What Is PHI
PHI stands for Protected Health Information. It's any health data that can identify you individually and is covered under HIPAA (the Health Insurance Portability and Accountability Act). This includes your name, medical record number, diagnoses, treatment dates, provider names, billing codes, insurance claim details, and even your voice or image if recorded during a medical visit.
In medical billing and insurance appeals, PHI matters because your claim file contains sensitive health information. When you request records to dispute a denied claim, appeal a coverage decision, or file a complaint with your state insurance commissioner, you're handling PHI. Understanding what falls under this protection shapes how you can use, share, and control your own health data during the appeals process.
PHI in Your Appeal Process
When you file an internal appeal of a denied claim, your insurance company must provide you with all PHI related to that decision. This includes the original claim, your EOB (Explanation of Benefits), the medical necessity determination, prior authorization records if one was required, and the specific reason for denial.
Many patients don't realize they have the right to request this information in writing and receive it within 30 days under HIPAA rules. Some states, like California and Texas, have stricter timelines: 15 business days. During an external appeal (reviewed by an independent third party, not your insurer), you can submit additional PHI, such as new clinical evidence or specialist letters, to support your case. The external appeal reviewer must consider all PHI provided before making a decision.
Your Rights Over Your PHI
- Access: Request copies of all PHI your insurer and healthcare providers hold about you. This is free once per year; additional copies may have a per-page fee (typically $0.25 to $1.00).
- Amendment: If PHI is incorrect (wrong diagnosis code, wrong treatment date), request a correction in writing. Your provider must acknowledge your request within 60 days.
- Disclosure tracking: You can ask who accessed your PHI and when. This matters if you suspect your appeal information was mishandled.
- Restriction requests: You can ask your insurer not to use certain PHI for treatment decisions, though they can refuse if it affects your care or appeals decisions.
- Sharing control: Your insurer cannot share your PHI with employers, marketers, or third parties without written consent, except as required by law or for treatment/payment/operations.
Common Questions
- Can I use my own medical records in an appeal if they contain other patients' information? No. Redact any PHI belonging to other people before submitting. Keep only the information relevant to your claim and the specific service being appealed.
- Does my insurer have to remove PHI from denial letters before sending them to me? No. Denial letters are yours, so they contain your PHI. However, if you share that letter with an attorney or patient advocate, they must keep it confidential as part of attorney-client privilege or professional obligation.
- What if I discover my provider shared my PHI with the insurance company without my consent during a prior authorization? You can file a HIPAA privacy complaint with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). This doesn't resolve your claim denial, but it creates a record if your provider violated your rights.
Related Concepts
- HIPAA - The federal law that creates PHI protections and your privacy rights
- Privacy Rights - Your specific rights to control and access your health information