Protected health information, universally abbreviated as PHI, is the category of data regulated under HIPAA. It covers any information that could be used to identify an individual in the context of their healthcare: medical diagnoses, treatment records, lab results, prescription history, appointment dates, billing records, and health insurance information. What makes information "protected" is the combination of a health-related element and an identifying element.
The HIPAA Privacy Rule identifies eighteen specific identifiers that, when combined with health information, constitute PHI. These include obvious ones like names, addresses, and Social Security numbers, but also less obvious ones like dates of birth, geographic information smaller than a state, device identifiers, IP addresses, biometric identifiers, and full-face photographs. This breadth reflects the reality that health data can often be re-identified from seemingly innocuous demographic information.
PHI can exist in any medium: electronic (ePHI), paper, and verbal. The Security Rule, which governs technical and administrative safeguards, specifically applies to ePHI. Any digital system that stores, transmits, or processes ePHI must implement appropriate safeguards, including encryption at rest and in transit, access controls, audit logging, and breach detection and notification procedures.
For technology teams building healthcare products or integrating with healthcare organizations, the first practical question is whether their system will ever touch PHI. If it will, every architectural decision, from cloud provider selection to database design to API authentication, must account for PHI handling requirements from the start. Retrofitting HIPAA compliance into a system designed without it is significantly more expensive and risky than building it in from day one.
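To make the "health element plus identifying element" test from the first two paragraphs concrete, and to show the kind of data-classification check a team can run when deciding whether a system touches PHI, here is an added example (not code from the original article). It covers only the identifier categories that are easy to express as patterns; the health-related field names and the sample records are assumptions constructed for the example.

```python
import re

# Regex approximations for some of the eighteen HIPAA identifier categories.
# Names and sub-state geography need lookups or NLP and are not attempted here.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),  # any date finer than the year
    "record_number": re.compile(r"\bMRN[-: ]?\d{6,}\b"),
}

# Field names assumed to carry the health-related element (hypothetical schema).
HEALTH_FIELDS = {"diagnosis", "treatment", "lab_result", "prescription",
                 "appointment", "insurance_member_id"}


def classify_record(record: dict) -> dict:
    """Report identifier categories and health fields found in one record.

    A record is PHI only when both an identifying element and a health-related
    element are present; either one alone does not meet the definition.
    """
    identifiers = set()
    for value in record.values():
        text = str(value)
        for category, pattern in IDENTIFIER_PATTERNS.items():
            if pattern.search(text):
                identifiers.add(category)
    health = {k for k, v in record.items() if k in HEALTH_FIELDS and v not in (None, "")}
    return {
        "identifiers": sorted(identifiers),
        "health_fields": sorted(health),
        "is_phi": bool(identifiers) and bool(health),
    }


# Constructed sample records, not real patient data.
SAMPLES = {
    "clinical": {"patient_ssn": "123-45-6789", "diagnosis": "E11.9",
                 "visit": "2023-04-12", "source_ip": "10.0.0.5"},
    "deidentified": {"age_band": "40-49", "diagnosis": "E11.9", "year": "2023"},
    "contact_only": {"email": "someone@example.com", "phone": "555-123-4567"},
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, classify_record(record))
```

The "deidentified" record keeps the diagnosis but no identifier, and the "contact_only" record keeps identifiers but no health element, so neither is flagged; only the "clinical" record is.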