PHI 101: Everything Your Staff Needs to Know About Protected Health Information (Did You Know IP Addresses Are Now On the List?)
- Practice Solutions, LLC

You entered private practice to focus on patient care, not to wrestle with bureaucratic rules. But here’s the tough reality: the process of getting paid hinges entirely on how meticulously you handle a few specific pieces of data—Protected Health Information (PHI).
If PHI seems vague or abstract to your staff, that's a problem. Getting the definition wrong is setting your practice up for unnecessary risk and compliance violations. We want to empower you to win the Claim Game, and that starts with knowing exactly what you're protecting.
Let’s zoom in on the riveting world of HIPAA compliance and break down what PHI actually includes (yes, even IP addresses!) and the key rules you need to follow to keep your data safe.
Defining the "Protected" in PHI: It’s More Than Just a Medical Chart
PHI is any identifiable health information that is created, received, or transmitted by a HIPAA covered entity. Basically, anything that can link a patient to their health journey falls under this umbrella.
When we talk about PHI, the list goes far beyond the obvious test results or diagnosis notes. It includes:
Demographic Information: Full legal names, date of birth, address, phone number, and email, among other contact information. This is all information you collect right at patient registration.
Medical History: Visits, vaccination history, and test results.
Insurance Information: ID number, policy, and subscriber information.
Specific Identifiers: This is where it gets surprisingly broad. It includes Social Security Numbers and even IP addresses.
Yes, an IP address is considered PHI! If you store or access a patient's information and that information includes their IP address, you must protect it with the same level of security as their Social Security Number. That's a crucial distinction, especially in today's cloud-based practice environment, where portal logins, telehealth sessions, and web forms all capture IP addresses alongside health data.
The Two Rules That Govern Protected Health Information (PHI)
To handle this sensitive data properly, you need to be mindful of two foundational rules: the Privacy Rule and the Security Rule.
1. The Privacy Rule: The “Who, What, and When” of Disclosure
The Privacy Rule sets the national standards for the protection of PHI. Crucially, this applies to all forms of patient health information—written, electronic, and even oral.
This rule gives patients the right to:
Obtain a copy of their health records in the form and manner that they request.
Ask for corrections to their information.
Control the use and disclosure of their information for patient care and other important purposes.
This is why, during intake, patients must fill out a HIPAA release form. If you don't have that form on file, you actually don't have permission to submit claims to the clearinghouse and the insurance company. It's a foundational step that's non-negotiable.
2. The Security Rule: Guarding the Digital Gates
The Security Rule sets national standards for protecting PHI that is in electronic form, known as ePHI.
This rule requires your practice (the covered entity) and your vendors (the business associates) to implement administrative, physical, and technical safeguards. This ensures the confidentiality, integrity, and security of all the ePHI you create, receive, maintain, or transmit.
Best Practices: 3 Non-Negotiables for Protecting PHI
Based on those two rules, here are three non-negotiable steps every practice staff member must follow when handling patient information during registration and intake.
1. Use Only Secure, HIPAA-Compliant Systems
The level of security your practice has is entirely dependent on the systems you choose.
Secure Storage: All patient data—intake forms, IDs, insurance cards—needs to be collected and stored in a secure, HIPAA-compliant system, like your EHR. Remember, all EHRs are not created equal in terms of security, so you need to look into what level of security they offer.
No Personal Devices: You should not be downloading PHI onto your work computer, and it should never sit on a desktop or in a downloads folder. Using personal devices or unencrypted cloud services to handle PHI is a violation.
2. Communicate with Intention (And Encryption)
No Gmail! You should not be interacting with patients or handling their information through an unencrypted, general-purpose email account like Gmail. If you are sharing any sensitive information, you must use secure methods of communication, such as encrypted email or a secure patient portal.
Watch the Lips: The Privacy Rule covers oral communication. Discussing a patient's information in a public space, like a waiting room, is a breach of the Privacy Rule. The case study of the staff member discussing HIV test results in the waiting room is a clear example of this issue.
3. If It’s Physical, Scan, Shred, or Lock It Down
If you must use physical forms, you need a plan for securing and destroying them.
Secure Immediately: Never keep anything face up on your desk, especially overnight. Always store paper PHI in a secured location, like a locked file cabinet, to limit physical access.
Destroy Properly: Improper disposal, like throwing documents in the regular trash, is a violation. Physical PHI must be disposed of securely through shredding, burning, or another HIPAA-compliant destruction method. Scan and shred is often the easiest path.
Next Steps: Training and Documentation
Staying compliant isn't a one-time thing; it's an ongoing practice. You need to ensure there is:
Training: Non-negotiable, ongoing HIPAA training for all staff on these rules and your practice's specific protocols.
Documentation: Establishing internal SOPs, designating a compliance officer, and keeping logs of training completion are all required steps.
The hardest part is often just getting started and putting these documents in place.
If you're finding this documentation overwhelming, know that you don't have to build it from scratch. The resources mentioned in this post—including our HIPAA Compliance Checklist, the New Employee HIPAA Training Completion Form, a software access and permission review chart, and a template for your practice’s HIPAA corrective action plan—are all available within our online learning hub, the Hourglass.
The Hourglass is your single source for clear, actionable RCM resources and guides designed to move you from compliance anxiety to confidence.
Ready to stop wrestling with paperwork and start implementing your HIPAA plan today?
Join the Hourglass and gain immediate access to our full suite of HIPAA Compliance Forms and Checklists, so you can turn compliance chaos into a clear system.