PHI (Protected Health Information)

HIPAA

Individually identifiable health information held or transmitted by a HIPAA covered entity or business associate.

Protected Health Information (PHI) is individually identifiable health information (in any form) created, received, maintained, or transmitted by a HIPAA covered entity or business associate. ePHI is the electronic subset and is subject to the Security Rule.

Why it matters
Touching PHI without a Business Associate Agreement (BAA) is a per se HIPAA violation, regardless of whether a breach occurs.

Related terms

ePHI
PHI in electronic form — the scope of the HIPAA Security Rule (45 CFR §164.302–318).
BAA (Business Associate Agreement)
HIPAA contract between a covered entity and a business associate handling PHI; mandatory under 45 CFR §164.504(e).
HIPAA
US law protecting PHI; Privacy, Security, and Breach Notification Rules apply to covered entities and business associates.
Minimum Necessary Standard
HIPAA principle (45 CFR §164.502(b)) requiring use/disclosure of only the minimum PHI needed for the purpose.

Does your program actually cover PHI (Protected Health Information)?

Run a free ComplianceIQ audit against HIPAA and we'll surface every gap on this — and the other controls auditors flag — with the exact clause references to fix.