The full definition
Under HIPAA, PHI (protected health information) is individually identifiable health information that a covered entity or its business associate creates, receives, maintains, or transmits, in any form: anything about a person's health condition, the care they receive, or payment for that care that identifies them or could reasonably be used to identify them. The Privacy Rule's Safe Harbor de-identification standard lists 18 identifiers that must be removed before data stops being PHI: names; geographic subdivisions smaller than a state (street address, city, county, ZIP code, with a limited exception for the first three ZIP digits); all elements of dates except year that relate directly to an individual (birth, admission, discharge, death) and any age over 89; telephone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate or license numbers; vehicle identifiers and serial numbers, including license plates; device identifiers and serial numbers; web URLs; IP addresses; biometric identifiers such as fingerprints and voiceprints; full-face photographs and comparable images; and any other unique identifying number, characteristic, or code. PHI is subject to the HIPAA Privacy Rule and to the Security Rule's administrative, physical, and technical safeguards.
Why it matters in practice
The mistake practices make: they treat names and DOBs as 'not really PHI' because they aren't clinical. Under HIPAA, a name combined with the fact that the person is (or is seeking to become) a patient is PHI. A marketing form that captures 'I'm interested in your IOP program — my name is John Smith, my phone is X' is PHI the moment it is submitted. The CRM holding that data has to meet HIPAA's Security Rule safeguards, and the vendor operating it has to sign a BAA before any of it lands there.
Real-world examples
- Name and phone number on an intake form for behavioral health services
- Appointment confirmation SMS that includes the patient's name and the provider's specialty
- Insurance card photo uploaded during patient registration
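The three examples above share one property: each record carries at least one Safe Harbor identifier and sits in a care context, so the whole record is PHI. As an added example (not Velant's code, and not something the page describes), the Python below scans a web-form submission for identifiers before it is handed to a CRM, so that records that are PHI can be routed only to systems covered by a BAA. Field names, the hint lists, the regexes, the MRN label style, and the sample form are all assumptions constructed for illustration.

```python
"""Flag HIPAA Safe Harbor identifiers in a web-form submission before it
reaches a CRM, so records that are PHI only go to BAA-covered systems.

Added example, not Velant's code. Field names, hint lists, regexes and the
sample form are assumptions constructed for illustration.
"""
import re
from collections import defaultdict

# Identifiers with a recognisable shape in free text (a subset of the 18).
# Order matters for redact(): SSN runs before phone so 123-45-6789 is not
# partially eaten by the phone pattern.
PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn":   re.compile(r"\bMRN\s*[:#]?\s*\d{4,}", re.I),  # assumed label style
    "phone": re.compile(r"(?<!\d)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4":  re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "date":  re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "url":   re.compile(r"\bhttps?://\S+", re.I),
}

# Identifiers with no fixed format (names, plan numbers) are recognised by the
# field that carries them: substrings looked for in lower-cased field names.
# These field-naming conventions are an assumption of this example.
FIELD_HINTS = {
    "name":      ("name", "patient"),
    "dob":       ("dob", "birth"),
    "mrn":       ("mrn", "record_number"),
    "member_id": ("member", "policy", "subscriber", "insurance"),
    "address":   ("address", "street", "city", "zip"),
}


def scan_submission(fields):
    """Return {identifier: sorted list of field names} for every identifier found."""
    found = defaultdict(set)
    for field, value in fields.items():
        if not isinstance(value, str) or not value.strip():
            continue
        key = field.lower()
        for ident, hints in FIELD_HINTS.items():
            if any(h in key for h in hints):
                found[ident].add(field)
        for ident, pat in PATTERNS.items():
            if pat.search(value):
                found[ident].add(field)
    return {ident: sorted(names) for ident, names in found.items()}


def is_phi(fields, health_context):
    """An identifier alone is not PHI; an identifier plus a link to care (an
    intake form, an appointment, a treatment program) is. The caller knows what
    the form is for, so it supplies health_context."""
    return bool(health_context and scan_submission(fields))


def redact(text):
    """Mask pattern-shaped identifiers so a copy can go to systems without a
    BAA (analytics, support tooling). Identifiers only recognisable by field
    name, such as a free-text name, are NOT caught here: drop those fields."""
    for ident, pat in PATTERNS.items():
        text = pat.sub(f"[{ident.upper()}]", text)
    return text


# Constructed sample submission to an IOP interest form; not real data.
SAMPLE_FORM = {
    "full_name": "John Smith",
    "phone": "(555) 010-2244",
    "message": "Interested in your IOP program. MRN: 4482019. Call after 6pm.",
    "client_ip": "203.0.113.42",
    "submitted_at": "2024-03-18",
}

if __name__ == "__main__":
    print(scan_submission(SAMPLE_FORM))
    print("PHI:", is_phi(SAMPLE_FORM, health_context=True))
    print(redact(SAMPLE_FORM["message"]))
```

Two design points worth noting. The scan is deliberately over-inclusive: the submission timestamp and the visitor's IP address are flagged because both are Safe Harbor identifiers, and a form handler that logs them into a non-BAA analytics tool is the common leak. And `is_phi` takes the health context as an explicit argument rather than inferring it, because the identifier alone (a name on a newsletter signup) is not PHI; the same name on a behavioral-health intake form is.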
Inside Velant
Velant treats every data point in the system as potential PHI — encrypted in transit and at rest, role-based access, audit logged.
Related terms
- BAA (Business Associate Agreement): A HIPAA-required contract between a covered entity (a healthcare provider, health plan, or clearinghouse) and any third-party vendor that creates, receives, maintains, or transmits PHI on its behalf; the vendor's own subcontractors that touch that PHI need one as well.
- HIPAA-Compliant CRM: A customer relationship management system designed to handle Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996.
- TCPA (Telephone Consumer Protection Act): A 1991 federal law restricting commercial telemarketing calls, automated text messages, and prerecorded voice messages, heavily enforced through class-action lawsuits.