---
title: "PHI — AP Cybersecurity Definition & Exam Guide"
description: "PHI (Protected Health Information) is sensitive medical data governed by law. Learn what counts as PHI, why it's high-risk, and how it shows up on the AP Cybersecurity exam."
canonical: "https://fiveable.me/ap-cybersecurity/key-terms/phi"
type: "key-term"
subject: "AP Cybersecurity"
unit: "Unit 5"
---

# PHI — AP Cybersecurity Definition & Exam Guide

## Definition

PHI (Protected Health Information) is sensitive medical data, like patient names, birthdates, and medical record numbers, that is governed by laws and regulations and counts as a high-value target whose compromise creates serious data security risk.

## What It Is

PHI stands for **[Protected Health Information](/ap-cybersecurity/key-terms/protected-health-information "fv-autolink")**. It's the medical version of sensitive personal data: patient names tied to health records, birthdates, medical record numbers, diagnoses, and anything else that links a real person to their medical care. Because laws and regulations protect this data, PHI sits in the "highly sensitive" bucket the CED flags in EK 5.1.C.2.

In [AP Cybersecurity](/ap-cybersecurity "fv-autolink") terms, PHI matters because of what happens when it leaks. EK 5.1.C.1 breaks data risk into the CIA triad: confidentiality (unauthorized people see it), integrity (someone alters it), and availability (it gets destroyed or [encrypted](/ap-cybersecurity/unit-1/best-practices-for-public-networks/study-guide/nli0fCFfA8OIiMHEGsBP "fv-autolink") out of reach). PHI is a prime example of data where all three really hurt. A healthcare provider storing patient names, birthdates, and medical record numbers in a weakly encrypted database is exactly the kind of high-risk scenario the CED describes, sensitive regulated data exposed to a likely exploit.

## Why It Matters

PHI lives in **[Unit 5](/ap-cybersecurity/unit-5 "fv-autolink"): Securing Applications and Data**, topic 5.1. It supports learning objective AP Cybersecurity 5.1.C, where you assess and document risks from data vulnerabilities. The reason PHI keeps coming up is the risk-rating logic in EK 5.1.C.2: high [risk](/ap-cybersecurity/key-terms/risk "fv-autolink") means highly sensitive data (the kind governed by laws or regulations) facing a likely exploit. PHI checks both boxes. When you do a risk assessment on the exam, PHI is the data type that pushes a finding into the high-severity zone, so recognizing it tells you how serious a vulnerability really is.

## Connections

### PII (Personally Identifiable Information) (Unit 5)

PHI is basically PII with a medical layer on top. PII is any data that identifies a person; PHI is that identity tied to health records. Both are regulated, both are high-risk, and on the exam they trigger the same "highly [sensitive data](/ap-cybersecurity/key-terms/sensitive-data "fv-autolink")" reasoning.

### PCI (Payment Card Industry data) (Unit 5)

PHI, PII, and PCI are the three big categories of regulated, high-value data. PCI covers credit card info. Spotting which category you're looking at is how you justify a high risk rating in a 5.1.C assessment.

### [Data at rest (Unit 5)](/ap-cybersecurity/key-terms/data-at-rest)

The classic PHI scenario is a database with weak encryption, which is PHI sitting as [data at rest](/ap-cybersecurity/key-terms/data-at-rest "fv-autolink"). EK 5.1.A.1 warns that anyone with drive access can read unencrypted files, so PHI at rest with bad encryption is a confidentiality breach waiting to happen.

### Application attacks like SQL injection (Unit 5)

PHI usually lives in a database behind a web application, so the attacks in 5.1.B ([SQL injection](/ap-cybersecurity/key-terms/sql-injection "fv-autolink"), weak input checks) are often the path an adversary takes to steal it. The vulnerability is the door; PHI is what's behind it.

## On the AP Exam

Expect PHI in multiple-choice questions as the answer to "which term describes this sensitive data at risk?" A typical stem describes a healthcare provider storing patient names, birthdates, and medical record numbers in a weakly encrypted database, and you pick the data category. Your job is recognition plus risk reasoning: identify the data as PHI, then connect it to the high-risk logic in EK 5.1.C.2 (regulated data + likely exploit = high severity). No released FRQ has used PHI verbatim, but it fits cleanly into any risk-documentation prompt under 5.1.C where you weigh impact against likelihood.

## PHI vs PII

PII is the broad category of data that identifies a person (name, SSN, email). PHI is the narrower, healthcare-specific slice: identifying data linked to medical records, diagnoses, or treatment. Every piece of PHI involves PII, but plenty of PII isn't PHI. If the scenario mentions a hospital, clinic, patient, or medical records, reach for PHI.

## Key Takeaways

- PHI (Protected Health Information) is sensitive medical data like patient names, birthdates, and medical record numbers that is protected by law.
- Because PHI is regulated and highly sensitive, it triggers the high-risk rating described in EK 5.1.C.2 during a data risk assessment.
- PHI compromise can hit any part of the CIA triad: confidentiality if it's seen, integrity if it's altered, availability if it's destroyed or encrypted.
- PHI is PII with a medical layer; it's still PII, just the healthcare-specific kind.
- A weakly encrypted database of patient records is the textbook PHI-at-risk scenario the exam uses.

## FAQs

### What is PHI in AP Cybersecurity?

PHI is Protected Health Information, meaning sensitive medical data tied to a real person, such as patient names, birthdates, and medical record numbers. The CED treats it as highly sensitive, regulated data, so it counts as a high-risk asset in a data risk assessment under topic 5.1.

### Is PHI the same as PII?

No, not exactly. PHI is a specific type of PII tied to health and medical records. All PHI is PII, but most PII (like your email or home address alone) isn't PHI. If a question mentions a hospital, clinic, or patient records, it's pointing at PHI.

### Why is PHI considered high risk on the AP exam?

Because EK 5.1.C.2 says high risk comes from highly sensitive data, especially data governed by laws or regulations, that faces a likely exploit. PHI is legally protected and very sensitive, so exposing it lands you squarely in the high-severity category.

### How does PHI connect to encryption and data at rest?

PHI is usually stored in databases, which makes it data at rest. EK 5.1.A.1 warns that unencrypted files can be read by anyone with drive access, so a weakly encrypted PHI database is a classic confidentiality vulnerability the exam likes to test.

### What kinds of data count as PHI?

Anything that links a person to their healthcare: patient names, birthdates, medical record numbers, diagnoses, and treatment details. The signal in an exam scenario is a healthcare provider plus identifiable patient information.

## Related Study Guides

- [5.1 Application and Data Vulnerabilities and Attacks](/ap-cybersecurity/unit-5/application-and-data-vulnerabilities-and-attacks/study-guide/T25I7qaDw4w4XT1rkAYr)

## Structured Data

```json
{"@context":"https://schema.org","@graph":[{"@type":"LearningResource","@id":"https://fiveable.me/ap-cybersecurity/key-terms/phi#resource","name":"PHI — AP Cybersecurity Definition & Exam Guide","url":"https://fiveable.me/ap-cybersecurity/key-terms/phi","learningResourceType":"Concept explainer","educationalLevel":"AP® / High School","about":{"@id":"https://fiveable.me/ap-cybersecurity/key-terms/phi#term"},"audience":{"@type":"EducationalAudience","educationalRole":"student"},"dateModified":"2026-06-15T18:59:30.592Z","isPartOf":{"@type":"Collection","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"publisher":{"@type":"Organization","name":"Fiveable","url":"https://fiveable.me"}},{"@type":"DefinedTerm","@id":"https://fiveable.me/ap-cybersecurity/key-terms/phi#term","name":"PHI","description":"PHI (Protected Health Information) is sensitive medical data, like patient names, birthdates, and medical record numbers, that is governed by laws and regulations and counts as a high-value target whose compromise creates serious data security risk.","url":"https://fiveable.me/ap-cybersecurity/key-terms/phi","inDefinedTermSet":{"@type":"DefinedTermSet","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"educationalAlignment":[{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 5, Topic 5.1, LO 5.1.A"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 5, Topic 5.1, LO 5.1.B"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 5, Topic 5.1, LO 5.1.C"}]},{"@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is PHI in AP Cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"PHI is Protected Health Information, meaning sensitive medical data tied to a real person, such as patient names, birthdates, and medical record numbers. The CED treats it as highly sensitive, regulated data, so it counts as a high-risk asset in a data risk assessment under topic 5.1."}},{"@type":"Question","name":"Is PHI the same as PII?","acceptedAnswer":{"@type":"Answer","text":"No, not exactly. PHI is a specific type of PII tied to health and medical records. All PHI is PII, but most PII (like your email or home address alone) isn't PHI. If a question mentions a hospital, clinic, or patient records, it's pointing at PHI."}},{"@type":"Question","name":"Why is PHI considered high risk on the AP exam?","acceptedAnswer":{"@type":"Answer","text":"Because EK 5.1.C.2 says high risk comes from highly sensitive data, especially data governed by laws or regulations, that faces a likely exploit. PHI is legally protected and very sensitive, so exposing it lands you squarely in the high-severity category."}},{"@type":"Question","name":"How does PHI connect to encryption and data at rest?","acceptedAnswer":{"@type":"Answer","text":"PHI is usually stored in databases, which makes it data at rest. EK 5.1.A.1 warns that unencrypted files can be read by anyone with drive access, so a weakly encrypted PHI database is a classic confidentiality vulnerability the exam likes to test."}},{"@type":"Question","name":"What kinds of data count as PHI?","acceptedAnswer":{"@type":"Answer","text":"Anything that links a person to their healthcare: patient names, birthdates, medical record numbers, diagnoses, and treatment details. The signal in an exam scenario is a healthcare provider plus identifiable patient information."}}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"AP Cybersecurity","item":"https://fiveable.me/ap-cybersecurity"},{"@type":"ListItem","position":2,"name":"Key Terms","item":"https://fiveable.me/ap-cybersecurity/key-terms"},{"@type":"ListItem","position":3,"name":"Unit 5","item":"https://fiveable.me/ap-cybersecurity/unit-5"},{"@type":"ListItem","position":4,"name":"PHI"}]}]}
```
