Protected Health Information (PHI)
Health information covered by HIPAA: individually identifiable health information that a covered entity or its business associate creates, receives, stores or transmits, in any medium (electronic, paper, oral). The 18 HIPAA identifiers, the list used for Safe Harbor de-identification, include names, dates other than year, contact details, SSNs, medical record numbers, biometric identifiers and full-face photographs. ePHI is PHI stored or transmitted electronically; it is the subset the HIPAA Security Rule's administrative, physical and technical safeguards apply to.
More from Data Protection
Personally Identifiable Information (PII)
Information that identifies a specific individual either directly or when combined with other data. Privacy laws define the term differently: GDPR uses "personal data", covering any information relating to an identifiable person, while CCPA uses "personal information", defined through an enumerated list of categories. Sensitive PII subsets such as Social Security numbers, financial account numbers, biometrics and precise geolocation carry higher breach impact and warrant stricter handling (encryption, access logging, minimization) than general PII.
Controlled Unclassified Information (CUI)
Government-designated sensitive information that is not classified but still requires safeguarding under federal rules. For DoD contractors, CMMC 2.0 Level 2 requires the NIST SP 800-171 controls on every system that stores, processes or transmits CUI. Under DFARS 252.204-7012, cloud services used for CUI must meet the FedRAMP Moderate baseline or equivalent, which is why such workloads typically land in AWS GovCloud or Microsoft 365 GCC High rather than commercial regions.
Data Loss Prevention (DLP)
Controls and tools that detect and block unauthorized movement of sensitive data. Endpoint DLP monitors file operations, clipboard and removable media; network DLP inspects egress traffic at proxies and mail gateways; cloud DLP (built into Microsoft Purview, Google Cloud DLP and similar) monitors SaaS and object storage. Matching is mostly pattern-based (regexes, checksums such as Luhn, document fingerprints), so effectiveness depends on accurate data classification and on tuning out false positives; data that is encrypted, compressed or encoded before it leaves is largely invisible to content inspection.
Tokenization
Replacing sensitive data (credit card numbers, SSNs) with non-sensitive substitutes (tokens) that map back to the original value only through the tokenization service and its vault. Tokens must be random or otherwise underivable from the original; a plain hash of a card number is not a token, because the PAN space is small enough to brute-force. Widely used in payment processing for PCI DSS scope reduction: systems that only store tokens and cannot detokenize fall outside cardholder-data scope, while the vault and any component able to call it remain in scope.
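An added example, not code from this page or any vendor product, that ties the DLP and tokenization entries together: a pattern-plus-Luhn detector of the kind a content-inspection DLP rule implements, and a toy in-memory token vault that replaces detected card numbers with format-preserving tokens. The vault, the role string used to gate detokenization, and the sample text (built from standard test PANs) are all constructed for illustration.

```python
import re
import secrets

# ---- DLP side: find card numbers in text, using Luhn to cut false positives ----

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text (separators stripped).

    Digit runs that fail Luhn (order numbers, timestamps) are dropped; this is
    the validation step that separates a usable DLP rule from a noisy one."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


# ---- Tokenization side: a stand-in for the tokenization service ----

class TokenVault:
    """In-memory stand-in for a tokenization service (constructed for this example).

    In production the vault is the PCI-scoped system: the mapping is encrypted
    at rest and detokenize() sits behind strong authentication and audit logging."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:   # same PAN -> same token, so downstream joins still work
            return self._pan_to_token[pan]
        while True:
            # Format-preserving: keep the last four for receipts and support,
            # draw the rest from a CSPRNG so the token carries no information about the PAN.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Deliberately emit tokens that FAIL Luhn, so scanners (and people)
            # cannot mistake them for live card numbers. Also avoid collisions.
            if not luhn_valid(token) and token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the payment path may recover the PAN; 'caller_role' is an assumed access-control hook."""
        if caller_role != "payment-processor":
            raise PermissionError("detokenization is restricted to the payment path")
        return self._token_to_pan[token]


def tokenize_text(text: str, vault: TokenVault) -> str:
    """What a tokenizing gateway does on ingest: swap every Luhn-valid PAN for its token."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return vault.tokenize(digits)
        return m.group()
    return PAN_RE.sub(repl, text)


if __name__ == "__main__":
    # Constructed sample: one real-format test PAN, one 14-digit order id that is not a card.
    sample = "paid with 4111 1111 1111 1111, order 20240115123456"
    print("detected:", find_pans(sample))           # only the Luhn-valid number
    vault = TokenVault()
    safe = tokenize_text(sample, vault)
    print("tokenized:", safe)
    print("rescan:", find_pans(safe))                # [] : tokens do not trigger the rule
```

The rescan result is the practical link between the two entries: once a tokenizing gateway has run, the same DLP rule no longer fires on the stored records, which is the observable side of the PCI scope reduction. Note that `detokenize` is the only path back to the PAN and is the part that stays in scope.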
Apply this to your environment
Our engagements address concepts like Protected Health Information (PHI) in practice — not just definitions, but how the attack patterns apply to your stack and how to remediate.
