
What counts as Protected Health Information

Module 02 · 5 min

Protected Health Information (PHI) is, in plain language, any health‑related information that can be tied to an identifiable individual, including payment and demographic data handled alongside care. The classic eighteen identifiers — names, geographic subdivisions smaller than a state, dates more precise than a year, phone numbers, email addresses, medical record numbers, account numbers, biometric data, and so on — are the ones HIPAA enumerates in its Safe Harbor de‑identification standard, and they are a good checklist for spotting PHI. In CareHub day‑to‑day, the categories that come up most often are:

  • Demographic and contact data captured at intake (name, DOB, address, phone, email, employer).
  • Encounter content — intake summaries, PR‑2 and PR‑4 reports, chart notes, session notes, RFAs, UR responses.
  • Assessment results — PHQ‑9 and GAD‑7 scores, functional measures, anything completed inside the portal.
  • Distribution records — who a document was served to and when. The fact that a document was sent to a specific attorney can itself be PHI.
  • Communications — emails, portal messages, scheduling artifacts that reference a specific case.

A useful rule of thumb: if information is about a CareHub member, or about the care they're receiving, or about the people receiving copies of their records, treat it as PHI. The threshold for protection is lower than people expect — it does not require a diagnosis or a clinical detail to qualify. A statement that "Marcus Johnson is a CareHub member" is itself PHI.

Information stops being PHI only after it has been de‑identified under the Safe Harbor or Expert Determination methods. Removing a diagnosis, or swapping a name for initials, does not de‑identify a record: the remaining identifiers (dates, ZIP codes, record numbers, who was served) still tie it to a person. De‑identification is a deliberate process — not a casual one — and is handled by the compliance team, not by individual workforce members.
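To make concrete what "de‑identified under Safe Harbor" actually requires, here is an added illustrative pass over a constructed CareHub‑style record. It is example code written for this module, not CareHub's tooling and not a substitute for the compliance team's process; the field names, the sample record and the small‑population ZIP prefix set are assumptions. It shows the rules people tend to forget: dates collapse to the year, ages over 89 lose even the birth year and become a single "90+" bucket, ZIP codes keep at most three digits, and distribution fields such as who a document was served to are stripped along with the obvious name and contact fields.

```python
"""Illustrative Safe Harbor de-identification over a constructed record.

Added example for the training module; not CareHub code. Field names
and the SMALL_POPULATION_ZIP3 set are assumptions made for illustration.
"""
import re
from datetime import date

# Fields that Safe Harbor requires to be removed outright. Assumed names;
# note that the distribution record ("served_to") is included, because the
# recipient of a member's document is itself an identifier.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "phone", "email", "employer", "mrn",
    "account_number", "ssn", "served_to",
}

# Any age above this must be aggregated into a single "90 or older" bucket,
# and the birth year must be dropped for such individuals.
AGE_CAP = 89

# A three-digit ZIP prefix may be kept only if the area it covers holds more
# than 20,000 people; otherwise it becomes 000. This set is a constructed
# placeholder, not the real Census-derived list.
SMALL_POPULATION_ZIP3 = {"036", "059", "102", "203", "205"}

ISO_DATE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def generalize_dates(text: str) -> str:
    """Reduce every ISO date embedded in free text to its year only."""
    return ISO_DATE.sub(lambda m: m.group(1), text)


def generalize_zip(zip_code: str) -> str:
    """Keep the three-digit ZIP prefix, or 000 for small-population areas."""
    prefix = zip_code[:3]
    return "000" if prefix in SMALL_POPULATION_ZIP3 else prefix


def deidentify(record: dict, as_of: str) -> dict:
    """Apply the Safe Harbor rules to one flat record.

    as_of is an ISO date string used to compute age for the over-89 rule.
    Fields not explicitly handled are kept, with any embedded dates
    generalized; unknown identifier fields would therefore leak, which is
    why de-identification is a reviewed process and not a one-off script.
    """
    reference = date.fromisoformat(as_of)
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field == "dob":
            dob = date.fromisoformat(value)
            if age_on(dob, reference) > AGE_CAP:
                out["age_bucket"] = "90+"     # year dropped as well
            else:
                out["birth_year"] = dob.year
            continue
        if field == "zip":
            out[field] = generalize_zip(value)
            continue
        out[field] = generalize_dates(value) if isinstance(value, str) else value
    return out


# Constructed sample record; every value is made up for this example.
SAMPLE_RECORD = {
    "name": "Marcus Johnson",
    "dob": "1931-03-14",
    "zip": "90210",
    "phone": "555-0100",
    "served_to": "Attorney of record",
    "phq9": 12,
    "note": "Seen 2024-02-07; PR-2 served 2024-02-09.",
}


def deidentify_sample() -> dict:
    """Run the pass over the constructed record as of a fixed date."""
    return deidentify(SAMPLE_RECORD, "2024-06-01")


if __name__ == "__main__":
    print(deidentify_sample())
```

Run as a script it prints the reduced record: no name, phone or recipient, the 1931 birth date replaced by the "90+" bucket, the ZIP cut to 902, and both dates in the note reduced to 2024. The PHQ‑9 score survives because a score alone, with the identifiers gone, no longer points at a person.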