
What Is PHI and How Must Dental Practices Protect It

[Featured image: the letters PHI over a caduceus symbol on an orange background]

Every dental practice handles protected health information every single day. It is in your patient charts, your appointment schedules, your insurance claims, and your X-ray files. Most dental teams know they need to protect it. Fewer can define exactly what it is.

Understanding what counts as PHI is the starting point for HIPAA compliance. You cannot protect information you have not identified. Here is what PHI actually is, what it includes in a dental setting, and what your practice is required to do about it.

[Callout: PHI includes 18 specific identifiers defined by HHS, including patient names, dates of birth, and phone numbers. A patient's name combined with any health information is enough to constitute PHI, so nearly every file in a dental practice qualifies.]

What PHI Means

Protected health information, or PHI, is any individually identifiable health information held or transmitted by a covered entity or its business associates. The HIPAA Privacy Rule defines it as information that relates to a patient’s past, present, or future physical or mental health condition, the provision of healthcare to that individual, or payment for that healthcare, and that identifies the individual or could reasonably be used to identify them.

In simpler terms: if the information connects a person to their health data, it is PHI. And in a dental office, that connection happens constantly.

What Counts as PHI in a Dental Practice

Dental files are among the most PHI-rich environments in healthcare. The following all qualify as PHI when connected to an identifiable patient.

Patient demographics

Names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, and insurance ID numbers. These are the identifiers most people think of first, and they are present in virtually every system a dental practice uses.

Clinical and treatment information

Treatment plans, clinical notes, diagnoses, procedure records, X-rays, photographs, and health histories. This includes images stored in your imaging software, notes entered in your practice management system, and any paper records in patient files.

Insurance and billing information

Insurance plan details, claim submissions, payment records, and Explanations of Benefits. Any information that connects a patient to a financial transaction related to their care is PHI.

Electronic PHI

When PHI is stored or transmitted electronically, it becomes ePHI. This includes records in your practice management software, images in your imaging platform, emails containing patient information, and data stored in cloud backup systems. The HIPAA Security Rule governs ePHI specifically and requires additional technical safeguards.

What Your Practice Must Do to Protect PHI

Implement the three safeguard categories

HIPAA requires three categories of safeguards for PHI. Administrative safeguards include your policies and procedures, staff training, and risk assessment documentation. Physical safeguards cover workstation access controls, screen privacy, and device disposal. Technical safeguards include encryption, unique user logins, automatic screen lock, audit logging, and Multi-Factor Authentication for any system that accesses ePHI.

Limit access to the minimum necessary

Staff should only have access to the PHI they need to do their job. A front desk coordinator does not need access to detailed clinical notes. An IT provider does not need to read patient records to maintain your server. Limiting access reduces the risk of accidental or unauthorized disclosure.
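As an added illustration of the two safeguards above, unique user logins with audit logging and minimum-necessary access by role, here is a small role-based access check. This is example code written for this post, not Ekim's software or any practice management system's API; the roles, PHI categories, user IDs and patient ID are constructed for the illustration, and a real practice would set the role-to-category mapping per job function.

```python
"""Added example (not Ekim's code): a 'minimum necessary' access check for
dental PHI by role, with an audit log entry for every allowed and denied
access. Roles, categories and identities below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# PHI categories described in the post (constructed labels)
DEMOGRAPHICS = "demographics"
CLINICAL = "clinical"
BILLING = "billing"

# Assumed minimum-necessary policy: each role sees only what its job needs.
ROLE_PERMISSIONS = {
    "front_desk": {DEMOGRAPHICS},
    "billing": {DEMOGRAPHICS, BILLING},
    "dentist": {DEMOGRAPHICS, CLINICAL, BILLING},
    "hygienist": {DEMOGRAPHICS, CLINICAL},
    "it_admin": set(),  # maintains systems, reads no patient records
}


@dataclass
class User:
    user_id: str  # unique per person, never a shared login
    role: str


@dataclass
class AuditEntry:
    timestamp: str
    user_id: str
    patient_id: str
    category: str
    allowed: bool


@dataclass
class AccessControl:
    audit_log: list = field(default_factory=list)

    def authorize(self, user: User, patient_id: str, category: str) -> bool:
        """Return True if the user's role may read this PHI category.
        Every attempt, allowed or denied, is written to the audit log."""
        permitted = ROLE_PERMISSIONS.get(user.role, set())  # unknown role: nothing
        allowed = category in permitted
        self.audit_log.append(AuditEntry(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user_id=user.user_id,
            patient_id=patient_id,
            category=category,
            allowed=allowed,
        ))
        return allowed

    def denied_attempts(self) -> list:
        """Denied accesses are what a periodic audit review should look at."""
        return [e for e in self.audit_log if not e.allowed]


def demo():
    """Constructed scenario: three staff members touch one patient record."""
    ac = AccessControl()
    front_desk = User("u-1001", "front_desk")
    it_admin = User("u-2001", "it_admin")
    dentist = User("u-3001", "dentist")
    results = {
        "front_desk_demographics": ac.authorize(front_desk, "p-555", DEMOGRAPHICS),
        "front_desk_clinical": ac.authorize(front_desk, "p-555", CLINICAL),
        "it_admin_clinical": ac.authorize(it_admin, "p-555", CLINICAL),
        "dentist_clinical": ac.authorize(dentist, "p-555", CLINICAL),
    }
    return ac, results


if __name__ == "__main__":
    ac, results = demo()
    for name, ok in results.items():
        print(f"{name}: {'allowed' if ok else 'DENIED'}")
    print(f"{len(ac.denied_attempts())} denied attempt(s) in the audit log")
```

The point of the design is that the decision and the record are made in the same place: the front desk coordinator is denied clinical notes, the IT administrator is denied patient records entirely, and each of those denials is attributable to a single named user ID because nobody shares a login.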

Sign Business Associate Agreements with every vendor

Any vendor who could potentially access your PHI must sign a Business Associate Agreement. This includes your IT provider, your billing service, your cloud backup provider, your imaging software company, and your practice management software vendor. Without a signed BAA, that vendor relationship is a compliance gap.

Train your staff

HIPAA requires documented staff training on PHI handling. Every team member, from the front desk to clinical staff, needs to understand what PHI is, how to handle it correctly, and what to do if they suspect it has been disclosed inappropriately. Training must be documented and repeated when policies change or when new staff join.

[Callout: four common PHI exposure points in a dental office: unencrypted email through standard Gmail or Outlook; shared passwords, which break HIPAA's unique user identification requirement; unattended screens without an auto-lock policy; and missing Business Associate Agreements with vendors who have data access.]

Frequently Asked Questions

Does a patient’s name alone count as PHI?

A name alone is not PHI. But a name combined with any health information, including the fact that someone is a patient at your practice, is PHI. This is why appointment reminder calls, recall postcards, and even waiting room sign-in sheets require careful handling.

Are X-rays and clinical photos considered PHI?

Yes. Imaging data is PHI because it is health information connected to an identifiable patient. This means your imaging software, your image backup, and any process that transfers images between systems must meet HIPAA requirements.

What is the difference between PHI and ePHI?

PHI includes all formats: paper records, verbal communications, and electronic data. ePHI is the subset of PHI that is stored or transmitted electronically. The HIPAA Security Rule applies specifically to ePHI and requires technical safeguards that go beyond what is required for paper records.

Does Ekim help dental practices protect PHI?

Yes. Ekim IT Solutions implements the technical safeguards HIPAA requires for ePHI across all the systems dental practices use. We serve practices across all 50 states remotely and provide on-site support in New England and New York. We also provide signed Business Associate Agreements as a standard part of every client relationship.

Need help identifying and protecting PHI in your practice?

Ekim IT Solutions works exclusively with dental practices. We serve New England and New York with on-site support and dental practices nationwide with remote support. Security, compliance, and everything in between so you can focus on patients.

Schedule a Fit Call: Find out in 15 minutes if we are the right fit for your practice.

Ezra Angelo