

In the context of data protection, protected health information (PHI) means:

  • individually identifiable health information, in any form or medium (paper, electronic, or oral),
  • created, received, maintained, or transmitted by a HIPAA 'covered entity' (health care providers, health plans, and health care clearinghouses) or by a 'business associate' that handles the information on a covered entity's behalf (for example, a company that hosts or processes electronic health records),
  • which relates to a person's past, present, or future health condition, the health care provided to them, or payment for that care.

This data is considered sensitive, and HIPAA obligates both covered entities and their business associates to keep it secure.

PHI is a subset of personally identifiable information (PII): health information becomes PHI when it is tied to identifiers such as a name, address, date of birth, or medical record number. Examples of PHI are medical records, treatment plans, diagnoses, test results, and billing information. Health data that has been properly de-identified (with the identifying elements removed) is no longer PHI, so it falls outside these requirements.

HIPAA details standards for protecting PHI. Among other obligations, organizations are required to implement and demonstrate adequate administrative, physical, and technical safeguards to prevent PHI from being disclosed or leaked, and to manage the risk introduced by vendors and third-party service providers. A covered entity must conduct and maintain a risk analysis of how it stores and handles PHI, and before sharing PHI with an external vendor it must assess that vendor and put a business associate agreement in place that binds the vendor to the same safeguards.