
Protected Health Information (PHI)

Protected Health Information (PHI) is any individually identifiable health data—clinical, demographic, or financial—created, received, or transmitted by a HIPAA-covered entity or its business associates that relates to a patient's past, present, or future health, treatment, or payment for care.

Verified May 8, 2026 · 5 sources

Drawn from: NIH, HIPAA Journal, Marvelous Medical Billing, Medical Billing and Coding, AMA

Definition

Source · Editorial summary grounded in 5 cited references

Under HIPAA, PHI encompasses a broad set of identifiers that, alone or in combination, can link a piece of health information back to a specific individual. This includes obvious identifiers such as patient names, dates of birth, Social Security numbers, and medical record numbers, as well as less obvious ones like geographic data smaller than a state, full-face photographs, biometric data (fingerprints, voiceprints), device identifiers, and IP addresses. The information qualifies as PHI regardless of whether it is stored on paper, spoken aloud, or transmitted electronically—the last category being specifically called electronic PHI (ePHI).

In an orthopedic practice, PHI surfaces constantly: a pre-operative note documenting a patient's fracture history, an imaging report attached to an X12 837 claim, a surgical consent form, or even a scheduling record linking a patient's name to a procedure date. Covered entities include health plans, clearinghouses, and any provider who transmits health information electronically. Vendors who handle that data on a covered entity's behalf—billing services, coding companies, EHR vendors—are business associates and must sign a Business Associate Agreement (BAA) before accessing any PHI.

The HIPAA Privacy Rule governs permitted uses and disclosures of PHI, while the Security Rule sets specific administrative, physical, and technical safeguard requirements for ePHI. Penalties for non-compliance range from $100 to $50,000 per violation, with annual caps up to $1.9 million per violation category, and willful neglect can result in criminal prosecution. For orthopedic coding teams, PHI protection is not an abstract obligation—it is a concrete daily workflow requirement baked into how charts are accessed, how claims are built, and how audit materials are shared.

Why it matters

An orthopedic practice that allows a coder to pull full patient records beyond what is needed to assign a single procedure code is violating HIPAA's minimum-necessary standard—a finding that surfaces in payer audits and OIG investigations and can trigger corrective action plans, civil monetary penalties, or loss of Medicare participation. Conversely, over-restricting PHI access can cause coders to query the wrong documentation, leading to unsupported codes, claim denials, and delayed reimbursement for high-value orthopedic procedures like total joint arthroplasty or complex spinal surgery. Getting PHI access rights calibrated correctly is therefore a direct driver of both compliance posture and revenue cycle performance.

Common mistakes

Where people most often go wrong with this concept.

Source · Editorial brief grounded in cited references

  • Treating only electronic records as PHI—paper operative reports, handwritten charge tickets, and verbal conversations in shared spaces are equally covered.
  • Emailing claim attachments or operative notes to payers or consultants via unsecured standard email, which constitutes an unauthorized ePHI disclosure.
  • Assuming a de-identified record is automatically PHI-free without applying one of HIPAA's two approved de-identification methods (Expert Determination or Safe Harbor).
  • Failing to execute a Business Associate Agreement with coding vendors, billing services, or clearinghouses before granting PHI access.
  • Granting coders broad EHR access beyond the records needed for their current coding task, violating the minimum-necessary access principle.
  • Overlooking scheduling and appointment data as PHI—a patient's name linked to a procedure date and provider is individually identifiable health information.
  • Confusing 'consent for treatment' with authorization to disclose PHI to third parties; treatment disclosures are permitted without separate authorization, but many other disclosures are not.
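A check for the Safe Harbor method referred to above, as an added example that is not part of the original page or of any product it mentions: it applies the 18-identifier Safe Harbor rules to a constructed orthopedic record, generalising dates, ZIP code and age and redacting identifier patterns in free text, and reports which identifier classes were present, so that dropping only the name and MRN is shown to leave the record as PHI. The field names, the low-population ZIP prefix set and the sample record are assumptions.

```python
import re
# Constructed field names for the example; real EHR exports will differ.
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email", "ip_address",
                      "device_serial", "health_plan_id", "photo", "fingerprint"}
DATE_FIELDS = {"dob", "procedure_date", "admission_date", "discharge_date"}
# 3-digit ZIP prefixes covering 20,000 people or fewer must become 000;
# this set is a constructed placeholder, not the Census-derived list.
LOW_POP_ZIP3 = {"036", "059", "102"}
FREE_TEXT = {  # identifier patterns that commonly leak into clinical notes
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}
def safe_harbor(record):
    """Return (scrubbed, residual): residual names each identifier class that
    had to be removed or generalised, so an empty list means the input
    already met Safe Harbor and was not PHI."""
    scrubbed, residual = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            residual.append(field)                  # dropped entirely
        elif field in DATE_FIELDS:
            year = str(value)[:4]                   # year alone is permitted
            scrubbed[field] = year
            if str(value) != year:
                residual.append(f"{field}:day-month")
        elif field == "zip":
            zip3 = str(value)[:3]
            scrubbed[field] = "000" if zip3 in LOW_POP_ZIP3 else zip3
            if str(value) != scrubbed[field]:
                residual.append("zip:full")
        elif field == "age" and str(value) != "90+" and int(value) > 89:
            scrubbed[field] = "90+"                 # ages over 89 aggregate
            residual.append("age:over-89")
        elif field == "note":
            text = str(value)
            for kind, pat in FREE_TEXT.items():
                if pat.search(text):
                    residual.append(f"note:{kind}")
                    text = pat.sub("[REDACTED]", text)
            scrubbed[field] = text  # names in free text still need human review
        else:
            scrubbed[field] = value                 # codes and findings stay
    return scrubbed, residual

SAMPLE = {  # constructed record, not a real patient
    "name": "Jane Example", "mrn": "MRN-0042", "dob": "1931-07-14", "age": 94,
    "zip": "03601", "ip_address": "10.0.0.7", "procedure_date": "2026-03-02",
    "cpt": "27447", "icd10": "M17.11", "note": "Call 555-0137 re: fracture history.",
}
```

Running `safe_harbor` on the output a second time returns an empty residual list, which is the check that the scrubbed record now meets the standard; a record with only `name` and `mrn` removed does not.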

Frequently asked questions

Source · Generated from the editorial pipeline, verified against 5 cited references

01. Does PHI protection apply to orthopedic coding staff who only see data on-screen briefly?
Yes. Any access to individually identifiable health data—even a momentary on-screen review to confirm a diagnosis code—constitutes handling PHI. Coders must be trained, have signed confidentiality agreements, and operate under minimum-necessary access policies regardless of how brief their interaction with a patient record is.

02. Is an X-ray or MRI image itself considered PHI?
Yes. A radiographic image attached to a patient record is PHI when it can be linked to an individual. Standalone images with all 18 HIPAA identifiers stripped away under the Safe Harbor method would not be PHI, but images as they normally exist in an orthopedic EHR or PACS clearly qualify.

03. What is the difference between PHI and ePHI?
PHI is the broad category covering all formats—paper, oral, and electronic. ePHI is the subset stored or transmitted in electronic form and is subject to the additional technical and physical safeguard requirements of the HIPAA Security Rule, such as encryption at rest and in transit.

04. Can orthopedic practices share PHI with their billing company without patient authorization?
Yes, but only after executing a valid Business Associate Agreement with the billing company. Sharing PHI for treatment, payment, and healthcare operations purposes is a permitted disclosure under the Privacy Rule; however, the BAA must be in place before any PHI is transmitted.

05. What are the penalties for a PHI breach in an orthopedic practice?
Civil penalties range from $100 per violation for unknowing violations up to $50,000 per violation for willful neglect that is not corrected, with annual caps per violation category reaching approximately $1.9 million. Criminal penalties apply for intentional misuse of PHI and can include imprisonment of up to 10 years in the most serious cases.

06. Does HIPAA require patient authorization before disclosing PHI for treatment purposes?
No. Treatment disclosures—such as sending operative notes to a referring physician or physical therapist—are permitted under HIPAA without separate written patient authorization. Authorization requirements apply to other disclosure types, such as releasing records to employers or for marketing purposes.

Mira AI Scribe

Mira's documentation layer interacts with PHI at every step of the orthopedic encounter capture workflow. When Mira ingests ambient or dictated clinical content to suggest diagnosis and procedure codes, it processes ePHI under the practice's BAA and applies role-based, minimum-necessary access controls so that only the data required to support a specific coding decision is surfaced to the coder or reviewed by the AI model. Mira does not retain identifiable patient content beyond the active session for training or analytics purposes without explicit practice authorization. When Mira pre-populates claim fields—patient demographics, date of service, rendering provider NPI, and ICD-10/CPT code pairs—from structured documentation, it transmits those data only through encrypted channels conforming to HIPAA Security Rule technical safeguard requirements. Audit logs of every PHI access event within Mira are maintained and available to the practice's compliance officer on request. Practices should confirm that their Mira implementation agreement includes an executed BAA, that user access roles are scoped to minimum-necessary levels, and that any export of coded claim data to clearinghouses or practice management systems routes through HIPAA-compliant secure connections. Mira flags documentation gaps that could force a coder to query additional PHI unnecessarily, reducing incidental PHI exposure while simultaneously improving coding specificity and defensibility.
