What patient information do we need to protect?
Understand what counts as protected health information in a real office — not just charts, but conversations, schedules, and more.
TL;DR
If information identifies a patient and relates to health, care, or payment for care, treat it as sensitive. That includes names plus diagnoses, appointment lists, insurance details, and much more.
Updated 2026-04-21
When people say protected health information (often shortened to PHI), they mean details that identify someone and connect to their health, treatment, or payment for care.
You do not need to recite a legal checklist at the front desk. You do need a gut sense: If a stranger could figure out who the patient is and learn something about their health or billing, you should protect it.
Everyday examples in a practice
Think about:
- The schedule with patient names and visit reasons on screen.
- A lab result left on a printer.
- Insurance cards copied for billing.
- Phone messages about test results.
- Whiteboards with initials and room numbers that still make patients identifiable in context.
Even verbal updates in a hallway—"Mrs. Lee's MRI came back fine"—can be a problem if others overhear.
The "identifiers" idea (without memorizing 18 items)
Regulations list many types of identifiers (name, address pieces, dates, phone numbers, and more). In practice, ask: Could someone use this piece of data, plus what we already show in the waiting room, to know exactly who we mean? If yes, slow down and protect it.
What about information with no name on it?
If data is stripped of identifiers using approved methods, it may no longer be PHI. That is a specialized process—do not assume removing a name is enough. Your privacy officer handles formal de-identification.
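To make the "removing a name is not enough" point concrete, here is an added illustration (not part of the original page, and not the formal de-identification process your privacy officer follows). All records, names, dates and ZIP codes below are constructed for the demo. It strips the name column from a small appointment-style export and then checks whether the remaining fields (date of birth, ZIP code, sex, often called quasi-identifiers) still single out individual patients. The last function coarsens those fields as one conceptual step; it is assumed for illustration only and is not presented as an approved method.

```python
"""Added example: why dropping the name column does not de-identify a record.
Everything here is constructed sample data; it is not from the page above."""
from collections import Counter

# Constructed records, roughly what a small practice's schedule export might hold.
RECORDS = [
    {"name": "Alice Lee",  "dob": "1961-03-04", "zip": "02139", "sex": "F", "visit_reason": "MRI follow-up"},
    {"name": "Bob Ortiz",  "dob": "1978-11-22", "zip": "02139", "sex": "M", "visit_reason": "Annual physical"},
    {"name": "Chen Wu",    "dob": "1990-07-15", "zip": "02140", "sex": "F", "visit_reason": "Lab results"},
    {"name": "Dana Patel", "dob": "1978-11-22", "zip": "02139", "sex": "M", "visit_reason": "Flu shot"},
]

# Fields that do not name the patient outright but can identify them in
# combination with what else is known (standard term: quasi-identifiers).
QUASI_IDENTIFIERS = ("dob", "zip", "sex")


def strip_names(records):
    """The naive approach: drop only the name column and keep everything else."""
    return [{k: v for k, v in r.items() if k != "name"} for r in records]


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Size of the smallest group of records sharing the same quasi-identifier
    values. A result of 1 means at least one record is unique, so anyone who
    knows those few facts about a patient can pick out that patient's row."""
    groups = Counter(tuple(r.get(f) for f in fields) for r in records)
    return min(groups.values())


def unique_records(records, fields=QUASI_IDENTIFIERS):
    """Quasi-identifier combinations that pin down exactly one record."""
    groups = Counter(tuple(r.get(f) for f in fields) for r in records)
    return [key for key, n in groups.items() if n == 1]


def coarsen(records):
    """One illustrative coarsening step (assumed for this demo, not an approved
    method): remove the date of birth entirely and keep only the first three
    ZIP digits. Formal de-identification is the privacy officer's process."""
    out = []
    for r in records:
        g = {k: v for k, v in r.items() if k != "dob"}
        g["zip"] = r["zip"][:3]
        out.append(g)
    return out


if __name__ == "__main__":
    stripped = strip_names(RECORDS)
    print("names removed, but k =", k_anonymity(stripped))        # k = 1
    print("still-unique combinations:", unique_records(stripped))  # two rows stand alone
    print("after coarsening, k =", k_anonymity(coarsen(stripped)))  # k = 2
```

Run as a script it shows that after the name is gone, two of the four records are still uniquely identifiable from birth date, ZIP and sex alone; only after those fields are coarsened does every remaining row blend in with at least one other. Real data sets need the same kind of check over the actual identifier list, which is why the page points you to the privacy officer rather than a delete-the-name-column habit.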
Paper, voice, and electronics all count
HIPAA is not an "electronic-only" rule. A paper intake form in a basket, a sticky note with a callback number and diagnosis, or a whiteboard in a shared break room can all create risk.
What vendors should remember
If your product stores names, clinical values, insurance IDs, or appointment metadata for a healthcare customer, assume you are handling PHI until counsel says otherwise—and expect BAAs and security controls to be non-negotiable.
Not legal advice. Educational overview only; consult qualified counsel for your situation.