Level: Beginner · Audience: front desk, practice manager, provider, vendor

What patient information do we need to protect?

Understand what counts as protected health information in a real office, not just charts, but conversations, schedules, and more.

TL;DR

If information identifies a patient and relates to health, care, or payment for care, treat it as sensitive. That includes names plus diagnoses, appointment lists, insurance details, and much more.

Updated 2026-04-21

When people say protected health information (often shortened to PHI), they mean details that identify someone and connect to their health, treatment, or payment for care.

You do not need to recite a legal checklist at the front desk. You do need a gut sense: If a stranger could figure out who the patient is and learn something about their health or billing, you should protect it.

Everyday examples in a practice

Think about:

  • The schedule with patient names and visit reasons on screen.
  • A lab result left on a printer.
  • Insurance cards copied for billing.
  • Phone messages about test results.
  • Whiteboards with initials and room numbers that still make patients identifiable in context.

Even a verbal update in a hallway ("Mrs. Lee's MRI came back fine") is a problem if other patients or visitors can overhear it.

The "identifiers" idea (without memorizing 18 items)

The HIPAA Privacy Rule lists 18 types of identifiers (names, address pieces, dates, phone numbers, record numbers, and more). In practice, ask: Could someone use this piece of data, plus what we already show in the waiting room, to know exactly who we mean? If yes, slow down and protect it.

What about information with no name on it?

If data is stripped of identifiers using one of the two approved methods (Safe Harbor, which removes a specific list of identifiers, or Expert Determination by a qualified statistician), it may no longer be PHI. That is a specialized process; do not assume removing a name is enough, because a date of birth, ZIP code, or record number left behind can still point to one person. Your privacy officer handles formal de-identification.
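As an added illustration (example code written for this page, not part of the original article or any regulation text), the following Python script scans a flat record for a few of the 18 Safe Harbor identifier categories using simple field-name and value patterns. The field names, regexes, and sample records are constructed assumptions, and it covers only a handful of the categories, so a clean result is a hint for a vendor's export pipeline, not a de-identification determination. Run on a record with only the name removed, it still flags the date of birth, phone number, full ZIP code, and medical record number.

```python
"""Heuristic scan for Safe Harbor identifier categories left in a record.

Added example; it checks a handful of the 18 categories in 45 CFR 164.514(b)(2)
with simple patterns, so a clean result here is NOT formal de-identification.
"""
import re
from datetime import date

# Field-name and value patterns for some Safe Harbor categories (illustrative only;
# the key names are assumptions about how a vendor might label columns).
NAME_KEYS = re.compile(r"(^|_)(name|first|last|patient)($|_)", re.I)
ACCOUNT_KEYS = re.compile(r"mrn|medical_record|account|member|policy|ssn", re.I)
DOB_KEYS = re.compile(r"dob|birth", re.I)
ZIP_KEYS = {"zip", "zipcode", "zip_code", "postal_code"}
FULL_DATE = re.compile(r"\b(\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})\b")
PHONE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
ZIP5 = re.compile(r"\d{5}(-\d{4})?")


def _parse_date(text):
    """Return a date for YYYY-MM-DD or MM/DD/YYYY text, else None."""
    m = FULL_DATE.search(text)
    if not m:
        return None
    token = m.group(1)
    try:
        if "-" in token:
            y, mo, d = (int(p) for p in token.split("-"))
        else:
            mo, d, y = (int(p) for p in token.split("/"))
        return date(y, mo, d)
    except ValueError:
        return None


def _age_on(born, as_of):
    """Whole years between a birth date and a reference date."""
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def find_identifiers(record, as_of=date(2026, 4, 21)):
    """Return the sorted Safe Harbor categories detected in a flat record (dict of str)."""
    found = set()
    for key, value in record.items():
        text = str(value).strip()
        if not text:
            continue
        if NAME_KEYS.search(key):
            found.add("name")
        if ACCOUNT_KEYS.search(key):
            found.add("record/account number")
        if FULL_DATE.search(text):
            found.add("date more specific than year")
            born = _parse_date(text)
            # Safe Harbor also requires ages over 89 to be aggregated.
            if DOB_KEYS.search(key) and born and _age_on(born, as_of) > 89:
                found.add("age over 89")
        if PHONE.search(text):
            found.add("phone number")
        if EMAIL.search(text):
            found.add("email address")
        if key.lower() in ZIP_KEYS and ZIP5.fullmatch(text):
            found.add("full ZIP code")  # the first three digits are usually allowed
    return sorted(found)


def is_safe_harbor_shaped(record, as_of=date(2026, 4, 21)):
    """True only when none of the checked categories is present."""
    return not find_identifiers(record, as_of)


# Constructed sample records (fictional people, not real data).
RECORDS = {
    "full": {"name": "Jane Q. Sample", "dob": "1984-03-12", "phone": "555-014-2231",
             "zip": "02139", "mrn": "MRN-0044871", "diagnosis": "type 2 diabetes"},
    # Same record with only the name removed: still plenty to re-identify.
    "name_removed": {"dob": "1984-03-12", "phone": "555-014-2231",
                     "zip": "02139", "mrn": "MRN-0044871", "diagnosis": "type 2 diabetes"},
    # Year-only date and 3-digit ZIP: the shape Safe Harbor allows.
    "safe_harbor": {"birth_year": "1984", "zip3": "021", "diagnosis": "type 2 diabetes"},
    # ZIP truncated correctly, but the full DOB is kept and the patient is over 89.
    "elderly": {"dob": "1930-01-05", "zip": "021", "diagnosis": "hypertension"},
}

if __name__ == "__main__":
    for label, rec in RECORDS.items():
        print(f"{label:13} -> {find_identifiers(rec) or 'no checked identifiers'}")
```

The "elderly" record shows two rules that are easy to miss even after a name and full ZIP are gone: any date element more specific than the year must go, and ages over 89 must be collapsed into a single "90 or older" bucket. The 3-digit ZIP shortcut also has an exception for sparsely populated areas (geographic units of 20,000 people or fewer become 000), which this heuristic does not check; that is one reason the formal process belongs with the privacy officer or an Expert Determination.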

Paper, voice, and electronics all count

HIPAA is not an "electronic-only" rule. A paper intake form in a basket, a sticky note with a callback number and diagnosis, or a whiteboard in a shared break room can all create risk.

What vendors should remember

If your product creates, receives, stores, or transmits names, clinical values, insurance IDs, or appointment metadata for a healthcare customer, assume you are handling PHI until counsel says otherwise. Expect a business associate agreement (BAA) and the security controls it requires to be non-negotiable, and expect to be asked how you handle the data in every form, including logs, backups, and support tickets.

Not legal advice. Educational overview only; consult qualified counsel for your situation.