...

Ekim IT Solutions


What Is PHI and How Must Dental Practices Protect It

[Featured image: the letters PHI over a medical caduceus symbol]
HIPAA Compliance Guide

Every dental practice handles protected health information every single day. It is in your patient charts, your appointment schedules, your insurance claims, and your X-ray files. Most dental teams know they need to protect it. Fewer can define exactly what it is.

Understanding what counts as PHI is the starting point for HIPAA compliance. You cannot protect information you have not identified. Here is what PHI actually is, what it includes in a dental setting, and what your practice is required to do about it.

HHS Definition

HHS lists 18 identifiers in the HIPAA Privacy Rule's Safe Harbor de-identification standard, among them names, dates directly related to an individual (such as dates of birth), phone numbers, email addresses, Social Security numbers, health plan numbers, and full-face photographs. Health information that carries any one of these identifiers is individually identifiable, and therefore PHI.

A patient's name attached to any health information, including the bare fact that the person is a patient of your practice, is enough to constitute PHI. That means nearly every piece of paper and every file in your practice qualifies.

What PHI Means

Protected health information, or PHI, is any individually identifiable health information held or transmitted by a covered entity or its business associates. The HIPAA Privacy Rule defines it as information that relates to a patient’s past, present, or future physical or mental health condition, the provision of healthcare to that individual, or payment for that healthcare, and that identifies the individual or could reasonably be used to identify them.

In simpler terms: if the information connects a person to their health data, it is PHI. And in a dental office, that connection happens constantly.

Not sure if your practice is handling PHI the right way? We handle HIPAA technical safeguards, BAAs, and compliance documentation for dental practices across the country.

Schedule a Fit Call →

What Counts as PHI in a Dental Practice

Dental files are among the most PHI-rich environments in healthcare. The following all qualify as PHI when connected to an identifiable patient.

Patient demographics

Names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, and insurance ID numbers. These are the identifiers most people think of first, and they are present in virtually every system a dental practice uses.

Clinical and treatment information

Treatment plans, clinical notes, diagnoses, procedure records, X-rays, photographs, and health histories. This includes images stored in your imaging software, notes entered in your practice management system, and any paper records in patient files.

Insurance and billing information

Insurance plan details, claim submissions, payment records, and Explanations of Benefits. Any information that connects a patient to a financial transaction related to their care is PHI.

Electronic PHI

When PHI is stored or transmitted electronically, it becomes ePHI. This includes records in your practice management software, images in your imaging platform, emails containing patient information, and data stored in cloud backup systems. The HIPAA Security Rule governs ePHI specifically and requires additional technical safeguards.

What Your Practice Must Do to Protect PHI

Implement the three safeguard categories

The HIPAA Security Rule requires three categories of safeguards for ePHI, and the Privacy Rule requires reasonable safeguards for PHI in every other form. Administrative safeguards include your policies and procedures, staff training, and a documented risk analysis. Physical safeguards cover workstation access controls, screen privacy, and secure disposal of devices and media. Technical safeguards cover access control (a unique user ID for every person, automatic logoff, and encryption of stored data), audit logging, integrity controls, person or entity authentication, and transmission security. The rule is written to be technology-neutral, so it does not name specific products, and encryption and automatic logoff are "addressable" rather than "required" specifications; in practice, though, an unencrypted drive or a workstation that never locks is very hard to justify in a risk analysis. Multi-Factor Authentication is not spelled out in the current rule text, but it is the accepted way to meet the authentication standard for any system that reaches ePHI, and it is what OCR expects to see.

Limit access to the minimum necessary

Staff should only have access to the PHI they need to do their job. A front desk coordinator does not need access to detailed clinical notes. An IT provider does not need to read patient records to maintain your server. Limiting access reduces the risk of accidental or unauthorized disclosure.

Sign Business Associate Agreements with every vendor

Any vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate and must sign a Business Associate Agreement before it touches your data. This includes your IT provider, your billing service, your cloud backup provider, your imaging software company, and your practice management software vendor. Without a signed BAA, that vendor relationship is a compliance gap, and any breach on the vendor's side is still your breach to report.

Train your staff

HIPAA requires documented staff training on PHI handling. Every team member, from the front desk to clinical staff, needs to understand what PHI is, how to handle it correctly, and what to do if they suspect it has been disclosed inappropriately. Training must be documented and repeated when policies change or when new staff join.

Common Violations

Four common PHI exposure points in a dental office

1. Unencrypted email. Sending patient records from a consumer Gmail or Outlook.com account is a violation: no BAA covers the mailbox and nothing guarantees encryption in transit. The business editions of these services can be used only under a signed BAA with encryption and access controls turned on.

2. Shared passwords. Multiple staff on one login breaks HIPAA's unique user identification requirement and makes the audit log useless, because no action can be tied to a person.

3. Unattended screens. With no auto-lock policy, an open chart is visible to anyone walking through the office, patients included.

4. Missing BAAs. Any vendor with access to PHI and no signed BAA is a compliance gap in its own right, whether or not a breach ever occurs.
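The safeguards above and the first three exposure points come down to a handful of checkable settings on each workstation. The following PowerShell script is an added example, not a tool from Ekim IT Solutions or from HHS; it audits one Windows workstation for full-disk encryption, an automatic screen lock, local accounts that may be shared, and logon auditing. The 15-minute lock threshold is an assumption for illustration, not a number HIPAA prescribes. Run it in an elevated PowerShell session on a machine that opens the practice management or imaging software.

```powershell
# Workstation safeguard check (added example; not Ekim's or HHS's tooling).
# Run as Administrator on a Windows 10/11 Pro workstation that reaches ePHI.
# Requires the BitLocker module that ships with Windows Pro/Enterprise.

$MaxLockSeconds = 900   # assumption: lock the screen after 15 minutes idle
$findings = @()

# 1. Encryption at rest: BitLocker must be protecting the OS volume.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.ProtectionStatus -ne 'On') {
    $findings += "OS volume $($env:SystemDrive) is not BitLocker-protected (ProtectionStatus=$($os.ProtectionStatus))"
}

# 2. Automatic lock: accept either the machine-wide inactivity policy
#    or a password-protected screensaver for the current user.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty $policyKey -ErrorAction SilentlyContinue
$inactivity = $policy.InactivityTimeoutSecs
if (-not $inactivity -or $inactivity -gt $MaxLockSeconds) {
    $desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $screensaverOk = ($desk.ScreenSaveActive -eq '1') -and
                     ($desk.ScreenSaverIsSecure -eq '1') -and
                     ([int]$desk.ScreenSaveTimeOut -le $MaxLockSeconds)
    if (-not $screensaverOk) {
        $findings += "No automatic lock within $MaxLockSeconds s (InactivityTimeoutSecs=$inactivity; " +
                     "screensaver active=$($desk.ScreenSaveActive), secure=$($desk.ScreenSaverIsSecure), " +
                     "timeout=$($desk.ScreenSaveTimeOut))"
    }
}

# 3. Unique user identification: every enabled local account should belong
#    to one named person. Non-expiring passwords are the usual sign of a
#    shared "front desk" style login, so list them for review.
Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
    if ($_.PasswordNeverExpires) {
        $findings += "Local account '$($_.Name)' is enabled with a non-expiring password; confirm it is not shared"
    }
}

# 4. Audit logging: logon events must be recorded so access can be traced.
#    auditpol prints English-locale text; this check assumes that locale.
$audit = auditpol /get /subcategory:"Logon" 2>$null
if (-not ($audit -match 'Success')) {
    $findings += "Logon auditing is not enabled (see: auditpol /get /subcategory:Logon)"
}

# Report. Keep the output with your risk analysis documentation.
if ($findings.Count -eq 0) {
    Write-Output "PASS: all checked technical safeguards are in place on $env:COMPUTERNAME"
} else {
    Write-Output "FAIL: $($findings.Count) finding(s) on $env:COMPUTERNAME"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

A passing result here does not make the practice compliant; it only shows that this one machine has the controls the page lists. Missing BAAs, the fourth exposure point, are a paperwork check that no script can perform.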

Frequently Asked Questions

Is a patient's name by itself PHI?

A name alone is not PHI. But a name combined with any health information, including the fact that someone is a patient at your practice, is PHI. This is why appointment reminder calls, recall postcards, and even waiting room sign-in sheets require careful handling.

Are dental X-rays and other images PHI?

Yes. Imaging data is PHI because it is health information connected to an identifiable patient. This means your imaging software, your image backup, and any process that transfers images between systems must meet HIPAA requirements.

What is the difference between PHI and ePHI?

PHI includes all formats: paper records, verbal communications, and electronic data. ePHI is the subset of PHI that is stored or transmitted electronically. The HIPAA Security Rule applies specifically to ePHI and requires technical safeguards that go beyond what is required for paper records.

Does Ekim IT Solutions help dental practices protect PHI?

Yes. Ekim IT Solutions implements the technical safeguards HIPAA requires for ePHI across all the systems dental practices use. We serve practices across all 50 states remotely and provide on-site support in New England and New York. We also provide signed Business Associate Agreements as a standard part of every client relationship.
Not confident your practice knows where all its PHI lives and who can access it?

Ekim IT Solutions works exclusively with dental practices. We serve New England and New York with on-site support and dental practices nationwide with remote support. We help dental practices identify where PHI is stored, transmitted, and accessed across their systems and put the right technical controls in place to keep it protected.

PHI you cannot locate is PHI you cannot protect. Find out if your practice has any blind spots.
Check your PHI protection →