What Counts as PHI
What You'll Learn
This article explains what protected health information (PHI) is, what types of data qualify, and how to identify PHI in your Knack app. If you're not sure whether the data in your app needs HIPAA protection, start here.
What Is PHI?
Protected health information (PHI) is any information about a person's health, healthcare, or payment for healthcare that can be linked to a specific individual. It applies to data in any format — digital, paper, or spoken.
When PHI is stored or transmitted electronically (which is the case for any data in your Knack app), it's called electronic protected health information (ePHI). HIPAA's Security Rule specifically governs how ePHI must be protected.
For data to qualify as PHI, it needs two things:
- It relates to a person's health condition, treatment, or payment for care
- It includes information that could identify the individual
If either piece is missing, it's not PHI. A list of blood pressure readings with no names or identifiers attached is not PHI. A patient's name connected to a diagnosis is.
The 18 HIPAA Identifiers
HIPAA defines 18 specific identifiers that can link health data to an individual. If your app stores health-related data alongside any of these, that data is PHI:
- Name
- Address (anything more specific than state)
- Dates related to the individual (birth date, admission date, discharge date, date of death — except year)
- Phone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers and serial numbers (including license plates)
- Device identifiers and serial numbers
- Web URL
- IP address
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
Key point: You don't need all 18 to have PHI. A patient's name plus a diagnosis is PHI. An email address plus a prescription record is PHI. Any single identifier combined with health information qualifies.
Common PHI in Knack Apps
Here are examples of fields and data you might have in a Knack app that would qualify as PHI:
- Patient name + appointment date
- Email address + diagnosis or condition
- Phone number + prescription details
- Medical record number + lab results
- Account number + billing amount for a healthcare service
- Name + insurance plan information
- Address + treatment notes
Even data that seems harmless on its own can become PHI when combined. If a table stores names in one field and medical conditions in another, that entire table contains PHI.
What Is Not PHI?
Some data that exists in healthcare settings is not PHI:
- Employment records held by a covered entity in its role as an employer (like HR files)
- De-identified data — health information that has been stripped of all 18 identifiers following HIPAA's de-identification standards
- Education records covered by FERPA
- Aggregate or statistical data that cannot be traced back to an individual
How to Identify PHI in Your Knack App
Walk through your app table by table and ask these questions:
- Does this table store any health-related information (conditions, treatments, medications, lab results, billing for care)?
- Does this table include any of the 18 identifiers listed above?
- Are any tables connected to each other in a way that links health data to identifiable people?
If the answer to the first two questions is yes, that table contains PHI, and every page, element, and API call that touches it must be treated accordingly.
Don't forget connections. A table that only stores appointment times might not look like it contains PHI on its own. But if it's connected to a Patients table with names and conditions, the connected data creates PHI.
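The three questions above can be run as a first-pass audit over a schema inventory. This is an added example, not Knack's code or export format: the schema layout, table and field names, and keyword lists are constructed assumptions, and keyword matching only narrows down what a person still has to review.

```python
# Constructed keyword hints (assumption): a small subset standing in for the
# 18 identifiers and for health-related fields. Extend for a real review.
IDENTIFIER_HINTS = {"name", "address", "birth", "phone", "fax", "email",
                    "ssn", "mrn", "account", "license", "ip", "photo"}
HEALTH_HINTS = {"diagnosis", "condition", "treatment", "medication",
                "prescription", "lab", "billing", "insurance"}

def _hits(fields, hints):
    """Fields whose underscore-separated tokens match any hint."""
    return sorted(f for f in fields if set(f.lower().split("_")) & hints)

def audit(schema):
    """schema: {table: {"fields": [...], "connections": [...]}}.
    Returns {table: "direct" | "linked"} for tables in PHI scope."""
    ident = {t: _hits(s["fields"], IDENTIFIER_HINTS) for t, s in schema.items()}
    health = {t: _hits(s["fields"], HEALTH_HINTS) for t, s in schema.items()}
    links = {t: set() for t in schema}          # connections work both ways
    for t, s in schema.items():
        for other in s["connections"]:
            links[t].add(other)
            links[other].add(t)
    result, seen = {}, set()
    for start in schema:
        if start in seen:
            continue
        group, stack = set(), [start]           # walk one connected group
        while stack:
            t = stack.pop()
            if t not in group:
                group.add(t)
                stack.extend(links[t] - group)
        seen |= group
        # Conservative rule: if the group holds both an identifier and health
        # data anywhere, every table in it is flagged for review.
        if any(ident[t] for t in group) and any(health[t] for t in group):
            for t in group:
                result[t] = "direct" if ident[t] and health[t] else "linked"
    return result

SAMPLE_SCHEMA = {  # constructed sample, not a real app
    "Patients": {"fields": ["patient_name", "email", "condition"], "connections": []},
    "Appointments": {"fields": ["appointment_time"], "connections": ["Patients"]},
    "LabResults": {"fields": ["lab_result", "test_code"], "connections": ["Visits"]},
    "Visits": {"fields": ["visit_time", "phone"], "connections": []},
    "Readings": {"fields": ["lab_value"], "connections": []},
    "Inventory": {"fields": ["item", "quantity"], "connections": []},
}

if __name__ == "__main__":
    for table, reason in sorted(audit(SAMPLE_SCHEMA).items()):
        print(f"{table}: {reason}")
```

Readings holds health data with no identifier and no connection, so it is not flagged, while Appointments is flagged only because of its connection to Patients.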
Next Steps
- Minimum Necessary Rule — Learn how to limit PHI exposure to only what's needed
- Secure Data Handling in Knack — Protect PHI in your pages, views, and support interactions
- User Roles and Permissions for HIPAA — Restrict who can access PHI in your app
