Plain English Explanation
Protected Health Information (PHI) is a term defined by the Health Insurance Portability and Accountability Act (HIPAA) that refers to any individually identifiable health information held or transmitted by a covered entity or its business associates. In an NDA context, a PHI definition clause establishes what health-related data falls under additional federal protections beyond standard confidentiality obligations.
This clause is critical because improper disclosure of PHI carries severe legal penalties. Unlike ordinary confidential business information, PHI violations can draw civil money penalties of up to $1.5 million per violation category per calendar year (a statutory cap that HHS adjusts annually for inflation), and knowing violations can bring criminal penalties, including imprisonment. Your NDA must clearly define what constitutes PHI so that both parties know which information requires the enhanced handling and compliance measures.
PHI includes health information that:
- Identifies an individual. This includes names, addresses, Social Security numbers, medical record numbers, and any other identifiers that can link health data to a specific person.
- Relates to health condition, treatment, or payment. Information about past, present, or future physical or mental health, healthcare services, or payment for those services.
- Is transmitted or maintained in any form. Electronic, paper, or oral communications are all covered under HIPAA regulations.
Why This Clause Matters
For the Disclosing Party (Healthcare Entity): A comprehensive PHI definition ensures all patient data receives proper protection under the NDA. You need clear language that aligns with HIPAA definitions while also covering state-specific health privacy laws that may have broader protections.
For the Receiving Party (Business Associate): Understanding exactly what constitutes PHI determines your compliance obligations. A clear definition helps you implement appropriate safeguards, train staff properly, and avoid inadvertent violations that could expose you to significant liability.
For Regulatory Compliance: HIPAA requires a covered entity to have a business associate agreement (45 C.F.R. Section 164.504(e)) in place before a business associate may create, receive, maintain, or transmit PHI on its behalf. A PHI definition in an NDA does not replace that agreement, but a well-drafted definition that tracks the regulatory terms demonstrates regulatory awareness and can serve as evidence of good faith compliance efforts during audits or investigations.
Clause Versions
"Protected Health Information" or "PHI" means any information, including demographic information, whether oral, written, or electronic, that: (a) is created, received, maintained, or transmitted by a Covered Entity or Business Associate; (b) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (c) identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. PHI includes, without limitation: (i) patient names, addresses, telephone numbers, email addresses, and Social Security numbers; (ii) medical record numbers, health plan beneficiary numbers, and account numbers; (iii) dates directly related to an individual (birth date, admission date, discharge date, date of death); (iv) diagnosis codes, treatment records, and clinical notes; (v) insurance information and billing records; and (vi) any other information defined as PHI under 45 C.F.R. Section 160.103. PHI does not include de-identified information that meets the requirements of 45 C.F.R. Section 164.514(a)-(c), or information contained in education records covered by the Family Educational Rights and Privacy Act (FERPA).
"Protected Health Information" or "PHI" means, to the fullest extent permitted by applicable law:
(a) all information defined as "protected health information" under 45 C.F.R. Section 160.103 and the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act);
(b) all information defined as protected health information, medical information, or personal health information under any applicable state privacy law, including but not limited to the California Confidentiality of Medical Information Act (CMIA), Texas Medical Records Privacy Act, and similar state statutes;
(c) all individually identifiable health information in any form or medium, including:
(i) any information that identifies or could reasonably be used to identify a patient or health plan member;
(ii) genetic information, biometric data, and genomic sequencing data;
(iii) mental health and substance abuse treatment records;
(iv) HIV/AIDS status and testing information;
(v) reproductive health information;
(vi) pharmacy records and prescription information;
(vii) information from wearable devices, health applications, and patient portals; and
(viii) any metadata or derived data that could be used to re-identify individuals;
(d) the fact that an individual is or has been a patient of the Disclosing Party;
(e) any information that, when combined with other available information, could reasonably be used to identify an individual's health status or history.
The Receiving Party agrees that any information disclosed in connection with healthcare services shall be presumed to be PHI unless the Disclosing Party specifically confirms in writing that such information has been properly de-identified in accordance with 45 C.F.R. Section 164.514.
"Protected Health Information" or "PHI" means only that information which meets all of the following criteria: (a) the information is "protected health information" as that term is defined in 45 C.F.R. Section 160.103; (b) the information is received directly from the Disclosing Party or created by the Receiving Party on behalf of the Disclosing Party; and (c) the information has been specifically designated in writing as PHI by the Disclosing Party at or before the time of disclosure. The following categories of information shall NOT constitute PHI for purposes of this Agreement: (i) information that has been de-identified in accordance with 45 C.F.R. Section 164.514(a)-(c), using either the Expert Determination method or the Safe Harbor method; (ii) aggregated data from which all individual identifiers have been removed and which cannot reasonably be used to identify any individual; (iii) statistical analyses, reports, or summaries derived from PHI that do not contain individually identifiable information; (iv) publicly available health information, including information from public health registries or published clinical studies; (v) information independently obtained by the Receiving Party from sources other than the Disclosing Party without breach of any confidentiality obligation; and (vi) limited data sets as defined in 45 C.F.R. Section 164.514(e) when disclosed pursuant to a valid data use agreement. The Disclosing Party shall clearly mark or otherwise identify all PHI at the time of disclosure. Information not so marked shall be treated as standard Confidential Information and not subject to the enhanced protections applicable to PHI.
Key Considerations
- Align with HIPAA regulations. The foundation of any PHI definition should reference 45 C.F.R. Section 160.103 to ensure federal compliance.
- Consider state law variations. States like California, Texas, and New York have health privacy laws that may be more protective than HIPAA. Your definition may need to account for these differences.
- Address de-identification clearly. Properly de-identified data is not PHI under HIPAA. Your definition should name the de-identification standard that applies (Expert Determination or Safe Harbor under 45 C.F.R. Section 164.514(b)), state who bears the burden of showing that data has been de-identified, and say who decides when the parties disagree.
- Cover all 18 Safe Harbor identifiers. The Safe Harbor method at 45 C.F.R. Section 164.514(b)(2) lists 18 categories of identifiers (names, geographic subdivisions smaller than a state, dates other than year, telephone and fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate and license numbers, vehicle identifiers, device identifiers, URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying number, characteristic, or code) that must be removed before information is treated as de-identified. Ensure your definition's list of examples is at least this comprehensive.
- Plan for electronic PHI (ePHI). Electronic forms of PHI have additional security requirements under the HIPAA Security Rule. Consider whether your definition needs to address ePHI specifically.