Is insurance information PHI? How to collect and update it securely
TL;DR:
- Insurance information is PHI under HIPAA. Member IDs, group numbers, card images, and plan details can all identify a client and connect them to care.
- Insurance changes occur at predictable times, such as the start of a new year, after a job change or life event, or during open enrollment.
- HIPAA doesn't require one specific tool. It asks for reasonable safeguards, which means choosing a secure way to collect and store insurance information.
- A simple workflow can help: collect insurance details through a single secure form, ask "has anything changed?" once a year, and resend the form if a client's coverage may have changed.
Insurance changes rarely announce themselves. A long-term client switches jobs in March, signs new HR paperwork, and doesn't realize they also need to update you. You find out in May, when their claim comes back denied, while you're catching up on Friday billing.
Now you're looking at weeks of sessions billed to an inactive plan, a list of resubmissions, and the awkward choice between writing off the balance, paying a biller to clean it up, or making the calls yourself.
In a 2017 CommonWealth Beacon piece, a Massachusetts clinician shared the story of a private practice colleague who was asked to repay $27,000 after insurance claims were reversed months later. While unusual, this case shows how insurance issues can snowball when coverage changes go unnoticed.
You can't prevent every insurance issue. But a consistent process for collecting and updating insurance information makes problems easier to catch before they turn into weeks of denied claims.
Under HIPAA, insurance information is considered protected health information (PHI), which means practices need a secure way to collect, send, and store it.
What helps here is just having a process in place. You need a secure way to collect insurance details, a small set of moments to proactively check in, and a habit of resending the form whenever a client's coverage changes.
"Insurance information might feel like billing data, but under HIPAA, it's PHI. Member IDs, group numbers, card images, and plan details are all tied to a person seeking care. That's exactly the kind of information HIPAA was written to protect."
Steven O. Youngman, VP of Legal and Compliance at Hushmail
Is insurance information PHI?
Yes, and not just the policy number.
Under HIPAA, PHI is any individually identifiable health information held or transmitted by a covered entity. That covers a lot more than chart notes. When you collect a member ID, a group number, a plan name, or a photo of an insurance card, you're holding information that ties a specific person to a specific health benefit. That's PHI.
For a deeper breakdown of what does and doesn't count, see our post on what counts as PHI.
Why card images require extra care
Insurance card photos often bundle several pieces of sensitive information in a single upload, including names, member IDs, group numbers, and plan details. That's one reason practices should collect and store them through secure, organized workflows.
Why accurate insurance information matters for your practice
Accurate insurance information does real work. When a claim comes back denied, it's often the first place to check.
A few specific reasons it matters:
- Benefits verification. Confirming you're in-network for a client's specific coverage. Most insurers offer multiple plan options, each with different benefits, copays, and deductibles. You need plan-level detail to know what gets covered.
- In-network vs. out-of-network. If you're not credentialed with a client's insurer, you're out-of-network for them. That changes how billing works (direct billing versus superbill) and how the client pays.
- Avoiding billing delays. Missing group numbers, outdated member IDs, or unclear card photos can slow claim submission.
- Preventing unnecessary admin work. Even small insurance issues can create extra calls, repeated follow-ups, billing delays, and additional work for solo or part-time practices.
Insurance changes more often than you'd think
Insurance changes don't always get mentioned right away. Clients may not realize a coverage change can affect therapy billing unless they're asked directly.
The changes themselves are pretty predictable. They tend to cluster around a small handful of moments:
- The start of a new calendar year. New plans take effect on January 1. Even if a client kept the same insurer, deductibles reset, and coverage details sometimes shift.
- Job changes. New employer, new insurance. This is one of the most common reasons billing issues start surfacing for an established client.
- Returning to therapy after a break. Whatever was on file before may not match what they're covered by now.
- Qualifying life events. Marriage, divorce, the birth of a child, or loss of a job all allow a person to enroll outside the normal window. Each one can change coverage.
- Open enrollment periods. Clients may change insurance plans during annual enrollment windows, especially if they buy coverage through the healthcare marketplace.
Sometimes the first sign that something changed is a denied claim. By then, sessions may already have been billed under outdated coverage, creating extra follow-up and administrative work.
This is why most of the work is on the front end. Build a few moments into your workflow where you ask the client directly, and you’re more likely to catch changes before they create problems.
Where insurance collection goes wrong
Most billing problems don't come from one big mistake. They usually come from a few small shortcuts that pile up over time.
How it usually happens:
- You ask for insurance details once at intake and never check again.
- You allow clients to text or email a photo of their card.
- Clients send the front in one email and the back in another, two days later.
- You collect card images through an intake form that wasn't built with PHI in mind.
- Paper copies pile up in a folder somewhere "for now."
Each shortcut feels efficient at the moment. Stacked together, they create three patterns that quietly cost you time and money:
- Incomplete submissions. Missing information, outdated policy details, or partial card uploads create gaps that must be resolved before billing can move forward.
- Fragmented communication. Pieces of one client's insurance info scattered across email, text, paper, and notes.
- Repeated follow-ups. You’re asking clients for the same information multiple times because updates never fully land in one place.
💡 Hushmail tip: A secure form gives clients one encrypted place to upload insurance details and card photos, instead of sending them across multiple emails or text messages. You're more likely to receive complete information the first time, and your client doesn't have to think about what they forgot to attach.
What HIPAA requires for insurance information
HIPAA doesn't mandate a specific form builder, app, or email provider. It asks you to implement "reasonable safeguards" to protect PHI.
For insurance information specifically, that translates to a few practical principles:
- Protected in transit. The method a client uses to send you a member ID or card photo should be encrypted. Standard email and text messaging may not provide the protections needed for transmitting PHI securely.
- Stored securely. Wherever the information lives, whether that's your inbox, your practice management system, or a folder of forms, access should be protected and limited to the people who need it.
- A BAA with anyone who handles it. If a third-party platform collects, stores, or processes that data on your behalf, you need a Business Associate Agreement (BAA) on file.
"HIPAA doesn't tell you which form builder or email service to use. It asks you to protect PHI during transmission and ensure only the right people can access it. For insurance information, that usually comes down to one question: is the tool you're using secure and covered by a BAA?"
Steven O. Youngman, VP of Legal and Compliance at Hushmail
HIPAA gives practices flexibility in how they handle insurance information. But it's still your responsibility to choose tools and workflows that protect PHI.
A simple, secure workflow for collecting and updating insurance information
The workflow itself doesn't have to be complicated. The harder part is being proactive about when you ask, not what you ask.
At intake: one form.
Instead of spreading insurance details across a string of emails, send one secure intake form that captures everything you need in a single submission:
- Insurance details (member ID, group number, plan name, insurer phone)
- Front and back card photo uploads
- Emergency contact information
- Consent paperwork
When it all arrives together, you don't have to track down what's missing, and your client doesn't have to remember what they still owe you.
At the start of each year: schedule a check-in.
The first few weeks of January are when many new insurance plans and benefit changes take effect. Build the "has your insurance changed?" message into your calendar so it actually happens, not just in theory. If you also see private-pay clients, you can pair this with the year-start work you're already doing for them, like sending Good Faith Estimates or rate change notices. That way, the entire annual refresh becomes a single routine instead of a separate task.
After predictable life events: resend the form.
If a client mentions a new job, a divorce, a baby, or a return to therapy after a break, that's the moment to resend the form. You don't have to wait for a denied claim to find out something changed.
Store submissions in one secure place.
Wherever you store client information, the goal is a single secure location with access controls. Not scattered across email, paper, and sticky notes.
💡 Hushmail tip: Hushmail's Insurance Information form template covers the fields most insurance-based practices need, including secure uploads for the front and back of a client's card. Your client completes the form from any device, and submissions land directly in your secure inbox.
Your next step
You don't have to overhaul your whole intake process to make insurance collection easier. Pick one of these:
- Set up a secure intake form that includes insurance information, and send it to new clients going forward.
- Block a date on your calendar in early January to send active clients a quick “has anything changed with your insurance?” email along with a secure update form.
Both moves take less than an hour to set up and can save you admin headaches by catching an insurance change before it creates billing delays or claim issues.
For the client, the experience is simple. They get a notification with a link, complete the form on their phone or laptop, upload card photos, and they're done. No app to install, no special software to set up.
If you want to step back and look at your whole compliance picture, our HIPAA compliance checklist is a useful place to start.
"A secure, consistent process for collecting and updating insurance information helps you catch changes earlier, before they turn into billing delays or denied claims. That's where compliance and good practice start to overlap."
Steven O. Youngman, VP of Legal and Compliance at Hushmail
Ready to collect insurance information securely?
Hushmail gives clients a secure way to submit insurance details and card photos via an encrypted channel, with everything delivered to your secure inbox.
Reviewed by: Steven O. Youngman, VP of Legal and Compliance, Hushmail.