What counts as PHI? What small practices get wrong
Estimated reading time: 8 minutes
Quick scenario check. Which of these count as PHI?
- You send a client an email: "Hi John, confirming your therapy appointment at 3 PM Thursday."
- A prospective client emails you through Psychology Today: "I've been dealing with panic attacks and want to know if you take Blue Cross."
- You add "J.S. - 3 PM" to your work Google Calendar.
All three are PHI. And you're not alone if that surprises you. Most small practice providers think of PHI as clinical notes, diagnoses, or treatment records.
The reality is much broader, and misunderstanding the scope of PHI is one of the most common compliance gaps in solo and small-group practices.
"PHI has a much broader legal definition than most people expect. It's not limited to clinical notes or diagnoses. It covers any personally identifiable information related to healthcare, which includes plenty of everyday communication."
Steven O. Youngman, VP of Legal and Compliance at Hushmail
Let's walk through what PHI actually includes, clear up some common misconceptions, and give you a simple mental model you can use going forward.
TL;DR: PHI is any information that identifies a person and relates to their health, healthcare, or payment, when handled by a provider or business associate.
- PHI applies even before someone becomes a client
- Appointment reminders and scheduling messages are still PHI
- Initials and other partial identifiers can still identify someone
- Removing names alone does not make information de-identified under HIPAA
- If a tool handles PHI on your behalf, you need a Business Associate Agreement (BAA)
Simple rule: If you can identify the person, connect the information to care, and you're handling it as a provider, treat it as PHI.
What is PHI?
Under the HIPAA Privacy Rule, PHI is individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate.
Before we go deeper, here's a quick way to think about PHI. Ask yourself three questions:
- Can the person be identified?
- Does the information relate to health, healthcare, or payment?
- And are you handling it in your role as a provider?
👉 If the answer to all three is yes, it should be treated as PHI.
PHI is any information that:
- Identifies a person, or could be used to identify them
- Relates to their past, present, or future health, healthcare services, or payment for healthcare
- Is held or transmitted by a covered entity or business associate
That last part matters. Your neighbor mentioning their back pain at a barbecue is not PHI. But the moment that same information sits in your inbox, your scheduling tool, or your voicemail, it becomes PHI because you're holding it as a healthcare provider.
Here are some examples that catch providers off guard:
| Scenario | Why it's PHI |
|---|---|
| A voicemail confirming an intake appointment | Identifies the caller + connects them to a healthcare service |
| A client's name on your therapy schedule | Name + connection to receiving therapy |
| An email confirming an appointment time | Identifies the person + healthcare context |
| A prospective client emailing about symptoms | Health information + identifiable person, even before intake |
| A billing record showing a co-pay | Payment for healthcare + identifiable individual |
For more on voicemails specifically, check out our guide to HIPAA-compliant voicemails.
The 18 HIPAA identifiers

For reference, here are the 18 types of identifiers that must be removed under the Safe Harbor method:
- Names
- Geographic data smaller than a state
- Dates (except year) related to an individual
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers
- Full-face photographs and comparable images
- Any other unique identifying number or code
🚨 Remember: If a derivative of an identifier could reasonably be used to identify the person, it is still considered identifiable under HIPAA. Initials derived from a name, a partial date of birth, or a truncated Social Security number are still identifiers.
Does PHI only apply after someone becomes a client?
No. This is one of the most common misunderstandings, and it comes down to one word: future.
Under HIPAA, PHI includes information related to past, present, or future healthcare services. When someone shares identifiable information in connection with seeking care, it can qualify as PHI even before a formal client relationship exists.
"The keyword here is 'future'. Even if a person isn't a client yet, the fact that they're contacting you about future healthcare services makes you responsible for protecting their PHI."
Liath Dalton, Director, Person Centered Tech
Imagine this: someone finds your profile on Psychology Today and sends you a message. They share their name, mention they've been experiencing panic attacks, and ask whether you accept their insurance. You're responsible for protecting that information, even though you've never met this person.
Are appointment reminders PHI?
Yes. Even without a single clinical detail. "Hi John, confirming your 3 PM appointment on Thursday" connects an identifiable person to the fact that he's receiving services. Under HIPAA, the connection to a healthcare provider is itself a health-related context.
💡 Hushmail tip: You can still send reminders by email. Clients can request that certain low-risk messages, such as appointment reminders, be sent via regular email. This is sometimes referred to as a "HIPAA waiver," but it's actually a Request for Alternative Communication. It doesn't exempt you from HIPAA. It means your clients are making an informed, documented choice about how they receive certain PHI.
With Hushmail, you can toggle encryption on or off per message to honor these requests, and your BAA covers you either way.
Are initials considered de-identified?
No. Any part or derivative of an identifier is still an identifier under HIPAA.
So "J.S. – 3 PM" in your Google Calendar? That's still PHI. The initials are derived from the client's name, and they're sitting in a tool that connects them to a healthcare appointment with you. If a tool that stores identifiable client information does not offer a BAA, that creates a compliance risk. You don't need to become a privacy lawyer, just recognize that abbreviations derived from client info are still PHI.
"Using initials doesn't remove the identifier. Under HIPAA, any part or derivative of an identifier still counts. If those initials in your calendar can be connected to a real person receiving healthcare services, you're still looking at PHI."
Steven O. Youngman, VP of Legal and Compliance at Hushmail
In other words, the information hasn't been de-identified. It has only been abbreviated. If the initials or shortened details can still be connected to a specific person receiving care, the information remains identifiable and is still considered PHI under HIPAA.
What does HIPAA actually mean by de-identification?
This is where things get a little more technical, but it's worth understanding because the terms "anonymization" and "de-identification" are often used interchangeably, and they shouldn't be. Under HIPAA, de-identification has a specific legal meaning, and the bar is higher than most people expect.
HIPAA recognizes two methods for de-identification:
- The Safe Harbor method, which requires removing all 18 identifiers and ensuring there is no reasonable basis to identify the individual.
- The Expert Determination method, which involves a qualified expert assessing the risk of re-identification, as outlined in HHS guidance.
| HIPAA De-Identification Method | What it means | Key takeaway |
|---|---|---|
| Safe Harbor | Remove all 18 HIPAA identifiers (and any derivatives). No one with access should be able to identify the person. | Removing names alone is not enough. |
| Expert Determination | A qualified expert assesses the data and confirms that the risk of re-identification is very small. | Requires expert validation, not just a quick fix. |
This comes up often with transcripts. Providers sometimes record therapy sessions (with consent), then remove the client's name and assume the transcript is de-identified. But if it still contains details—alone or in combination with other available data—that could be linked back to an individual, such as a specific life event, a description of their family, or a reference to their workplace, it's still PHI. Context matters. If someone could reasonably recognize the individual from the content, it has not been de-identified.
"Transcripts are a common blind spot. Providers remove the client's name and feel like they've done enough, but if the content includes details that could enable someone to identify the person, the transcript is still PHI."
Steven O. Youngman, VP of Legal and Compliance at Hushmail
📌 Key takeaway: For most small practices, what matters is understanding that the bar is high. Removing names alone does not make something de-identified under HIPAA.
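To make the Safe Harbor bar concrete, here is an added example (not code from Hushmail or from this article) of a small scanner that checks a piece of text against the pattern-shaped identifier categories in the list above (phone and fax numbers, emails, SSNs, date elements, IP addresses, URLs, record and account numbers) and against a constructed client roster, including derivatives of each name such as initials. The regexes, the roster, and the sample messages are all assumptions built for illustration; a real practice would use its own client list and a vetted DLP rule set. It reproduces the article's three scenarios and the "name removed but still PHI" transcript case, and it also shows the limit the article points out: free-text context such as a workplace or a life event is not something a pattern scanner can catch.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    category: str  # which Safe Harbor identifier category matched
    text: str      # the fragment that matched


# Identifier categories with a recognizable shape. Assumption: these patterns
# are illustrative and tuned for readability, not for production recall.
PATTERNS = {
    "email address": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone/fax number": re.compile(
        r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
    "Social Security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date element (not year only)": re.compile(
        r"\b(?:\d{1,2}/\d{1,2}(?:/\d{2,4})?|"
        r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.? \d{1,2}\b)"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "web URL": re.compile(r"\bhttps?://\S+|\bwww\.\S+"),
    "record/account number": re.compile(
        r"\b(?:MRN|account|acct)\s*#?\s*:?\s*\d{4,}\b", re.IGNORECASE),
}


def name_derivatives(full_name: str) -> list[str]:
    """Forms of a name that are still identifiers under HIPAA: the full name,
    each part on its own, initials with and without periods, and first name
    plus last initial. This is the 'derivative of an identifier' rule."""
    parts = full_name.split()
    first, last = parts[0], parts[-1]
    initials = "".join(p[0] for p in parts)
    return [
        full_name,
        first,
        last,
        ".".join(initials) + ".",   # "J.S."
        initials,                   # "JS"
        f"{first} {last[0]}.",      # "John S."
    ]


def scan(text: str, roster: list[str]) -> list[Finding]:
    """Return every identifier found in `text`, pattern-based or roster-based."""
    findings = []
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append(Finding(category, match.group(0)))
    for name in roster:
        for form in name_derivatives(name):
            # Word-ish boundaries so "J.S." and "JS" match as whole tokens only.
            if re.search(r"(?<!\w)" + re.escape(form) + r"(?!\w)", text):
                findings.append(Finding("name or derivative", form))
    return findings


def is_safe_harbor_clean(text: str, roster: list[str]) -> bool:
    """True only when no identifier (or derivative) the scanner knows about
    remains. A True result is necessary, not sufficient: context that could
    still single out a person (workplace, a specific life event) needs a
    human or Expert Determination review, which no regex can replace."""
    return not scan(text, roster)


def classify(samples: dict[str, str], roster: list[str]) -> dict[str, list[str]]:
    """Map each sample label to the sorted set of identifier categories found."""
    return {label: sorted({f.category for f in scan(text, roster)})
            for label, text in samples.items()}


# Constructed sample data: a one-person roster and the article's scenarios.
ROSTER = ["John Smith"]
SAMPLES = {
    "appointment reminder": "Hi John, confirming your therapy appointment at 3 PM Thursday.",
    "calendar entry": "J.S. - 3 PM",
    "name-stripped transcript": (
        "Client reports panic attacks since 03/14. Works at a local bakery. "
        "Callback at (555) 867-5309 or j.smith@example.com."),
    "truly de-identified note": "Client in their 30s reports panic attacks; plan: weekly CBT.",
}

if __name__ == "__main__":
    for label, categories in classify(SAMPLES, ROSTER).items():
        status = "clean" if not categories else "PHI: " + ", ".join(categories)
        print(f"{label:26s} -> {status}")
```

Run as-is, the reminder and the calendar entry are both flagged on the name or its initials, the "name-stripped" transcript is still flagged on a date, a phone number and an email address, and only the last note comes back clean. Even that clean result should be read as "nothing the scanner recognizes", since the bakery reference in the transcript would survive a scan like this one unchanged; that gap is exactly why the article says removing names alone is not de-identification.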
Third-party tools and your responsibility
Now that you know appointment reminders, calendar entries, and pre-intake emails all count as PHI, here's the practical question: do the tools you're using to handle this information have BAAs?
Under HIPAA, any software company or service provider that creates, receives, maintains, or transmits PHI on your behalf is a business associate. That means you need a signed Business Associate Agreement (BAA) with them. This includes any platform where identifiable health-related information lives:
- Your email provider
- Your calendar app
- Your scheduling tool
- Your EHR or practice management system
- Any other software that stores or transmits client information
If a tool handles PHI and there's no BAA in place, that creates a compliance gap, even if the tool itself is secure.
💡 Hushmail tip: Every Hushmail plan includes a signed BAA, so you're covered for secure email and web forms from day one. Learn more in our BAA guide.
A simple mental model for PHI
When you're unsure whether something is PHI, run through this quick check:
| Question | What to ask yourself |
|---|---|
| 1. Can the person be identified? | Does the information include a name, initials, email address, phone number, or any other identifier (or derivative)? |
| 2. Does it relate to health, healthcare, or payment? | Is there a connection to a health condition, a healthcare service, or payment for care? |
| 3. Are you holding it as a provider? | Are you receiving, storing, or sending this information in your role as a healthcare provider? |
👉 If the answer to all three is yes, treat it as PHI. All three conditions need to be present. That's what separates PHI from ordinary personal information or general health content.
You don't need to memorize every HIPAA regulation to get this right. This mental model covers the vast majority of situations you'll run into in daily practice.
Your next step
Take a few minutes to look at how you handle three things: pre-intake emails, appointment reminders, and calendar entries. Are those tools covered by BAAs? If not, that's a clear place to start.
Hushmail gives you HIPAA-compliant email with a signed BAA, built for healthcare providers who want to do the right thing without overcomplicating their workflow. It covers you from first contact onward, including those early exchanges that happen before someone officially becomes your client.
"Once you understand how broad PHI is, everything else gets simpler. You stop second-guessing which messages need protection, you pick the right tools, and you make compliance part of your routine instead of something you worry about."
Steven O. Youngman, VP of Legal and Compliance at Hushmail
For a broader look at your compliance setup, check out our HIPAA checklist.
Reviewed by: Steven O. Youngman, VP of Legal and Compliance at Hushmail