PHI most commonly stands for Protected Health Information, the legal term under HIPAA for any health data that can be linked to a specific person. If you’ve encountered this abbreviation in a medical office, insurance form, or workplace training, that’s almost certainly what it refers to. Outside of healthcare, phi (Φ or φ) is also a Greek letter used widely in math, physics, and engineering, often representing the golden ratio (1.618…) or magnetic flux.
Protected Health Information Under HIPAA
Protected Health Information is any individually identifiable health data that a healthcare provider, health plan, or health clearinghouse creates, receives, stores, or transmits. The key word is “identifiable.” A database of anonymous blood pressure readings is not PHI. The same data linked to your name, birthdate, or medical record number is.
HIPAA defines 18 specific identifiers that make health information “protected.” If even one of these is attached to health data, that data is legally PHI:
- Names
- Geographic data smaller than a state (street address, city, county, ZIP code)
- Dates directly tied to an individual (birth date, admission date, discharge date, date of death), other than the year alone, and all ages over 89
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and license plate numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photographs or comparable images
- Any other unique identifying number or code
That last catch-all category exists precisely so organizations can’t sidestep the rules by inventing a new type of identifier.
Who Has to Protect PHI
Three types of organizations are directly covered by HIPAA: healthcare providers (doctors, clinics, pharmacies, nursing homes, dentists, psychologists), health plans (insurance companies, HMOs, employer health plans, Medicare, Medicaid, and military/veterans programs), and healthcare clearinghouses that process health data between formats. A provider only counts as a covered entity if it transmits information electronically in connection with standard transactions, which in practice covers nearly every modern provider.
Any outside company that handles PHI on behalf of these covered entities, such as a billing service, cloud storage vendor, or IT contractor, is called a business associate. Business associates must sign a written agreement spelling out their responsibilities and are directly liable for certain HIPAA requirements. So the obligation to protect your health data extends well beyond the doctor’s office.
What Doesn’t Count as PHI
Not all health-related data qualifies. Employment records that a covered entity maintains in its role as an employer are explicitly excluded. So are education records covered by the Family Educational Rights and Privacy Act. If you fill out a health screening at work and your employer stores that data as part of your HR file, it falls under different rules. Health information that has been properly stripped of all 18 identifiers is considered de-identified and no longer subject to HIPAA protections.
Your Right to Access Your Own PHI
HIPAA gives you the right to request your own health records. Once you submit a request, the covered entity has 30 calendar days to respond. If it needs more time, it can take an additional 30 days, but only if it notifies you in writing during that first 30-day window, explaining the delay and giving a firm completion date. This applies to medical records, billing information, insurance claims, and other PHI the entity holds about you.
How Health Data Gets De-Identified
Organizations that want to use health data for research or analytics without HIPAA restrictions can de-identify it through two approved methods. The Safe Harbor method requires removing all 18 identifiers listed above, with no exceptions. The Expert Determination method allows a qualified statistician to analyze the data, certify that the risk of identifying any individual is “very small,” and document the methods and conclusions behind that determination. Once data is properly de-identified through either method, it is no longer considered PHI.
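The Safe Harbor rule is mechanical enough to script. The following is an added example, not code from the original article or from any HIPAA tool: it walks a constructed sample record through the 18-identifier list above, drops the direct identifiers, keeps only the year from dates, collapses ages over 89 into a single “90 or older” bucket, and scans free-text fields for identifier patterns (phone numbers, email addresses, IP addresses, URLs) that would leave the record as PHI. The field names and regular expressions are assumptions for the example; real schemas differ.

```python
"""Safe Harbor style de-identification of one patient record.

Added example, not code from the original article or any HIPAA tooling.
It applies the 18-identifier list described above to a constructed sample
record: direct identifiers are dropped, dates keep only the year, ages over
89 collapse into a single "90 or older" bucket (and the birth year goes with
them), and free-text fields are scanned for identifier patterns that would
leave the record as PHI.
"""
import re
from datetime import date

# Field names are assumptions for this example; real schemas vary.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "zip",   # geography below state level
    "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric_id", "photo",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_death"}

# Patterns that catch identifiers hiding inside free text such as clinical notes.
LEAK_PATTERNS = {
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
}


def reduce_date(value):
    """Keep only the year, the one date element Safe Harbor permits."""
    if isinstance(value, date):
        return value.year
    return int(str(value)[:4])   # assumes ISO 8601 text such as "2024-02-10"


def bucket_age(age):
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > 89 else age


def find_leaks(text):
    """Return the names of identifier patterns present in a string."""
    return sorted(name for name, pat in LEAK_PATTERNS.items() if pat.search(text))


def check_free_text(record):
    """Map each free-text field to the identifier patterns it still contains."""
    leaks = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or not isinstance(value, str):
            continue
        found = find_leaks(value)
        if found:
            leaks[key] = found
    return leaks


def deidentify(record):
    """Return a Safe Harbor de-identified copy of record.

    Raises ValueError when a free-text field still carries an identifier,
    because data with even one identifier attached is still PHI.
    """
    leaks = check_free_text(record)
    if leaks:
        raise ValueError(f"identifiers remain in free text: {leaks}")
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                     # drop the identifier outright
        if key in DATE_FIELDS:
            out[key.replace("date", "year")] = reduce_date(value)
        elif key == "age":
            out[key] = bucket_age(value)
        else:
            out[key] = value             # clinical values and state-level geography stay
    if out.get("age") == "90+":
        out.pop("birth_year", None)      # a birth year would reveal an age over 89
    return out


# Constructed sample record; every value is made up.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "street_address": "12 Example Lane",
    "city": "Springfield",
    "state": "IL",
    "zip": "00000",
    "phone": "555-010-0000",
    "email": "jane@example.com",
    "ssn": "000-00-0000",
    "mrn": "MRN-0001",
    "birth_date": date(1931, 5, 4),
    "admission_date": "2024-02-10",
    "age": 92,
    "diagnosis": "hypertension",
    "systolic_bp": 142,
    "notes": "Patient reports stress at work.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```

Run as written, the sample comes out with only state, admission year, the “90+” age bucket, and the clinical values; the birth year is dropped because, combined with an age over 89, it would be an identifier itself. The free-text scan is the part most scripts forget: the structured columns are easy to strip, but a phone number typed into a notes field keeps the whole record inside HIPAA.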
Phi as a Greek Letter
Lowercase phi (φ) and uppercase phi (Φ) appear across science and mathematics with entirely different meanings depending on the field. The most famous is the golden ratio, approximately 1.618, the proportion obtained when a line is divided into two parts so that the longer segment divided by the shorter equals the whole line divided by the longer segment. A Johns Hopkins study comparing 100 human skulls to 70 skulls from six other animals found that human skull proportions closely follow this ratio, while skulls from dogs, monkeys, rabbits, lions, and tigers diverged from it.
In physics, Φ typically represents magnetic flux, the measure of how much of a magnetic field passes through a given surface area. It’s measured in webers (Wb) and calculated from the strength of the magnetic field, the area of the surface, and the angle between the field and the surface. Phi also shows up in electrical engineering, quantum mechanics, and philosophy, where it has been proposed as a measure of consciousness in certain theoretical frameworks.
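The two definitions above, written out as equations (added here as an illustration; the derivation and symbols are not from the original article):

Golden ratio. Split a line into a longer part a and a shorter part b. The condition in words is

\[
\frac{a+b}{a} = \frac{a}{b} = \varphi .
\]

Since \(\frac{a+b}{a} = 1 + \frac{b}{a} = 1 + \frac{1}{\varphi}\), this gives

\[
\varphi = 1 + \frac{1}{\varphi}
\quad\Longrightarrow\quad
\varphi^2 = \varphi + 1
\quad\Longrightarrow\quad
\varphi = \frac{1+\sqrt{5}}{2} \approx 1.618,
\]

taking the positive root.

Magnetic flux. For a uniform field of strength B (in tesla) crossing a flat surface of area A (in square metres) whose normal makes an angle \(\theta\) with the field,

\[
\Phi = B\,A\cos\theta, \qquad 1\ \mathrm{Wb} = 1\ \mathrm{T\cdot m^2},
\]

so the flux is greatest when the field passes straight through the surface (\(\theta = 0\)) and zero when it runs parallel to it (\(\theta = 90^\circ\)).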
If you encountered “PHI” in all capitals in a healthcare or legal context, Protected Health Information is your answer. If you saw φ or Φ in a math or science context, the meaning depends on the specific field, with the golden ratio and magnetic flux being the two most common uses.