Protected health information

Protected health information (PHI) is any patient medical or health data an organization collects, stores, processes, or transmits. Its sensitive nature triggers specific legal security requirements, making it a key example of how data classification drives the controls applied to it.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is protected health information?

Protected health information, usually shortened to PHI, is the medical and health-related data a healthcare organization handles about a patient. Think patient records, diagnoses, treatment history, and any data that links a person to their health. Because this data is so sensitive, the law forces organizations to lock it down with specific security controls.

In AP Cybersecurity, PHI is the textbook example of EK 5.2.A.1: organizations apply security controls based on the type of data they collect, store, process, and transmit. The data's classification dictates the protection. PHI gets heavy controls (like encryption and tight access rules) precisely because of what it is, not just where it lives. It's the same logic behind payment card information (PCI), just for health data instead of credit cards.

Why protected health information matters in AP Cybersecurity

PHI lives in Unit 5: Securing Applications and Data, specifically topic 5.2 on managerial controls and access controls. It's the go-to illustration for learning objective AP Cybersecurity 5.2.A, which asks you to explain how a data type's classification changes the type and degree of security applied to it. PHI also threads into 5.2.C and 5.2.D, because deciding who gets to read or modify a patient's record is an access-control problem. The big takeaway the exam wants: legal requirements drive security choices, and PHI is the clearest case of that cause and effect.


How protected health information connects across the course

Payment card information / PCI (Unit 5)

PHI and PCI are twins. Both are sensitive data categories that trigger legal security requirements, just for different industries. PHI is health data; PCI is credit card data. If you understand why PHI needs encryption and access limits, you already understand PCI.

Data states: at rest and in transit (Unit 5)

PHI doesn't get protected the same way everywhere. Stored on a server, it's data at rest and needs encryption so a stolen drive is useless. Sent between devices, it's data in transit and needs protected channels. Same data, different controls depending on its state.

Role-based access control / RBAC (Unit 5)

Protecting PHI isn't only about encryption; it's about who can touch it. RBAC (EK 5.2.C.2) lets a hospital say only a treating physician's role can open a patient's chart. That's the access-control half of locking down health data.
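To make the classification-drives-controls idea from the data-states and RBAC sections concrete, here is an added example (not from the course materials) in which a record's label decides whether it must be encrypted at rest and which roles may read it. The control table, the `care_team` field, and the sample users are constructed assumptions for illustration.

```python
"""Classification-driven controls for patient records (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass, field

# The data's classification dictates the protection (EK 5.2.A.1). PHI needs
# encryption at rest plus RBAC limited to clinicians actually treating the
# patient; PUBLIC data needs neither. Table values are assumptions.
CONTROLS = {
    "PHI":    {"encrypt_at_rest": True,  "roles": {"physician", "nurse"}, "treating_only": True},
    "PCI":    {"encrypt_at_rest": True,  "roles": {"billing"},            "treating_only": False},
    "PUBLIC": {"encrypt_at_rest": False, "roles": None,                   "treating_only": False},
}

# Denied reads are recorded so a security team can review access attempts.
AUDIT_LOG: list[str] = []


@dataclass
class Record:
    patient_id: str
    classification: str
    care_team: set[str] = field(default_factory=set)  # user ids treating this patient


@dataclass
class User:
    user_id: str
    role: str


def encrypt_at_rest(record: Record) -> bool:
    """Return True when the record's classification requires encryption on disk."""
    return CONTROLS[record.classification]["encrypt_at_rest"]


def can_read(user: User, record: Record) -> tuple[bool, str]:
    """RBAC check: role must be permitted, and for PHI the user must treat the patient."""
    policy = CONTROLS[record.classification]
    if policy["roles"] is None:
        return True, "public data, no access restriction"
    if user.role not in policy["roles"]:
        reason = f"role {user.role!r} not permitted for {record.classification}"
    elif policy["treating_only"] and user.user_id not in record.care_team:
        reason = f"{user.user_id} is not on patient {record.patient_id}'s care team"
    else:
        return True, "allowed"
    AUDIT_LOG.append(f"DENY user={user.user_id} patient={record.patient_id} reason={reason}")
    return False, reason


if __name__ == "__main__":
    chart = Record("p-1001", "PHI", care_team={"dr-lee"})   # constructed sample record
    print(can_read(User("dr-lee", "physician"), chart))     # (True, 'allowed')
    print(can_read(User("dr-kim", "physician"), chart))     # denied: not treating
```

The same physician role is allowed for one patient and denied for another, which is the "patients they treat" scenario the exam describes.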

Data loss prevention / DLP (Unit 5)

DLP tools watch for sensitive data trying to leave an organization. PHI is exactly the kind of data DLP is built to catch, blocking a patient record from being emailed out or copied to a USB drive.

Is protected health information on the AP Cybersecurity exam?

Expect PHI in multiple-choice questions in two flavors. First, identification: a stem asks which option is an example of protected health information, and you pick the patient medical record over a credit card number or a public address. Second, scenario application: a hospital encrypts patient records on a server, or limits which employees can view records for patients they treat, and you name the control (encryption, access control, RBAC). No released FRQ has used this term verbatim, but it's prime material for explaining how data classification drives security decisions, the exact thinking AP Cybersecurity 5.2.A rewards.

Protected health information vs payment card information (PCI)

Both are sensitive data types that demand strong controls, so it's easy to mix them up. The difference is just the content: PHI is health and medical data (diagnoses, patient records), while PCI is payment card data (credit card numbers, cardholder info). A question testing this gives you a list and asks which one fits, so anchor on the word 'health' versus 'payment.'

Key things to remember about protected health information

  • Protected health information (PHI) is patient medical and health data, and it's the classic example of data whose classification forces specific security controls.

  • PHI illustrates EK 5.2.A.1: organizations apply controls based on the type of data they handle, because the law requires it.

  • Protecting PHI means both encryption (so stolen data is unreadable) and access control (so only authorized roles can view it).

  • PHI and PCI work the same way conceptually; PHI is health data, PCI is payment card data.

  • On the exam, you'll either identify PHI from a list or name the control protecting it in a healthcare scenario.

Frequently asked questions about protected health information

What is protected health information in AP Cybersecurity?

It's any patient medical or health data an organization collects, stores, processes, or transmits, like medical records or diagnoses. In Unit 5, it's the main example of how a data type's classification triggers stronger, legally required security controls.

How is protected health information (PHI) different from payment card information (PCI)?

Both are sensitive data types needing strong protection, but PHI is health and medical data while PCI is credit card and payment data. On a multiple-choice question, look at the content: a patient record is PHI, a credit card number is PCI.

Is encryption the only way to protect PHI?

No. Encryption protects PHI from being read if it's stolen, but access control matters just as much. A hospital uses role-based access control (RBAC) so only the treating clinician's role can open a patient's chart, so the full answer is encryption plus access control.

Why does PHI need special security?

Because legal requirements force it. EK 5.2.A.1 says organizations implement specific controls based on the types of data they handle, and health data is sensitive enough that the law mandates strong protection.

How is PHI tested on the AP Cybersecurity exam?

Mostly in multiple-choice. Some questions ask you to identify which option is PHI; others give a healthcare scenario (encrypted patient records, limited employee access) and ask you to name the security control being used.
