Protected Health Information (PHI)
Dental RCM Glossary
Any individually identifiable health information created, received, maintained, or transmitted by a HIPAA-covered entity or its business associate.
Protected Health Information includes any health-related data that can be linked to a specific individual and is held or transmitted by a covered entity or its business associate. In dental practices, PHI includes patient names, addresses, dates of birth, Social Security numbers, insurance member IDs, treatment records, radiographic images, periodontal charting, billing records, appointment schedules, and any communication that references a patient's health status or treatment. PHI exists in three forms: electronic (known as ePHI), paper, and oral. Each form requires appropriate safeguards under the Health Insurance Portability and Accountability Act.
HIPAA establishes specific requirements for how dental practices must protect PHI across all three forms. Electronic PHI requires technical safeguards including encryption at rest and in transit, access controls that limit data visibility to authorized personnel, unique user identification for system access, automatic session timeouts, and audit logging that tracks who accessed which records and when. Paper PHI must be stored in secured locations with controlled access, and disposal must use methods such as cross-cut shredding that render the information unrecoverable. Oral PHI protections include reasonable measures to prevent unauthorized individuals from overhearing patient discussions, such as sound barriers at front desk areas and private spaces for financial conversations.
In revenue cycle management, PHI flows through nearly every step of the billing process. Eligibility verification transmits patient identifiers and plan details to payer systems. Claim submission includes diagnostic information, treatment codes, and provider-patient relationships. Payment posting and denial management involve accessing and updating patient financial records. Every vendor, platform, and communication channel involved in these workflows must comply with HIPAA safeguards and operate under a signed business associate agreement. Billing managers should conduct periodic risk assessments of their RCM data flows to identify any points where PHI may be exposed, inadequately encrypted, or accessible to unauthorized users, and should remediate gaps before they result in a reportable breach.
Why It Matters for Dental Practices
Every piece of patient data flowing through revenue cycle workflows qualifies as PHI. Dental practices must ensure that all systems handling eligibility data, claims, and billing records implement encryption, access controls, and audit logging to meet HIPAA requirements.
Example
A billing team emails a patient's insurance ID, date of birth, and treatment history to a collections agency without encryption. This unprotected transmission of PHI constitutes a HIPAA violation, potentially triggering breach notification requirements and fines starting at $100 per incident.

