Compliance & Security

Protected Health Information (PHI)

Protected Health Information (PHI) is individually identifiable health information that a HIPAA covered entity or its business associates create, receive, maintain or transmit, in any form. Under US HIPAA, PHI is the category of data the law protects, so knowing exactly what counts as PHI is fundamental to building compliant healthcare software. PHI held or transmitted in electronic form is ePHI, and it is ePHI specifically that the Security Rule's administrative, physical and technical safeguards cover (the Privacy Rule applies to PHI in any form, including paper and spoken). For engineering teams, PHI is the data you must encrypt, access-control, log, and handle under contract at every step.

What makes information PHI

Information becomes PHI when health-related data is combined with something that identifies, or could reasonably be used to identify, the individual. HIPAA's Privacy Rule lists 18 identifiers in its Safe Harbor de-identification standard (45 CFR 164.514(b)): names; geographic subdivisions smaller than a state (street address, city, county, full ZIP code); all elements of dates except year that relate directly to the individual, plus any age over 89; telephone and fax numbers; email addresses; Social Security, medical record, health plan beneficiary, account, certificate and licence numbers; vehicle and device identifiers; URLs and IP addresses; biometric identifiers; full-face photographs; and any other unique identifying number, characteristic or code. A blood pressure reading on its own is just data; attached to a named patient with a date of service, it is PHI. This is why de-identification, stripping or generalising those identifiers, is the key to using health data for analytics and AI training without the full weight of PHI rules.
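The Safe Harbor rules above are mechanical enough to implement. The following is an added example, not code from the original page or from any particular EHR or FHIR library: it de-identifies a constructed patient record by dropping direct identifiers, reducing dates to year, truncating ZIP codes to three digits (or "000" for the sparsely populated prefixes HHS lists), and aggregating ages of 90 and over. The field names and the record shape are assumptions for illustration.

```python
"""Safe Harbor style de-identification of a constructed patient record.

Added example. The record schema (field names such as "mrn", "zip",
"admission_date") is a hypothetical flat record, not a FHIR resource.
"""
import re
from datetime import date
from typing import Any

# Fields holding direct identifiers under Safe Harbor; they are removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo", "street_address", "city",
}

# Three-digit ZIP prefixes with a population of 20,000 or fewer, as published in
# the HHS Safe Harbor guidance (derived from the 2000 Census). These must become
# "000". Confirm against current HHS guidance before relying on this list.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

ISO_DATE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def generalise_zip(zip_code: str) -> str:
    """Keep only the first three digits of a ZIP, or '000' for restricted areas."""
    digits = re.sub(r"\D", "", zip_code)
    zip3 = digits[:3]
    if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3:
        return "000"
    return zip3


def generalise_date(value: str) -> str:
    """Reduce an ISO date to its year; Safe Harbor removes month and day."""
    m = ISO_DATE.match(value)
    return m.group(1) if m else "unknown"


def generalise_age(birth_date: str, as_of: date) -> str:
    """Compute age as of a date and aggregate 90 and over into one '90+' bucket."""
    m = ISO_DATE.match(birth_date)
    if not m:
        return "unknown"
    y, mo, d = (int(g) for g in m.groups())
    age = as_of.year - y - ((as_of.month, as_of.day) < (mo, d))
    return "90+" if age >= 90 else str(age)


def safe_harbor_deidentify(record: dict[str, Any], as_of: date) -> dict[str, Any]:
    """Return a copy of ``record`` with Safe Harbor identifiers removed or generalised.

    Clinical content is kept; only identifying fields are touched. For a patient
    aged 90 or over, even the birth year is dropped, because Safe Harbor removes
    all date elements indicative of such an age. Safe Harbor additionally requires
    that you have no actual knowledge the remaining data could identify the person;
    that is a judgement this function cannot make for you.
    """
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = generalise_zip(str(value))
        elif key == "birth_date":
            age = generalise_age(str(value), as_of)
            out["age"] = age
            if age != "90+":
                out["birth_year"] = generalise_date(str(value))
        elif key.endswith("_date"):
            out[key[: -len("_date")] + "_year"] = generalise_date(str(value))
        else:
            out[key] = value
    return out


# Constructed sample record for illustration; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-00012345",
    "email": "jane@example.org",
    "phone": "555-0100",
    "birth_date": "1931-03-15",
    "zip": "03601",
    "admission_date": "2024-02-10",
    "blood_pressure": "138/88",
}

if __name__ == "__main__":
    print(safe_harbor_deidentify(SAMPLE_RECORD, date(2024, 6, 1)))
```

The output keeps the clinical value and the admission year but nothing that points back to the patient. Note what the function does not do: it cannot detect identifiers hidden inside free-text fields (a clinician's note that names the patient), and it does not certify that the remaining fields are safe in combination, which is what the Expert Determination route exists for.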

PHI, ePHI, and where it lives

In modern systems PHI is almost always electronic (ePHI) and surprisingly pervasive. It lives in the obvious places — the EHR, databases, FHIR API responses — but also in logs, backups, analytics events, support tickets, error traces, message queues, and increasingly in prompts and responses sent to AI models. A common compliance failure is PHI leaking into a system never designed to hold it, such as an application log or a third-party analytics tool. Mapping where PHI flows across your entire architecture is a foundational security exercise, not a one-off audit task.
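Because PHI so often ends up in logs through exception messages and debug dumps, a practical control is a scanner that flags identifier patterns in log lines before they reach a third-party log or analytics service. The following is an added example, not code from the original page: it runs a set of heuristic patterns over a few constructed log lines and shows both detection and redaction. The patterns and the sample lines are assumptions chosen for illustration.

```python
"""Detect and redact identifier patterns leaking into application logs.

Added example. The patterns are heuristics for a safety-net scanner, not an
authoritative Safe Harbor test: expect false positives (any ###-##-#### string)
and misses (names and free text). Treat a hit as a design bug to fix upstream.
"""
import re

PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b(?:\+?1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[-: ]?\d{6,}\b", re.IGNORECASE),
    # Bare ISO dates; the \b on both sides keeps ISO-8601 timestamps from matching.
    "date": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def scan_line(line: str) -> list[str]:
    """Return the sorted identifier classes found in one log line."""
    return sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(line))


def redact_line(line: str) -> str:
    """Replace each identifier match with a bracketed class tag."""
    for name, pat in PHI_PATTERNS.items():
        line = pat.sub(f"[{name.upper()}]", line)
    return line


def scan_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (1-based line number, findings) for every line carrying a hit."""
    report = []
    for number, line in enumerate(lines, start=1):
        findings = scan_line(line)
        if findings:
            report.append((number, findings))
    return report


# Constructed log excerpt for illustration; not real data.
SAMPLE_LOG = [
    "2024-02-10T09:14:02Z INFO  auth user=svc-scheduler login ok",
    "2024-02-10T09:14:05Z ERROR PatientLookupFailed: no match for jane@example.org mrn=MRN-00012345",
    '2024-02-10T09:14:06Z DEBUG request body={"name":"Jane Example","ssn":"123-45-6789","dob":"1931-03-15"}',
    "2024-02-10T09:14:07Z INFO  fhir GET /Patient/42 200 12ms",
]

if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(findings)}")
        print("  ", redact_line(SAMPLE_LOG[number - 1]))
```

Two things the example shows that the paragraph does not: the error and debug lines leak PHI even though no one intended to log patient data, and the patient's name on line 3 is not caught at all, which is why scanning is a backstop and not a substitute for keeping PHI out of log statements in the first place.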

Handling PHI responsibly

Responsible PHI handling means minimisation and protection. Collect only the PHI you genuinely need; encrypt it in transit and at rest; enforce least-privilege access with strong authentication; log every access for audit; and ensure every party that touches it — cloud providers, AI vendors, subprocessors — is bound by a Business Associate Agreement or equivalent. When building AI features, pay special attention to whether PHI is sent to external models, whether it could be retained or used for training, and whether de-identified or synthetic data could serve the purpose instead.

PHI beyond the US

PHI is a HIPAA term, but the concept of specially protected health data is global. Under the EU GDPR and UK GDPR, data concerning health is 'special category' personal data under Article 9: processing it is prohibited unless you have both an ordinary lawful basis under Article 6 and one of the specific Article 9 conditions (such as explicit consent or provision of healthcare). The identifiers and obligations differ in detail, but the engineering response is the same: treat identifiable health data as among the most sensitive you hold, design systems to protect and minimise it, and ensure a lawful basis and appropriate contracts before processing. A product serving multiple markets should build to the strictest applicable standard.

Frequently asked questions

What are the 18 HIPAA identifiers?

They are the data elements that, combined with health information, make it identifiable, including names, geographic and date details, phone and fax numbers, email addresses, Social Security numbers, medical record and other account numbers, device and vehicle identifiers, URLs and IP addresses, biometric identifiers, full-face images, and any other unique code. Removing all 18, with no actual knowledge that the remaining information could identify the individual, is the Safe Harbor route to de-identification; the other route is Expert Determination, where a qualified expert documents that the re-identification risk is very small.

Is de-identified data still PHI?

Properly de-identified data is no longer PHI under HIPAA, which is why de-identification is so useful for analytics and AI. But de-identification must be done rigorously — weak anonymisation that allows re-identification does not remove the obligations.

Can PHI be sent to AI models?

Only under appropriate safeguards. The AI provider must be covered by a Business Associate Agreement, the data must be protected in transit and at rest, and you must control retention and training use. Often, de-identified or synthetic data is a safer choice where the use case allows.

Need to handle PHI safely across your stack and AI features? We design compliant data architectures from the ground up. Book a discovery call.

Related terms