"Protected Health Information (PHI)" - Term Explanation

Krzysztof Szwed
Tech Lead and Solution Architect at Flobotics
June 5, 2026

What Is Protected Health Information (PHI)?

Protected Health Information (PHI) is defined under HIPAA as any individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate in connection with healthcare provision or payment. PHI includes 18 specific identifier categories — any one of which, combined with health information, creates a HIPAA-protected record.

The 18 categories include: names, geographic data smaller than a state, dates directly related to an individual, phone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate and license numbers, vehicle identifiers, device identifiers, web URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying numbers or codes.

PHI in Revenue Cycle Management

The entire RCM workflow is a PHI handling operation. Every claim contains the patient's name, date of birth, insurance ID, diagnosis codes, procedure codes, and service dates — a complete PHI set. Eligibility verification queries contain demographic and coverage PHI. Prior authorization requests contain clinical PHI. EOBs and ERAs contain payment PHI linked to individual patient accounts.

This means every vendor, system, and workflow touching any part of the revenue cycle handles PHI and must operate within HIPAA's requirements. Business Associate Agreements (BAAs) must be executed with every third-party vendor — clearinghouses, billing software, automation platforms, cloud infrastructure — that processes PHI on behalf of the covered entity.

Electronic PHI (ePHI) and Security Requirements

ePHI is PHI created, stored, transmitted, or received electronically. The HIPAA Security Rule requires three categories of safeguards:

  • Administrative safeguards: Policies governing workforce access, training, and incident response
  • Physical safeguards: Controls over physical access to systems and facilities where ePHI is stored
  • Technical safeguards: Access controls, audit logs, encryption in transit and at rest, and automatic logoff on ePHI-handling systems

Encryption of data in transit (TLS 1.2+ minimum) and at rest (AES-256 standard) is the baseline requirement for any compliant ePHI system — including every platform in your RCM technology stack.

Common PHI Breach Risks in RCM

The most common PHI breach scenarios in RCM include: misdirected faxes containing patient information, unencrypted email transmission of claim data, improper disposal of paper EOBs, unauthorized access to billing systems, and vendor breaches where a business associate's infrastructure is compromised. Each represents both a HIPAA compliance failure and a direct patient harm risk.

PHI Handling in Automation Workflows

HIPAA-compliant RCM automation requires all PHI processed by automated workflows to be transmitted over encrypted connections, stored in HIPAA-compliant infrastructure, access-controlled to minimum necessary data, and fully audit-logged. Our RCM automation solutions are built with these requirements as design constraints, not afterthoughts. Contact us to review your PHI handling architecture.
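One way to implement the minimum-necessary access control and redacted audit logging required above (and listed under the technical safeguards), as an added example that is not Flobotics' code: it assumes a constructed claim record with fictional values, an assumed per-step field allowlist, and regex patterns for a handful of the 18 identifier categories that tend to leak into free-text notes and log lines.

```python
import re

# Constructed sample claim record (fictional values, not real patient data).
CLAIM = {
    "patient_name": "Jane Example",
    "dob": "1984-03-12",
    "insurance_id": "XYZ123456789",
    "mrn": "MRN-0099812",
    "diagnosis_codes": ["E11.9"],
    "procedure_codes": ["99213"],
    "service_date": "2026-05-20",
}

# Assumed minimum-necessary policy: the fields each workflow step may see.
MINIMUM_NECESSARY = {
    "eligibility": {"patient_name", "dob", "insurance_id"},
    "coding_review": {"diagnosis_codes", "procedure_codes", "service_date"},
}

# Patterns for some Safe Harbor identifier categories that leak into free text.
PHI_PATTERNS = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("DATE", re.compile(r"\b\d{4}-\d{2}-\d{2}\b")),   # service dates, DOB
    ("MRN", re.compile(r"\bMRN-\d+\b")),               # assumed MRN format
]

def minimum_necessary_view(record, step):
    """Return only the fields the policy allows for this step; refuse unknown steps."""
    if step not in MINIMUM_NECESSARY:
        raise PermissionError(f"no minimum-necessary policy for step {step!r}")
    return {k: v for k, v in record.items() if k in MINIMUM_NECESSARY[step]}

def redact_phi(text):
    """Replace matched identifiers with category tags so the text is safe to log."""
    for tag, pattern in PHI_PATTERNS:
        text = pattern.sub(f"[{tag}]", text)
    return text

def audit_entry(actor, step, record, note=""):
    """Audit who accessed which fields for which step: field names, never values."""
    view = minimum_necessary_view(record, step)   # enforces the policy before logging
    return {"actor": actor, "step": step, "fields": sorted(view), "note": redact_phi(note)}
```

Pattern matching only catches structured identifiers; names, addresses and free-form dates need a field-level allowlist or NLP, which is why the audit entry records field names rather than values.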
