, and if necessary, report breaches of patient privacy to the proper authorities.



Sasank Isola


1/30/2023 4:26:34 PM



Burkle CM,Cascino GD, Medicine and the media: balancing the public's right to know with the privacy of the patient. Mayo Clinic proceedings. 2011 Dec;     [PubMed PMID: 22134938]


Goldstein MM,Pewen WF, The HIPAA Omnibus Rule: implications for public health policy and practice. Public health reports (Washington, D.C. : 1974). 2013 Nov-Dec;     [PubMed PMID: 24179268]


Colorafi K,Bailey B, It's Time for Innovation in the Health Insurance Portability and Accountability Act (HIPAA). JMIR medical informatics. 2016 Nov 2;     [PubMed PMID: 27806923]


Bowman MA,Maxwell RA, A beginner's guide to avoiding Protected Health Information (PHI) issues in clinical research - With how-to's in REDCap Data Management Software. Journal of biomedical informatics. 2018 Sep     [PubMed PMID: 30017974]


Goldstein MM, Health information privacy and health information technology in the US correctional setting. American journal of public health. 2014 May;     [PubMed PMID: 24625160]


Feldman H,Kamali P,Lin SJ,Halamka JD, Clinical 3D printing: A protected health information (PHI) and compliance perspective. International journal of medical informatics. 2018 Jul;     [PubMed PMID: 29779716]

Level 3 (low-level) evidence


Drolet BC,Marwaha JS,Hyatt B,Blazar PE,Lifchez SD, Electronic Communication of Protected Health Information: Privacy, Security, and HIPAA Compliance. The Journal of hand surgery. 2017 Jun;     [PubMed PMID: 28578767]


Motiwalla L,Li XB, Developing Privacy Solutions for Sharing and Analyzing Healthcare Data. International journal of business information systems. 2013 Jan 1;     [PubMed PMID: 24285983]


Nettrour JF,Burch MB,Bal BS, Patients, pictures, and privacy: managing clinical photographs in the smartphone era. Arthroplasty today. 2019 Mar     [PubMed PMID: 31020023]


Filkins BL,Kim JY,Roberts B,Armstrong W,Miller MA,Hultner ML,Castillo AP,Ducom JC,Topol EJ,Steinhubl SR, Privacy and security in the era of digital health: what should translational researchers know and do about it? American journal of translational research. 2016;     [PubMed PMID: 27186282]


Vanderpool D, Hipaa-should I be worried? Innovations in clinical neuroscience. 2012 Nov;     [PubMed PMID: 23346520]