Protected Health Information (PHI) under HIPAA is any health information that can be linked to a specific individual. It includes health status, healthcare services received, and payment for healthcare, together with identifiers such as names, birth dates, addresses, Social Security numbers, medical record numbers, and many others. The HIPAA Privacy Rule defines 18 specific PHI identifiers.
For customer portals, PHI handling triggers significant compliance requirements: encryption, access controls, audit logging, identity verification, business associate agreements (BAAs) with vendors, breach notification capabilities, and patient rights to access and correct their own PHI. Improperly handled PHI is the most common cause of HIPAA violations.