What is PHI? A Simple Guide for Therapists
- Monica Camino

- Mar 17
- 5 min read
Updated: Apr 16
Therapists work with extremely sensitive client information every day. Session notes, treatment details, billing records, and even appointment schedules all contain private data about a person’s health.
Because of this, the Health Insurance Portability and Accountability Act (HIPAA) requires covered healthcare providers, and the business associates who handle data for them, to follow strict rules when handling protected health information (PHI).
Understanding what counts as PHI and how to protect it is essential for maintaining client trust and avoiding compliance violations.

What Is PHI?
PHI stands for Protected Health Information. Under HIPAA it means individually identifiable health information that a covered entity (such as a therapy practice) or its business associate creates, receives, stores, or transmits: any information about a person's physical or mental health, the care they receive, or payment for that care, that identifies the person or could reasonably be used to identify them. It covers far more than diagnosis notes; it includes demographic and clinical details tied to care, payment, or healthcare operations.
PHI can exist in different formats, including:
Written records and medical charts
Verbal conversations between healthcare providers
Digital files stored in electronic systems
Emails, text messages, or billing documents
PHI that is created, stored, or transmitted electronically is called ePHI, and a simple HIPAA checklist helps keep it safe. It includes data in electronic health records, ABA therapy documentation systems, practice management software, cloud storage platforms, and ABA billing claim submissions.
Protected health information examples
To make this easier, here are some common examples of protected health information in a therapy setting:
A child’s therapy evaluation with their full name
Session notes linked to a patient ID (learn more about writing ABA SOAP notes for accurate therapy documentation)
A treatment plan emailed to a parent
A billing statement showing diagnosis and balance due
An appointment reminder that includes the patient’s name and clinic
A claim submission with diagnosis codes and insurance details
A voice message referencing a client’s therapy services
These are all examples of protected health information because they connect identifiable details to health services.
What Are the 18 HIPAA Identifiers?
HIPAA's Safe Harbor de-identification standard lists 18 identifiers. When any of them appears together with health or payment information, the record is individually identifiable and is treated as HIPAA-protected health information. The 18 identifiers are:
Names
Geographic subdivisions smaller than a state (street address, city, county, precinct, and ZIP code, except the first three digits where that area contains more than 20,000 people)
All elements of dates (except year) directly related to an individual, such as birth, admission, discharge, and death dates, and any age over 89
Telephone numbers
Fax numbers
Email addresses
Social Security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate or license numbers
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Web URLs
IP addresses
Biometric identifiers, including finger and voice prints
Full-face photographs and comparable images
Any other unique identifying number, characteristic, or code

If all 18 identifiers are removed and the practice has no actual knowledge that the remaining information could still identify the person, the data is de-identified and HIPAA no longer treats it as PHI. (HIPAA also accepts a documented statistical determination by a qualified expert as a second de-identification method.) If any identifier remains in the record, the information must be handled and protected as HIPAA-protected health information. If you're new, it helps to know why HIPAA is important for ABA providers and how it guides daily work.
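To show how the Safe Harbor rules play out on a real record, here is an added Python example; it is not code from this article. It applies the 18-identifier rules to a constructed, fictional client record whose field names are hypothetical: direct identifiers are dropped, ZIP codes are cut to three digits (000 for the low-population prefixes in HHS guidance), dates keep only the year, ages over 89 collapse to 90+, and free-text notes are scanned for identifiers that field-level rules miss.

```python
"""Safe Harbor de-identification check for a therapy record.
Added example; field names, the sample client and the ZIP prefix list
are constructed/assumed and must be mapped to and verified for your data.
"""
import re
from datetime import date

# Fields dropped outright under Safe Harbor (direct identifiers). Hypothetical names.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "guardian_name", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric_id", "photo", "client_code",
}
# Geographic units smaller than a state are dropped; ZIP is handled separately.
GEO_FIELDS = {"street_address", "city", "county", "precinct"}
# Dates tied to the individual keep only the year.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "session_date"}
# Three-digit ZIP prefixes covering 20,000 or fewer people (HHS list based on
# the 2000 Census). Assumption: verify against current guidance before use.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}
# Identifier patterns that leak into free text such as session notes.
RESIDUAL_PATTERNS = [
    ("phone", re.compile(r"\b\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")),
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("date", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b")),
]


def generalize_zip(zip_code):
    """Keep the first three ZIP digits, or 000 for low-population prefixes."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3 else zip3


def generalize_date(iso_date):
    """Reduce an ISO date (YYYY-MM-DD) to its year."""
    return str(date.fromisoformat(iso_date).year)


def generalize_age(age):
    """Ages over 89 are aggregated into a single 90+ category."""
    return "90+" if age > 89 else age


def find_residual_identifiers(text):
    """Return (label, match) pairs for identifier patterns found in free text."""
    return [(label, m.group(0)) for label, pat in RESIDUAL_PATTERNS
            for m in pat.finditer(text)]


def redact_free_text(text):
    """Replace identifier patterns in free text with a labelled placeholder."""
    for label, pat in RESIDUAL_PATTERNS:
        text = pat.sub(f"[{label} removed]", text)
    return text


def de_identify(record):
    """Apply the structural Safe Harbor rules field by field; returns a new dict."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in GEO_FIELDS:
            continue
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        else:
            out[key] = value
    return out


def safe_harbor_complete(record):
    """True only if no identifier field survives and no string value still
    matches a residual identifier pattern."""
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in GEO_FIELDS:
            return False
        if isinstance(value, str) and find_residual_identifiers(value):
            return False
    return True


# Constructed sample record: a fictional client, hypothetical field names.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "date_of_birth": "2016-04-09",
    "age": 8,
    "street_address": "12 Example Lane",
    "zip": "02134",
    "phone": "555-867-5309",
    "email": "pat.sample@example.com",
    "medical_record_number": "MRN-000123",
    "session_date": "2024-03-05",
    "diagnosis_code": "F84.0",
    "session_note": "Worked on requesting; mom (555-867-5309) reports progress at home.",
}

if __name__ == "__main__":
    stripped = de_identify(SAMPLE_RECORD)
    print("after field removal:", safe_harbor_complete(stripped), stripped)
    stripped["session_note"] = redact_free_text(stripped["session_note"])
    print("after free-text redaction:", safe_harbor_complete(stripped))
```

The last check is the point of the example: removing identifier columns is not enough. The session note in the sample still carries a phone number, so the record only passes once the free text is redacted too. And even a clean automated pass does not by itself satisfy Safe Harbor, which also requires that you have no actual knowledge that the remaining information could identify the person.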
How to Protect PHI in Therapy Practice
Protecting PHI is not only required by law but also essential for maintaining client confidence. Below are several practical steps therapists can follow.
Know Where PHI Appears in Your Practice
Before a practice can protect PHI, staff must recognize where it exists in normal workflows. In therapy settings, PHI appears in many routine documents and systems.
Common examples of protected health information (PHI) include:
Intake forms containing demographic and medical details
Assessment reports and diagnostic evaluations
Session documentation, such as SOAP or DAP notes
Treatment plans and progress reports
Insurance authorizations, EOBs, and claim records
Emails or messages discussing client symptoms or care
Electronic protected health information (ePHI) stored in EHR systems, billing software, or cloud storage
If a record contains health information together with personal identifiers, it should be treated as HIPAA-protected health information.
Use Secure Systems for Electronic PHI
A large portion of healthcare information is now stored digitally. Because of this, therapy practices must take steps to protect electronic protected health information (ePHI).
Practical security measures include:
Using HIPAA-compliant EHR, practice management, or billing systems
Enabling multi-factor authentication for staff accounts
Protecting devices with strong passwords or biometric locks
Avoiding consumer email or storage tools without proper security agreements
Limiting the amount of PHI stored on mobile devices
Secure digital systems reduce the risk of unauthorized access to HIPAA-protected health information.
Limit Access Using the Minimum Necessary Rule
The minimum necessary rule requires healthcare organizations to use, request, or disclose only the amount of protected health information needed to complete a task. It does not apply to disclosures to, or requests by, a healthcare provider for treatment, which is why clinicians can see a client's full record.
In a therapy clinic, this may include:
Front desk or billing teams viewing only scheduling or claim information
Clinicians accessing full treatment records when needed for care
Supervisors reviewing limited documentation for clinical support
Role-based access controls, with access denied unless a role is explicitly granted it, ensure that staff only see the PHI required for their responsibilities.
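As an added example (not code from this article or from any EHR product), the following Python code applies the minimum necessary rule as a field-level projection: each role is mapped to the record fields its job needs, anything not listed is withheld, clinicians get clinical detail only for clients on their own caseload, and every access is logged. The roles, field groups, caseload rule, and sample record are all hypothetical.

```python
"""Minimum-necessary projection of a client record by role.
Added example; roles, field groups, the caseload rule and the sample
record are hypothetical, not taken from the article or any product.
"""

# Field groups a record is divided into (hypothetical names).
FIELD_GROUPS = {
    "scheduling": {"client_id", "appointment_time", "clinician_id"},
    "billing": {"client_id", "insurance_id", "cpt_code", "diagnosis_code", "balance_due"},
    "clinical": {"client_id", "diagnosis_code", "treatment_plan", "assessment", "session_notes"},
    "supervision": {"client_id", "treatment_plan", "assessment"},
}

# Deny by default: a role sees only the groups listed for it, nothing else.
ROLE_POLICY = {
    "front_desk": {"scheduling"},
    "billing": {"scheduling", "billing"},
    "clinician": {"scheduling", "clinical"},
    "supervisor": {"scheduling", "supervision"},
}

# Every access attempt is recorded so disclosures can be reviewed later.
AUDIT_LOG = []


def allowed_fields(user, client_id):
    """Fields `user` may see for `client_id` under the policy above."""
    groups = set(ROLE_POLICY.get(user["role"], set()))
    # Assumed treating-relationship rule: full clinical detail only for
    # clients on the clinician's own caseload; otherwise scheduling only.
    if "clinical" in groups and client_id not in user.get("caseload", set()):
        groups.discard("clinical")
    fields = set()
    for group in groups:
        fields |= FIELD_GROUPS[group]
    return fields


def view_record(user, record):
    """Return the part of `record` the user may see and log the access."""
    fields = allowed_fields(user, record["client_id"])
    projection = {k: v for k, v in record.items() if k in fields}
    AUDIT_LOG.append({
        "user_id": user["user_id"],
        "role": user["role"],
        "client_id": record["client_id"],
        "fields_returned": sorted(projection),
        "fields_withheld": sorted(set(record) - fields),
    })
    return projection


# Constructed sample record for a fictional client.
SAMPLE_RECORD = {
    "client_id": "C-001",
    "appointment_time": "2024-03-05T15:00",
    "clinician_id": "u-clin-1",
    "insurance_id": "HP-99887766",
    "cpt_code": "97153",
    "diagnosis_code": "F84.0",
    "balance_due": 45.00,
    "treatment_plan": "Functional communication training, 10 hrs/week",
    "assessment": "VB-MAPP, level 2",
    "session_notes": "Client requested a break with the card 4 times; no aggression.",
}

if __name__ == "__main__":
    for user in (
        {"user_id": "u-desk-1", "role": "front_desk"},
        {"user_id": "u-clin-1", "role": "clinician", "caseload": {"C-001"}},
        {"user_id": "u-clin-2", "role": "clinician", "caseload": {"C-002"}},
        {"user_id": "u-sup-1", "role": "supervisor"},
    ):
        print(user["role"], sorted(view_record(user, SAMPLE_RECORD)))
    print(AUDIT_LOG[-1])
```

Two design choices carry the weight here. An unknown role gets an empty projection rather than an error that might be caught and ignored, and the audit entry records what was withheld as well as what was returned, which is what you need when reviewing whether a disclosure exceeded the minimum necessary.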
Create Clear Written Policies and Procedures
HIPAA requires healthcare organizations to maintain written policies explaining how protected health information (PHI) is handled and protected.
These policies should outline:
How PHI is secured in paper, electronic, and verbal formats
Who is allowed to access different types of information
How patients request copies of their records
The process for obtaining authorization to share PHI
Staff training requirements for privacy and compliance
Procedures for reporting and responding to privacy breaches
How the practice works with external vendors or business associates
Policies should reflect the actual workflow of the practice, not just copied templates.
Train Staff on HIPAA and PHI Handling
Every person who works with patient information should understand how to protect HIPAA-protected health information.
Training should explain:
What protected health information includes
The practice’s privacy policies and procedures
Secure handling of electronic and paper records
Proper use of email, messaging, and documentation systems
How to recognize and report possible privacy violations
For added support, teams can refer to this guide on protecting ABA documents step by step.
Secure Physical Records and Workspaces
While many systems are digital, paper records and physical spaces can still expose protected health information (PHI).
Therapy practices should use safeguards such as:
Locking file cabinets containing PHI
Securing storage rooms when not in use
Positioning computer screens away from public areas
Using privacy filters on monitors
Shredding documents before disposal
Following a clean desk policy so records are not left visible
These steps reduce the chance of unauthorized access to sensitive client information.
What Happens If PHI Is Mishandled?
Mishandling protected health information (PHI) can create legal, financial, operational, and reputational damage.
Legal penalties
HIPAA violations can lead to fines, corrective action plans, and formal investigations. Penalties are tiered by culpability, from violations the provider could not reasonably have known about up to willful neglect that is not corrected.
Loss of client trust
This is often the highest cost in therapy. Once a client feels their privacy is not safe, the therapeutic relationship may suffer. Referrals may drop too, especially in local communities where trust spreads by word of mouth.
Operational stress
A privacy incident can force a practice to stop and respond. That may include internal reviews, breach notifications to affected individuals and to HHS (and to the media for larger breaches), policy changes, legal consultation, and staff retraining. Even a single mistake can drain time and energy.
Reputation damage
In behavioral health, privacy is part of your professional identity. Mishandling HIPAA-protected health information may raise concerns with clients, referral partners, payers, and auditors.
FAQ
1. What is considered protected health information?
Protected health information includes any data connected to a person’s health, treatment, or healthcare payment that can identify them, such as names, medical records, diagnoses, treatment notes, or insurance and billing details.
2. What is not covered by PHI?
Information that cannot identify a patient is not considered PHI. Examples include fully de-identified health data, general health statistics, or records that do not contain personal identifiers linked to healthcare services.
3. What is the difference between HIPAA and PHI?
HIPAA is the federal law that protects patient health information, while PHI refers to the actual medical, treatment, or billing data about a patient that HIPAA requires healthcare organizations to safeguard.



