HIPAA Compliance for Healthcare Staff: What Counts as Protected Health Information (PHI)

Chapter 1

Estimated reading time: 7 minutes


PHI vs. Non-PHI: The Practical Definition

Protected Health Information (PHI) is individually identifiable health information that relates to a person’s past, present, or future physical or mental health, the care they receive, or payment for that care—and that can identify the person (directly or indirectly). PHI can be spoken, written, printed, or electronic.

In daily work, the key question is not “Is this medical?” but “Could this reasonably point to a specific patient when combined with what’s being shared?”

What makes information “identifiable”?

Information is identifiable when it includes a direct identifier (like a name) or when a combination of details could allow someone to figure out who the patient is (for example, “the mayor’s wife in room 412 who had a stroke this morning”).

Non-PHI (what it is and what it isn’t)

Non-PHI is information that does not identify a patient and is not linked to an identifiable person’s health care or payment. Examples include:

  • General education: “High blood pressure can increase stroke risk.”
  • De-identified or truly anonymous data: “We saw 18 flu cases last week” (when no one can reasonably identify the individuals).
  • Operational info without patient linkage: “The CT scanner is down for maintenance.”

Important nuance: A diagnosis by itself may be non-PHI in a textbook. But in a hospital hallway, “the patient with HIV in room 12” can become PHI because it links health information to an identifiable person/location.


Common PHI Elements You’ll See Every Day

PHI often appears as a mix of identifiers and care/payment details. Treat the following as PHI when connected to a patient:

  • Names (full name, last name, initials when context identifies the person)
  • Medical record numbers (MRNs) and account numbers
  • Dates tied to care (visit dates, admission/discharge dates, procedure dates)
  • Diagnoses and clinical details (problem lists, test results, medications, allergies, imaging findings)
  • Room numbers or bed assignments when linked to care (e.g., “Room 8 is detoxing”)
  • Photos and images (patient face photos, distinctive tattoos, wound photos that can identify a person)
  • Device identifiers (implant serial numbers, device IDs, monitor screenshots with identifiers)
  • Billing and payment information (insurance member IDs, claims forms, payment status tied to a person)
  • Contact details (address, phone, email) when linked to health care

Quick rule of thumb

If it answers any of these about a specific person, it’s likely PHI: Who they are, where they are receiving care, what care they’re receiving, or how it’s being paid for.

Where PHI Shows Up in Everyday Clinical Work (and How It Leaks)

1) Bedside care

Common PHI sources: wristbands, bedside monitors, medication labels, care plans, rounding notes, patient charts on computers-on-wheels.

Typical risk moments: visitors in the room, roommates/curtain gaps, screens facing outward, speaking louder than necessary.

2) Hallway conversations

Common PHI sources: shift handoff “in passing,” quick consults, updates to colleagues while walking.

Typical risk moments: discussing names/diagnoses where other patients, visitors, or non-involved staff can overhear.

3) Whiteboards and door signs

Common PHI sources: patient names, procedure schedules, test results, “NPO,” “fall risk,” “isolation,” or diagnosis-specific notes.

Typical risk moments: boards visible from hallways; including more detail than needed for care coordination.

4) Lab labels and specimen handling

Common PHI sources: specimen labels with name, DOB, MRN; requisitions; barcode stickers; transport bags.

Typical risk moments: labels left on counters, printers, tubes in open bins, requisitions placed face-up.

5) Discharge papers and after-visit summaries

Common PHI sources: diagnosis, medications, follow-up appointments, provider names, patient identifiers.

Typical risk moments: papers handed to the wrong person, left in waiting areas, placed in open trash.

6) Billing forms and insurance workflows

Common PHI sources: patient identifiers plus services rendered, diagnosis codes, claim details.

Typical risk moments: discussing balances or coverage in public areas; leaving forms on shared printers.

PHI vs. Non-PHI: Side-by-Side Examples

Example                                                      | PHI?                            | Why
“Mr. Lopez in room 14 has pneumonia.”                        | Yes                             | Name + location + diagnosis identifies a patient.
“Room 14 has pneumonia.”                                     | Usually yes                     | Room number can identify a patient in a facility context.
“Pneumonia is often treated with antibiotics.”               | No                              | General education, no patient linkage.
Lab tube labeled with name + MRN                             | Yes                             | Direct identifiers.
De-identified tally: “10 pneumonia admissions this week.”    | No (if truly non-identifiable)  | Aggregate data without identifiers.
Photo of a wound that includes a face or unique tattoo       | Yes                             | Image can identify the person.
Insurance member ID tied to a patient                        | Yes                             | Payment information linked to an individual.

Paired Scenarios: Compliant vs. Non-Compliant Behaviors

Scenario Pair 1: Elevator conversation

Non-compliant: Two staff members discuss, “Did you see that patient in 6B with pancreatic cancer? His CT looked terrible,” in a public elevator with visitors present.

Compliant: They wait until they are in a private team room (or a secure clinical area where only involved staff are present) and speak in a normal tone, sharing only what the team needs for care.

Scenario Pair 2: Whiteboard visibility

Non-compliant: A hallway-facing whiteboard lists “Jane S. – STI treatment – follow-up labs Friday.”

Compliant: The board uses minimal necessary operational info (e.g., first name/initial per facility policy or a non-identifying code) and keeps sensitive details in the chart; the board is positioned/covered to reduce public visibility.

Scenario Pair 3: Printer and labels

Non-compliant: A staff member prints lab labels and leaves them on the shared printer while stepping away.

Compliant: Print only when ready to pick up immediately; retrieve labels right away; place extras in a designated secure shred bin (not regular trash).

Scenario Pair 4: Bedside screen positioning

Non-compliant: A workstation screen displays the patient’s chart facing the doorway while the clinician steps out to grab supplies.

Compliant: The clinician locks the screen before stepping away and positions monitors so passersby cannot easily view patient details.

Scenario Pair 5: Discharge paperwork handoff

Non-compliant: Discharge papers are called out by diagnosis in the waiting area: “COPD discharge for Robert!” and handed to the first person who approaches.

Compliant: Use a neutral call (or approach the patient directly), verify identity using facility-approved identifiers, and hand papers discreetly.

10-Second Practice Checks Staff Can Apply Immediately

Use these quick checks before you speak, show, print, or leave information visible. Each can be done in under 10 seconds.

Check 1: “Could someone identify the patient from this?”

  • If yes (name, room, unique story, photo, MRN), treat it as PHI.
  • If maybe, assume PHI and reduce details or move to a private setting.

Check 2: “Am I sharing the minimum necessary for the task?”

  • Share only what the listener needs to do their job right now.
  • Drop extra details (full name, full diagnosis list, unrelated history) unless required.

Check 3: “Who can hear or see this right now?”

  • Look around: visitors, other patients, open doors, hallway traffic, speakerphone.
  • If the audience isn’t involved in care/payment operations, relocate or lower detail.

Check 4: “Is this left behind?”

  • Before walking away: lock screens, collect printouts, flip papers face-down, clear label backlogs.
  • Dispose of PHI only in approved secure bins.

Check 5: “Does this include an image or device identifier?”

  • Photos, screenshots, monitor strips, and device IDs can identify patients.
  • Confirm you’re using approved tools and storing/transmitting per policy.

Step-by-Step: A Fast PHI Spotting Routine

When you encounter any information (spoken, paper, screen, label), run this quick routine:

  1. Identify the data type: name/MRN? date of visit? diagnosis? photo? room/bed? billing/insurance?
  2. Check linkage: Is it tied to a specific person (directly or by context like location or unique details)?
  3. Decide the setting: Is this a private clinical space with only involved staff? If not, move or reduce details.
  4. Apply minimum necessary: Share only what’s needed to complete the task.
  5. Secure it: lock, cover, collect, or place in secure disposal—before you step away.

Micro-Examples You Can Copy in Real Life

Safer phrasing in semi-public areas

  • Instead of: “John Smith’s biopsy came back malignant.”
  • Use: “I have an update on your patient’s results—can we step into the team room?”

Safer handling of room/bed references

  • Instead of: “Room 22 is withdrawing and needs restraints.”
  • Use: “I need assistance with a safety issue in 22—details in the room/team area.”

Safer printing behavior

  • Print only when you can immediately retrieve.
  • Stand by the printer; verify pages; remove cover sheets with identifiers; secure or shred misprints.

Now answer the exercise about the content:

Which statement best applies the practical rule for deciding whether information should be treated as Protected Health Information (PHI) in daily work?


PHI is individually identifiable health information. Even without a name, details like room/bed, unique context, or images can identify someone when combined, so they should be treated as PHI.
