Protecting Protected Health Information (PHI): What You Need to Know
By Lauren Simonelli and Lina Collazos

Compliance and Ethics Week 2025 is officially here, and this year, we are focusing on Protecting Protected Health Information (PHI). During times of change, patients become more vulnerable than before. Chief among their vulnerabilities is the risk that their Protected Health Information may be used in scams or improperly handled during organizational changes, provider updates, and regulatory changes.
When you work in healthcare—whether in a hospital, a physician’s office, or a medical supply company—you’re entrusted with sensitive patient information every day. The HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule establishes the national standard for protecting PHI.
What is Considered PHI under HIPAA?
PHI is any information about a patient’s health, healthcare, or payment for healthcare that can identify the individual and link their Personally Identifiable Information (PII) to a medical diagnosis. This includes:
- Medical records and charts
- Billing information
- Lab results
- Insurance details
- Conversations about a patient’s care
- Demographic data (name, address, birth date, Social Security Number)
If the information relates to a patient’s physical or mental health, the care they receive, or payment for that care—and it can be linked to them—it’s PHI. Spoken information, including voicemails, and electronic communications such as email and even text messages all count. Employment records held by a provider in its role as an employer, and certain educational records, are not considered PHI.
Permissible Uses and Disclosures of PHI
HIPAA doesn’t mean you can never share PHI, but it does mean you must do so responsibly. Here are the main situations where PHI can be used or disclosed without patient authorization:
- Treatment, Payment, and Healthcare Operations: Sharing PHI for patient care, billing, or administrative tasks.
- To the Individual: Patients have the right to access their own PHI.
- With Opportunity to Agree or Object: For example, sharing information with family members involved in care, if the patient agrees.
- Public Interest and Benefit Activities: Reporting certain diseases, abuse, or threats to public safety.
- Required by Law: Court orders, law enforcement requests, or other legal requirements.
For anything outside these situations—such as marketing, research, or sharing with third parties—a written patient authorization is required; verbal consent alone will not suffice.
Practical Do’s and Don’ts for Patient Interactions
Protecting PHI isn’t just about policies—it’s about your daily actions. Here’s a quick guide:
Do
- Speak quietly and privately when discussing patient information.
- Verify identity before sharing PHI (ask for ID or use secure portals).
- Limit access to PHI to only those who need it for their job.
- Confirm the patient consented to sharing their PHI.
- Store paper records securely (locked cabinets, or in a closed file, not left on desks).
- Log out of electronic health records when you step away (lock your PC when you’re not at your desk).
- Dispose of PHI properly (shred paper, delete electronic files securely).
Don’t
- Don’t discuss patient details in public areas (hallways, elevators, cafeterias) or with anyone who neither works with the patient nor has the patient’s written consent.
- Don’t leave PHI visible on computer screens or paperwork.
- Don’t share PHI via unsecured email or messaging apps.
- Don’t access PHI out of curiosity—only for legitimate work reasons.
- Don’t share passwords or access credentials.
Protecting PHI is everyone’s responsibility! By following these practical steps, you help maintain patient trust and comply with HIPAA. For more details, visit the official Health and Human Services (HHS) HIPAA Privacy Rule resource: https://www.hhs.gov/hipaa/for-professionals/privacy/index.html.