Protected Health Information (PHI) Q2-2022

  • PHI is any information that applies to a health condition now, in the past, or in the future
  • If health information includes data that would let somebody identify the patient, it is classified as PHI (18 elements total):

Minimum Necessary Information

  • The minimum necessary information is the least information you need to do your job.
    • Access only the information you need
    • Only use the information to do your job
    • Limit the information you share with a person to only what he or she needs to know to do their job


  • As compliance analysts, we focus on the following rules:
  • HIPAA Privacy Rule – Governs the use and disclosure of PHI. Applies only to covered entities. Covers all formats of PHI (paper, verbal and electronic). Privacy rules are issued by HHS.
  • HIPAA Security Rule – Protects the privacy of electronic protected health information (e-PHI). Ensures the confidentiality, integrity, and availability (CIA) of the e-PHI. It focuses more on the electronic format of PHI.
  • The HIPAA requirement flow: Security Rule / Security Safeguard / Standard / Section / Required or Addressable
  • A covered entity or business associate must comply with a required implementation specification. For example, all covered entities and business associates, including small providers, must conduct a “Risk Analysis” in accordance with Section 164.308(a)(1) of the Security Rule.
  • For addressable implementation specifications, covered entities must perform an assessment to determine whether the specification is a reasonable and appropriate safeguard in the covered entity’s environment. After performing the assessment, an organization decides if it will:
    • Implement the addressable implementation specification as stated;
    • Implement an equivalent alternative measure that allows the entity to comply with the standard; or,
    • Not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment.
