HIPAA vs. PHI: Clearing Up the Confusion
Originally published: 2025-10-08
HIPAA compliance is one of the most misunderstood areas of practice management. Chiropractors often think that simply keeping records “confidential” is enough, but HIPAA goes far beyond that. At the heart of the regulation is the concept of Protected Health Information (PHI). Knowing what counts as PHI, and how HIPAA applies to it, is the key to keeping your office compliant and protecting your license.
What Counts as PHI?
Protected Health Information is not limited to patient charts. It includes any information that can identify a patient when combined with health-related data. Examples include:
Names, addresses, phone numbers, and email addresses
Dates of birth, dates of care, or appointment schedules
Insurance information, account numbers, or billing details
Even photographs or videos where the patient could be recognized
“PHI is more than a patient’s file. If it can identify the patient and is linked to health information, HIPAA applies.”
Common Sources of Confusion
Many chiropractors get tripped up because HIPAA rules extend outside the four walls of the adjusting room. Consider these scenarios:
A staff member casually discusses a patient’s care with a friend in the waiting room.
An email reminder about an appointment is sent without encryption.
A doctor posts a testimonial on social media but forgets to remove identifying details.
A spouse calls asking for records without written authorization.
In each case, HIPAA could be violated because PHI was disclosed without proper safeguards or permission.
HIPAA and Investigations
Another area of confusion is when investigators or agencies request records. While HIPAA restricts disclosure in most cases, there are exceptions for child protective services, law enforcement, or subpoenas. Chiropractors must be clear on when HIPAA applies and when other laws override it. Failing to understand these distinctions can put you in conflict with both regulators and families.
Practical Steps for Compliance
Train staff regularly on what counts as PHI and how to handle it
Use encrypted systems for email and electronic records
Have patients sign appropriate HIPAA authorizations before sharing information
Maintain written policies for responding to requests from family members, attorneys, or investigators
The Risk Management Bottom Line
Confusion about HIPAA and PHI is no excuse when a complaint or audit comes your way. Chiropractors must know what counts as PHI, when HIPAA applies, and how to respond to requests appropriately. Good intentions are not enough — compliance requires clear knowledge and consistent systems.
ChiroFutures provides practical guidance and resources to help you stay HIPAA compliant. With our risk management services, you can focus on patient care knowing your systems are protecting both your practice and your patients.

