What Is PHI, really? A detailed definition

In Chapter 2 of the video course, I give a quick definition of PHI: basically, if it’s about your client, it’s PHI. It’s been my experience that professional therapists take to this concept easily because client confidentiality is drummed into our heads from day one of grad school. Any therapist who has made it past graduate school has probably integrated a strict and thorough definition of confidentiality that protects ALL client information.

But let’s give the word a more thorough definition here, just in case someone is looking for clarification of some particular nuance.

Protected health information means individually identifiable health information that is transmitted or maintained in any form or medium, including electronic media. The key concept here is “individually identifiable.” My client’s name plus their appointment time: that’s PHI. My client’s name tied to me as a provider: that’s PHI. My client’s email address tied to me as a provider: also PHI. Notice that the last two examples contain no clinical detail at all; the mere fact that an identifiable person is receiving care from me is health information. It is important that we recognize that just as no therapist would stand in the middle of a restaurant and recite the email addresses of all their clients, neither should we fail to protect those email addresses from email providers, internet providers, and anyone else who handles our messages along the way.

Other aspects of a client’s record with a therapist might include: diagnosis, prognosis, contact information, appointment times and history, text messages, financial records such as the amount owed or paid and when, and of course case management notes, progress notes, and psychotherapy notes. All of these things are PHI.

There are some exclusions to the HIPAA definition of PHI, which I will detail only briefly, since most of them won’t affect private practice therapists, and they can be confusing.

HIPAA-defined PHI excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), the student treatment records maintained by colleges and universities that FERPA also carves out, employment records held by a covered entity in its role as employer, and health information about a person who has been deceased for more than 50 years. (Note that these records still have to be protected; they simply fall under other rules. FERPA, for example, imposes its own confidentiality requirements on the education and treatment records it covers.)