What Is PHI (Protected Health Information) and Why Should MSPs Care?

Understanding the regulations and requirements around Protected Health Information (PHI) is not only crucial for healthcare organizations, but also for the managed service providers (MSPs) who work with these types of clients. This post explores the Health Insurance Portability and Accountability Act (HIPAA) regulations around PHI and explains the important role MSPs play in ensuring compliance.

What is Protected Health Information (PHI)?

Protected health information, or PHI, refers to HIPAA-protected health information. Under the General HIPAA Provisions, PHI is defined as “individually identifiable health information… that is transmitted or maintained in any form or medium.”

Any information generated, utilized, or shared during routine care, diagnosis, treatment, or the billing process may be considered PHI if it can be linked to an individual.

Examples of so-called direct identifiers include:

  • Name
  • Address
  • Telephone number
  • Email address
  • Social Security number
  • Driver's license number
  • Medical record number
  • Faceprints
  • Fingerprints

There are also indirect identifiers that can be combined with other information to identify someone, such as:

  • Medical history
  • Diagnoses
  • Treatment details
  • Prescription information
  • Test results
  • Insurance information
  • Genetic information
  • Biometric data

Electronic protected health information (ePHI), includes all of the above, but specifically PHI that is created, stored, transmitted, or received electronically. PHI and ePHI are governed by separate guidelines under HIPAA.

Who Needs to Manage Personal Health Information and Follow HIPAA Regulations?

HIPAA guidelines apply to so-called covered entities (CEs); in other words, different types of health plans, healthcare clearinghouses, and qualifying healthcare providers. But it also applies to Business Associates (BAs), which are third-party service providers to CEs. This is because HIPAA regulations cover the storage of both physical and digital data. Meaning that, if you’re an MSP that stores the data of a CE, you’re required to follow HIPAA regulations, even if you rarely, randomly, or never access or view the data that you’re storing.

HIPAA Regulations & Requirements for PHI

The HIPAA Privacy Rule sets the guidelines for how healthcare organizations must protect and safeguard PHI. The Rule outlines strict measures to ensure the confidentiality, integrity, availability, and security of PHI is maintained while being stored or processed. The Privacy Rule generally affects covered entities, like doctors' offices and their staff.

The HIPAA Security Rule, in contrast, “establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity.” To ensure this rule is maintained, MSPs have a central role to play.  With a HIPAA security assessment checklist, Compliance Scorecard helps MSPs conduct security risk assessments (SRAs) and provides the policies and procedures needed to comply with the rule.

Covered entities must adhere to a range of complex administrative, physical, and technical procedures, of which the following are just a few:

Limiting Use and Disclosure

A covered entity must develop and implement policies that reasonably limit use and disclosure of PHI according to the minimum necessary principle. This includes limiting use policies, which state CEs must create and enforce policies limiting workforce access to protected health information. It also includes creating policies and procedures around disclosures and requests for disclosures.

Privacy Policies and Practices

Covered entities must develop and implement written privacy policies and procedures consistent with the Privacy Rule. The Rule requires that CEs provide privacy notices detailing their privacy practices, for example. This notice should cover information use and disclosure, individual rights, and contact information for complaints.

Workforce Training

Covered entities must train all workforce members on their privacy policies and procedures. This includes employees, volunteers, trainees, and any individual whose work is under the direct control of the entity, regardless of whether the entity pays them. Covered entities must also include appropriate sanctions for violations of privacy policies and procedures.

Data Safeguards

Covered entities must maintain reasonable safeguards to prevent unauthorized use or disclosure of PHI, including measures like document shredding, secure record storage using locks and passcodes, and restricted access to locks and passcodes. Where ePHI is concerned, this might involve encryptions, firewalls, antivirus software, intrusion detection systems, and regular backups.

How MSPs Can Help Manage PHI and HIPAA

MSPs can serve as valuable allies for covered entities working to fulfill HIPAA requirements. Leveraging their expertise in encryption, data security, and secure cloud solutions minimizes any risks to the confidentiality of patient data.

Email Encryption

Given that email is a key communication tool in the healthcare sector, MSPs can implement and oversee encryption solutions to safeguard PHI that’s shared via this platform. This includes both setting up and monitoring encryption mechanisms to maintain the confidentiality of PHI during transmission.

Data Security

HIPAA regulations require stringent data security measures to safeguard PHI when it is being processed or stored. MSPs aid healthcare organizations in adopting and sustaining data security measures, including access controls, data encryption, as well as intrusion detection systems.

Secure Cloud Solutions

Numerous healthcare entities leverage cloud solutions for patient data storage and management, yet this brings added security challenges and compliance obligations. MSPs specialize in delivering secure hosting and cloud solutions that align with HIPAA standards.

Compliance Scorecard Services for Managing PHI and Meeting HIPAA Requirements

Any MSP can encrypt emails, manage data security systems, and implement secure cloud solutions for their HIPAA-regulated clients, but CaaS (Compliance as a Service) for MSPs enables you to take your business to a whole new level. Armed with Compliance Scorecard, you can offer all the above, plus MSP compliance services.

Let’s break down how our first-of-its-kind Governance as a Service (GaaS) platform helps your MSP do exactly that.

Policy Development

As you may have noticed, a large part of HIPAA compliance involves the creation of policies and procedures. One of the main features of Compliance Scorecard is that it helps you easily create, authorize, and manage policies. In fact, it even includes a policy pack for HIPAA regulations. The policy pack provides templates for different required policies, as well as a checklist that clarifies what you’re missing.


Covered entities must provide workforce training regarding their policies to anybody who may need to access PHI. Employees, volunteers, and contractors need to know the policies and what the consequences for violating them are. Compliance Scorecard helps foster a culture of compliance across an organization, with functions for gaining signatures, creating awareness, and integrating policies into daily operations.


Regular assessment is key to ensuring that policies and procedures are up-to-date and aligned with any changes in regulations, and it’s built into Compliance Scorecard. The platform simplifies the evaluation and monitoring process and notifies you when it’s time for a review. Covered entities are required to do an annual security risk assessment. Our SRA Compliance Scorecard can help facilitate that with checklists and a streamlined process for conducting these assessments at scale.

Get Your Own House in Order

In 2013, the Final Omnibus Rule made it mandatory for BAs and subcontractors to comply with HIPAA rules and regulations. As a result of this modification, MSPs can now be found liable for a breach of PHI and fined directly if they violate the rules. Compliance Scorecard not only helps you sell CaaS to your HIPAA-regulated clients, but it also empowers you to get your own house in order.

A key component of HIPAA compliance is a Business Associate Agreement (BAA). This contract between a HIPAA-covered entity and a vendor or service provider (like an MSP) that has access to protected health information (PHI) outlines the responsibilities for safeguarding PHI.

For MSPs, it legally binds them to adhere to HIPAA standards for the protection and confidentiality of PHI, mitigating legal risks and reinforcing trust with healthcare clients who are obligated to ensure their vendors comply with HIPAA. (If you need a BAA, Compliance Scorecard can help. We now offer a business associate agreement as a downloadable resource.)

Learn More About MSP Compliance Services for Your HIPAA Clients

Violations involving PHI can lead to large fines and reputation damage for your HIPAA-regulated clients. As an MSP, it’s your responsibility to ensure that PHI is protected, managed, and monitored according to the strict guidelines of the Privacy Rule, but it’s equally important that you follow those guidelines yourself.

Compliance Scorecard allows you to take your services one step further, by enabling you to be the compliance authority for your clients. With the ability to develop, authorize, implement, and assess policies with ease, your clients will see you as an even more valuable ally.

Try Compliance Scorecard for Yourself

Want to learn more about MSP Compliance Services? Download our policy procedure playbook or contact us to learn how to offer PHI Security and HIPAA management to your clients. You can also see Compliance Scorecard in action by booking a demo today.

BAA Download


Are you doing compliance work for your clients?(Required)

This field is for validation purposes and should be left unchanged.

Read more

What Do Contracts and Compliance Have in Common? Process!

FTC Safeguards Rule: What MSPs Need to Know

Acceptable Use Policy for AI Tools: Download Now


Posted in