Medical information, also called Protected Health Information (PHI) is a special class of information that contains details about an individual's health and identity.

PHI is protected by special laws and regulations that specify the requirements for gathering, storing, transmitting, and disclosure of the information. This information is sensitive and requires additional controls for handling.  Failure to protect the data in accordance with the regulations can result in penalties for the customer and the provider.

Policies that address the special requirements of PHI protections and evidence that these are being followed may be requested.  This may include reviewing data classification guidance, review of any service providers that a SaaS provider may be using, and design or engineering documents showing that the controls have been designed and implemented for PHI.

Protected Health Information (PHI) is a classification of the data specified by HIPAA.  PHI is any information that identifies individuals and contains their medical information.  HIPAA requires that this information be handled properly and protected from disclosure. There are many requirements laid out in HIPAA, including storage, transmission, access, and more.

PHI is sensitive data that requires protection from disclosure.  The handling of this data is specified in the HIPAA regulations, and there are penalties for failing to protect the data properly.  Companies are required to ensure that all their vendors, contractors, and subcontractors with access to PHI handle the information in accordance with HIPAA.

Organizations expect that each aspect of the HIPAA regulation is followed and that all business associates of the organization are bound by business associate contracts to do the same.