Have you entered into a BAA with all subcontractors who may have access to protected health information (PHI)?

medical information

Medical information, also called Protected Health Information (PHI), is a special class of information that contains details about an individual's health together with details that identify that individual.

Why are they asking this?

PHI is protected by specific laws and regulations that set requirements for gathering, storing, transmitting, and disclosing the information. This information is sensitive and requires additional controls for handling.  Failure to protect the data in accordance with the regulations can result in penalties for both the customer and the provider.

What do they expect?

You may be asked for policies that address the special requirements of PHI protection, and for evidence that those policies are actually followed.  This may include a review of data classification guidance, a review of any service providers that a SaaS provider uses to process or store the data, and design or engineering documents showing that the controls for PHI have been designed and implemented.

protected health information

Protected Health Information (PHI) is a data classification defined by HIPAA.  PHI is individually identifiable health information: any information that identifies an individual and contains details about that individual's health, care, or payment for care.  HIPAA requires that this information be handled properly and protected from unauthorized disclosure. HIPAA lays out many requirements, covering storage, transmission, access, and more.

Why are they asking this?

PHI is sensitive data that requires protection from unauthorized disclosure.  The handling of this data is specified in the HIPAA regulations, and there are penalties for failing to protect the data properly.  Companies are required to ensure that all of their vendors, contractors, and subcontractors with access to PHI handle the information in accordance with HIPAA.

What do they expect?

Organizations expect that each aspect of the HIPAA regulation is followed and that all business associates of the organization are bound by business associate contracts to do the same.

business associate contract

A “business associate” is a person or entity, other than a member of the company's own workforce, that creates, receives, maintains, or transmits Protected Health Information (PHI) on the company's behalf. This may include contractors and subcontractors of the company. The HIPAA Rules generally require that the company and each business associate enter into a contract (a business associate agreement, or BAA) to ensure that the PHI will be appropriately safeguarded. The business associate contract also serves to clarify and limit the permissible uses and disclosures of PHI.

Why are they asking this?

HIPAA requires a business associate contract between the parties that share PHI.  This means not only a contract between your organization and your customers, but also contracts between your organization and any individuals or companies that have access to the PHI your company holds.

What do they expect?

Every party that has access to a company's PHI must have a business associate contract in place with the party it receives the PHI from.  This forms a chain: the covered entity contracts with its business associates, and each business associate contracts with any subcontractor it gives PHI access to; under HIPAA, a subcontractor that handles PHI is itself a business associate and carries the same obligations.  In HIPAA's terms, a covered entity is a health plan, health care clearinghouse, or health care provider that is directly regulated by HIPAA, and a business associate is any person or organization that handles PHI on a covered entity's behalf.