Protected Health Information (PHI)
What is Protected Health Information (PHI)?
Protected Health Information (PHI) is any health-related information that can be used to identify a person.
Details about someone’s mental or physical health, treatments, payments, or other similar info, is typically considered health information.
When health-related information is tied to a name, phone number, profile photo, client ID, or any other identifier, it’s considered Protected Health Information.
Why it Matters for Beauty and Bodywork Professionals
- Many beauty and bodywork services involve intake and treatment notes that include health information like skin conditions, allergies, and current meds
- If you experience a data breach, it can lead to lost client trust, legal actions, and other financial costs
- The right insurance can help pay for data breach-response costs
What Common PHI Situations Should Beauty and Bodywork Pros Expect?
Beauty and bodywork professionals can interact with client health information and protected health information in a variety of ways.
- Intake/consent forms may contain details about a client’s medical history, medications, allergies, and more
- Before/after photos may be linked to a client’s name or profile that includes additional health information
- Treatment notes may be stored in booking or point of sale apps, or included in staff emails
- Texts/DMs could contain details about client conditions or reactions on your personal phone
- Shared devices at the front desk could allow access to client information without the protection of passwords or screen locks
- Exports (CSVs/PDFs) of client lists may contain information that links clients to their health information
PHI Do’s and Don’ts for Studios, Salons, and Mobile Pros
Even when you don’t work in a medical facility, protecting clients’ personal health information is essential.
Swipe →
| Do | Don't |
|---|---|
|
Use passwords, screen locks, and role-based access on all systems |
Leave paper forms on counters or other unsecured spaces |
|
Encrypt devices and cloud storage; turn on multifactor authentication (MFA) |
Post identifiable photos without explicit, current consent |
|
Keep only what you need; securely destroy old records on a schedule |
Discuss client conditions in open areas or unencrypted group chats
|
|
Store PHI in approved systems and not in personal emails or messages |
Transport unsecured loose files
|
|
Get written consent for taking photos and using any of their info for marketing purposes |
Share logins or use a single password for everyone |
|
Train staff regularly on privacy basics
|
|
How Can Insurance Help Protect My Business?
Cyber liability insurance is an optional coverage available to BBI policyholders. It’s designed to help pay for data breaches and cyberattacks, including expenses like:
- Lawyer fees
- Settlement costs
- Credit monitoring
- Money lost to cyber scams or fraud
- Recovering lost data and fixing broken systems
- Hiring tech experts to figure out what happened
Coverage depends on policy wording and endorsements. Check your declarations page and talk to your agent about adding cyber liability insurance.
What To Do If Protected Health Information Is Exposed (First 24 Hours)
- Secure the situation: Disable accounts, change passwords, recover devices, stop further sharing
- Document: Record facts, the who/what/when/where; list data types involved; save screenshots and file names
- Notify: Inform your insurer immediately to start the claim process and access data breach resources/legal guidance
- Preserve evidence: Don’t wipe affected devices/systems until forensics tells you to do so
- Plan notifications: Prepare clear client messaging per insurer and legal guidance
- Tighten controls: Turn on MFA, update policies, retrain staff
Additional Resources
Related Terms
- Data Breach
- Cyber Liability Insurance
- Declarations Page
- Endorsement
- Exclusion
- Insurance Claim
