Protected Health Information
Quick Definition
Protected Health Information (PHI) refers to any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA). PHI includes 18 specific identifiers defined by the HIPAA Privacy Rule, ranging from names and Social Security numbers to prescription records and payment history. When you consult with a licensed provider through ZYNDIO's telehealth platform, discuss medical history, receive a prescription for compounded semaglutide or finasteride, or process payment information, all of that data qualifies as PHI and receives federal privacy protection. Understanding PHI matters because it defines what information healthcare entities must safeguard, how they can use or disclose it, and what rights you have to access and control your own health records.
In Depth
## What Protected Health Information Includes
The HIPAA Privacy Rule defines PHI as health information that can be linked to a specific individual and relates to past, present, or future physical or mental health, healthcare provision, or payment for healthcare. The rule identifies 18 specific identifiers that make health information "identifiable" and therefore protected:
- Names (full name, initials, aliases)
- Geographic subdivisions smaller than a state (street address, city, county, zip code if fewer than 20,000 people)
- Dates related to an individual (birth date, admission date, discharge date, date of death)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers (for medical devices)
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, retinal scans, voice prints)
- Full-face photos and comparable images
- Any other unique identifying number, characteristic, or code
When you submit a telehealth intake form describing hair loss patterns, upload photos of thinning areas, discuss erectile function during a video consultation, or provide insurance information to cover a compounded medication, all of that data contains PHI. A 2013 analysis published in the *Journal of the American Medical Informatics Association* (PMID: 23396544) examined HIPAA compliance across health information exchanges and found that the 18-identifier framework creates a clear standard but requires constant vigilance as technology evolves.
## How HIPAA Protects PHI in Telehealth
HIPAA applies to "covered entities" (healthcare providers, health plans, healthcare clearinghouses) and their "business associates" (vendors that handle PHI on their behalf). When ZYNDIO connects you with a licensed provider via asynchronous or synchronous telehealth, both the platform and the contracted providers must comply with HIPAA's Security Rule and Privacy Rule.
The **Privacy Rule** governs how PHI can be used and disclosed. Permitted uses include treatment (your provider reviews your medical history to determine if compounded tirzepatide is appropriate), payment (processing your prescription payment), and healthcare operations (quality improvement, credentialing providers). Any other disclosure requires your written authorization unless a specific exception applies (court order, public health reporting, mandatory abuse reporting).
The **Security Rule** requires administrative, physical, and technical safeguards to protect electronic PHI (ePHI). This includes encrypted data transmission during telehealth video calls, access controls that prevent unauthorized staff from viewing patient records, audit logs that track who accessed what information and when, and secure disposal of records when retention periods expire.
A 2018 study in *JAMA Network Open* (PMID: 30646198) surveyed 130 mobile health apps and found that 79% transmitted data to third parties, and only 30% had privacy policies compliant with HIPAA standards. This underscores why choosing a telehealth platform that explicitly adheres to HIPAA matters — especially when discussing sensitive topics like sexual health, weight management with GLP-1 receptor agonists, or hormone optimization.
## Your Rights Under HIPAA
HIPAA grants you specific rights regarding your PHI:
**Right to access:** You can request and receive a copy of your medical records, including consultation notes, lab results, and prescription history. Providers must respond within 30 days (with a possible 30-day extension).
**Right to amend:** If you believe information in your record is incorrect or incomplete, you can request an amendment. The provider may deny the request if they believe the record is accurate, but they must document your disagreement.
**Right to an accounting of disclosures:** You can request a list of instances where your PHI was disclosed for purposes other than treatment, payment, or operations over the past six years.
**Right to request restrictions:** You can ask a provider to limit how they use or disclose your PHI. Providers are not required to agree, except in one circumstance: if you pay out-of-pocket in full for a service and request that information not be shared with your health plan, they must comply.
**Right to confidential communications:** You can request that a provider contact you in a specific way (via secure message rather than phone call, for example) or at a specific location.
**Right to be notified of breaches:** If your PHI is impermissibly accessed or disclosed, you must be notified within 60 days.
When you use telehealth services like ZYNDIO, these rights apply to all PHI generated during consultations, prescription fulfillment, and follow-up care. If you receive compounded semaglutide prescribed after an asynchronous intake, your consultation notes, prescription details, and payment information all fall under these protections.
## When PHI Is Not Protected
Not all health information qualifies as PHI under HIPAA. The Privacy Rule includes two key exclusions:
**De-identified information:** If all 18 identifiers are removed and there is no reasonable basis to believe the information can be used to identify an individual, the data is no longer PHI. Healthcare organizations can use de-identified data for research, quality improvement, and population health analysis without violating HIPAA. A 2019 study in *Health Affairs* (PMID: 31403842) examined re-identification risk in de-identified datasets and found that while the 18-identifier standard provides strong protection, sophisticated adversaries using external datasets can sometimes re-identify individuals, particularly in small geographic areas or rare conditions.
**Information not held by covered entities:** HIPAA only applies to covered entities and their business associates. Health information recorded in non-covered settings (fitness tracker data, direct-to-consumer genetic testing results, social media posts about health) is not PHI unless it is later transmitted to a covered entity. This creates a regulatory gap: many health apps and wearable device companies are not covered by HIPAA, meaning they can collect, use, and sell health data under terms governed only by their privacy policies and general consumer protection laws.
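As an added illustration of the de-identification method described above (example code written for this page, not ZYNDIO's own), the function below applies the Safe Harbor rules to a constructed intake record: direct identifiers are dropped, free text is scanned for identifier shapes, dates are reduced to the year, and ZIP codes are truncated to their first three digits. It goes slightly beyond the page's list by including two details from the regulation itself (ages over 89 are collapsed into a single "90+" bucket, and three-digit ZIP prefixes covering 20,000 or fewer people become "000"); the field names and the `SMALL_ZIP3` set are assumptions.

```python
import re
from datetime import date
# Constructed sample intake record (not real patient data); field names assumed.
SAMPLE_RECORD = {
    "name": "Jane Q. Doe",
    "dob": "1985-03-14",
    "zip": "03601",
    "email": "jane.doe@example.com",
    "notes": "Hair thinning at crown; call 555-867-5309 or see http://example.com/p/jd",
    "medication": "finasteride 1 mg daily",
}
# Fields dropped entirely: direct identifiers from the 18-identifier list.
DIRECT_IDENTIFIER_FIELDS = {"name", "email", "phone", "ssn", "mrn", "ip", "device_id"}
# Placeholder 3-digit ZIP prefixes whose area holds 20,000 or fewer people
# (constructed for this example; the real set is derived from Census data).
SMALL_ZIP3 = {"036", "059", "063", "102", "203"}
# Identifier shapes that hide inside free text; each match becomes a tag.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
]

def scrub_text(text):
    # Free text is where identifiers slip past structured-field rules.
    for pattern, tag in FREE_TEXT_PATTERNS:
        text = pattern.sub(tag, text)
    return text

def deidentify(record, reference_year=None):
    """Return a Safe Harbor de-identified copy of a flat patient record."""
    ref_year = reference_year or date.today().year
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                                  # removed outright
        if field == "zip":
            zip3 = str(value)[:3]                     # keep the 3-digit prefix only
            out["zip3"] = "000" if zip3 in SMALL_ZIP3 else zip3
        elif field == "dob":
            age = ref_year - int(str(value)[:4])      # dates reduced to the year
            if age > 89:
                out["age_bucket"] = "90+"             # ages over 89 aggregated
            else:
                out["birth_year"] = ref_year - age
        else:
            out[field] = scrub_text(str(value))
    return out
```

Safe Harbor is only one of HIPAA's two de-identification paths; the regex scan here catches common identifier shapes but, as the Health Affairs finding above notes, cannot by itself rule out re-identification from rare conditions or small areas.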
## Common PHI Violations in Telehealth
HIPAA violations occur when PHI is accessed, used, or disclosed without proper authorization or safeguards. Common violations include:
- **Accessing records without a legitimate treatment, payment, or operations reason:** A staff member looking up a friend's prescription history or a provider reviewing records of a patient they are not treating.
- **Unencrypted transmission:** Sending patient information via standard email, unencrypted text message, or non-HIPAA-compliant video platforms.
- **Improper disposal:** Discarding printed patient records in regular trash rather than shredding them, or failing to wipe data from decommissioned devices.
- **Failure to implement business associate agreements:** Contracting with vendors (cloud storage providers, billing companies, telehealth platforms) that handle PHI without a signed agreement specifying HIPAA compliance responsibilities.
- **Unauthorized disclosure to family or third parties:** Discussing a patient's condition with family members without the patient's authorization, or sharing information with employers, insurers, or other entities beyond permitted uses.
Penalties for HIPAA violations range from $100 to $50,000 per violation, with annual maximums reaching $1.5 million per violation category. The Department of Health and Human Services Office for Civil Rights enforces HIPAA and publishes a "Wall of Shame" listing breaches affecting 500 or more individuals.
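As an added illustration of the audit-log safeguard named under the Security Rule and of the first violation listed above (example code written for this page, not ZYNDIO's own), the script below checks a constructed EHR access log against a care-team roster and flags every access by a user with no documented treatment, payment or operations relationship to the patient. The log format, roster structure and action names are assumptions.

```python
from collections import Counter

# Constructed care-team roster: staff with a documented treatment, payment
# or operations relationship to each patient (assumed data model).
CARE_TEAM = {
    "PT-1001": {"dr.alvarez", "rn.kim", "billing.lee"},
    "PT-1002": {"dr.alvarez"},
    "PT-1003": {"dr.patel", "rn.kim"},
}

# Constructed EHR access audit log: timestamp, user, patient, action.
AUDIT_LOG = """\
2026-04-20T09:01:12Z dr.alvarez PT-1001 VIEW_RX_HISTORY
2026-04-20T09:05:44Z rn.kim PT-1003 VIEW_NOTES
2026-04-20T12:30:02Z rn.kim PT-1002 VIEW_RX_HISTORY
2026-04-20T12:30:40Z rn.kim PT-1002 VIEW_NOTES
2026-04-20T18:47:09Z dr.patel PT-1001 EXPORT_RECORD
2026-04-21T02:15:55Z billing.lee PT-1001 VIEW_PAYMENT
"""

# Actions that move PHI out of the system and so warrant a higher severity.
EXFIL_ACTIONS = {"EXPORT_RECORD", "PRINT_RECORD"}

def parse_log(text):
    """Parse space-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        events.append({"ts": ts, "user": user, "patient": patient, "action": action})
    return events

def find_unauthorized_access(events, care_team):
    """Flag accesses by users with no documented relationship to the patient."""
    findings = []
    for e in events:
        if e["user"] in care_team.get(e["patient"], set()):
            continue                                  # legitimate TPO access
        severity = "high" if e["action"] in EXFIL_ACTIONS else "medium"
        findings.append({**e, "severity": severity})
    return findings

def accesses_per_user(findings):
    """Count flagged accesses per user so repeat offenders surface first."""
    return Counter(f["user"] for f in findings)
```

In a real deployment the roster would come from scheduling and billing systems, and a documented emergency-access ("break-the-glass") workflow would need to be excluded before a finding is escalated.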
## PHI in the Context of Compounded Medications
When you receive a prescription for a compounded medication through ZYNDIO — whether finasteride for hair loss, tadalafil for erectile function, or tirzepatide for weight management — your prescription details, consultation notes, and follow-up monitoring records all constitute PHI. Compounding pharmacies are covered entities under HIPAA and must protect this information with the same rigor as hospital systems or large retail pharmacies.
One telehealth-specific consideration: because compounded medications are prepared pursuant to individual prescriptions and are not FDA-approved drug products, the prescribing decisions and titration protocols documented in your medical record carry additional significance. If a provider adjusts your semaglutide dose based on tolerance and weight loss trajectory, those clinical notes form part of your PHI and may be relevant if questions arise about appropriateness of care, adverse events, or insurance coverage disputes.
## When to Discuss PHI Concerns With a Provider
You should discuss PHI concerns with a licensed provider or healthcare organization if:
- You believe your information was accessed or disclosed without authorization.
- You want to request restrictions on how your PHI is shared.
- You need copies of your medical records for personal review or to share with another provider.
- You are concerned about a telehealth platform's security practices or privacy policy.
- You have questions about who can access your prescription history, lab results, or consultation notes.
Telehealth platforms operating in multiple states must comply with HIPAA at the federal level and may also be subject to state-specific privacy laws (California's Confidentiality of Medical Information Act, for example, imposes stricter standards than federal HIPAA in some areas). If you have concerns about how your health information is being handled, ask your telehealth provider for a copy of their Notice of Privacy Practices, which HIPAA requires covered entities to distribute and make available upon request.
**Medical Disclaimer**
The information in this article is for general education only and is not a substitute for professional medical advice, diagnosis, or treatment. Always consult a licensed healthcare provider before starting, stopping, or changing any medication. ZYNDIO connects adults with licensed providers via telehealth; the providers — not ZYNDIO — make all clinical decisions. Compounded medications dispensed through ZYNDIO partners are not FDA-approved drug products. They are prepared by state-licensed compounding pharmacies pursuant to a valid prescription. Individual results vary. Side effects, drug interactions, and contraindications exist for every therapy discussed here.
Last reviewed: 2026-04-25 by ZYNDIO Clinical Editorial Team (PharmD-led)
## FAQ
**Can my employer access my PHI if I use telehealth for a work-related health screening?**
No, unless you provide written authorization. Even in occupational health settings, HIPAA restricts disclosure of your health information to your employer beyond what is necessary for workplace accommodation or workers' compensation. If you consult a telehealth provider for a DOT physical, pre-employment drug screen, or fitness-for-duty evaluation, the provider can share only the minimum information required (pass/fail status, restrictions, return-to-work date) and cannot disclose diagnostic details or treatment information without your consent.
**Is PHI shared when I transfer a prescription from one pharmacy to another?**
Yes, but this is a permitted use under HIPAA for treatment and payment purposes. When you request a prescription transfer, the receiving pharmacy contacts the original pharmacy to obtain prescription details (medication, dose, refills remaining, prescriber information). No separate authorization is required because this facilitates continuity of your care. However, pharmacies cannot share your prescription history with third parties (employers, family members, law enforcement) without your authorization or a valid legal order.
**What happens if my telehealth platform experiences a data breach?**
Under HIPAA's Breach Notification Rule, the platform must notify you within 60 days if your unsecured PHI was accessed, acquired, used, or disclosed in a way that compromises its security or privacy. The notification must describe what information was involved, what the platform is doing in response, and what steps you can take to protect yourself. Breaches affecting 500 or more individuals must also be reported to the Department of Health and Human Services and, in some cases, to the media. You have the right to file a complaint with HHS Office for Civil Rights if you believe a breach was not properly handled.
**Can I request that my telehealth consultation notes not be shared with my insurance company?**
Yes, if you pay out-of-pocket in full for the service. HIPAA grants you the right to request that a provider not disclose PHI to a health plan if you have paid for the service completely out-of-pocket and the disclosure is for payment or healthcare operations purposes (not treatment). This applies to telehealth consultations and prescription medications. However, if you later submit a claim to your insurance for the same service, the provider may be required to disclose the information at that time.
**Does HIPAA apply to health information I share on social media or fitness apps?**
No, unless that information is later transmitted to a HIPAA-covered entity. Social media platforms, fitness trackers, and most direct-to-consumer health apps are not covered by HIPAA. They collect, use, and share health data under their own privacy policies and general consumer protection laws. If you sync your fitness tracker data with a patient portal at a HIPAA-covered clinic, however, that data becomes PHI once it enters the covered entity's system and gains HIPAA protections at that point.
Related Terms
Compounded Medication
A compounded medication is one prepared by a licensed pharmacist for a specific patient, typically because the commercially manufactured product is unavailable, the patient cannot tolerate an inactive ingredient, or a non-standard dose is clinically required. Compounded preparations are not FDA-approved as finished drug products.
Async Telehealth
Asynchronous (async) telehealth is a model of remote healthcare in which the patient submits information (intake forms, photos, lab results) without a real-time video or phone consultation with the clinician. The clinician reviews and prescribes if appropriate. Most U.S. states permit async prescribing for many medications under defined conditions.
Synchronous Telehealth
Synchronous telehealth is a model of remote healthcare in which the patient and clinician interact in real time, typically via video or phone. Required for some clinical scenarios and controlled substance prescribing under federal and state rules.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 is the U.S. federal law that establishes data privacy and security standards for protected health information (PHI). HIPAA applies to healthcare providers, health plans, healthcare clearinghouses, and their business associates.
Prescription Titration
Prescription titration is the structured stepwise increase of a medication dose over time, used to manage tolerability while reaching a target therapeutic dose. Titration schedules are typically specified in the FDA-approved label and are particularly important for medications like GLP-1 agonists and TRT.