Skip to content
FonteumThe Graph

By use case

Exclusion & monitoring (self-serve)Free roster screen — no accountExclusion & sanctions screeningCredentialing & provider-data enrichmentAudit evidence & defensible programsProvider data for AI / RAGM&A & network diligence

By buyer

Compliance & riskJournalists & newsroomsDevelopers & AI teams

By industry

HealthcareProviders & facilitiesSanctionsOFAC / EU / UK / UN / OIG / SAMFederal contractingSAM · USASpending · FAPIIS

The capability layer

APIREST + bulk accessMCP serverCallable by AI agentsFHIR R4 APIBulk exportAttestation & audit packReconciliationSource-vs-source diffsGrounded answersAI citation assetEntity graphSnapshotsPoint-in-time, bitemporal

The differentiator

Coverage & sourcesThe catalogFreshnessMethodologyCare CompareFacility qualityCompare grounded answersBrowse all datasets →
Research

The dev on-ramp

DocsAPI referenceMCP — connect your agentOne-paste installFHIR sandboxLive API surfaceQuickstartStatusChangelogSDKs & integrations
Pricing
Sign inFree roster screen →Get a signed certificate →

Solutions

Exclusion & monitoring (self-serve)Exclusion & sanctions screeningCredentialing & provider-data enrichmentAudit evidence & defensible programsProvider data for AI / RAGM&A & network diligenceCompliance & riskJournalists & newsroomsDevelopers & AI teamsHealthcareSanctionsFederal contracting

Platform

APIMCP serverFHIR R4 APIBulk exportAttestation & audit packReconciliationGrounded answersEntity graphSnapshots

Data

Coverage & sourcesFreshnessMethodologyCare CompareCompare grounded answersBrowse all datasets →
Research

Developers

DocsAPI referenceMCP — connect your agentFHIR sandboxQuickstartStatusChangelogSDKs & integrations
Pricing
Sign inFree roster screen →Get a signed certificate →
  1. Fonteum
  2. /
  3. Glossary
  4. /
  5. PHI
Fonteum Data GlossaryRegulatory

PHI: Definition and Healthcare Context

Full name: Protected Health Information

Protected Health Information (PHI) is any individually identifiable health information held or transmitted by a HIPAA covered entity or business associate, in any form or medium. PHI includes diagnoses, treatment records, payment information, and any data that could identify the individual — name, address, dates of service, Social Security number, and 16 other identifiers enumerated in the HIPAA Privacy Rule. De-identified information that cannot reasonably be used to identify an individual is not PHI and falls outside HIPAA's Privacy Rule protections.

Last updated: 2026-06-20Reviewed by: Dr. Jennifer Montecillo, MD — Gullas College of Medicine, 2019. Non-practicing medical reviewer.

How it’s used

  • CMS NPPES NPI Registry: NPPES bulk data is not PHI — provider names and business addresses are not patient information. Fonteum uses it to build provider profiles without handling patient data.
  • HIPAA Privacy Rule (45 CFR Parts 160 and 164): the Privacy Rule enumerates the 18 identifiers that turn health information into PHI and governs how covered entities may use or disclose it — the boundary Fonteum stays outside of by sourcing only public provider-level records.
  • CMS public-use files: every dataset Fonteum ingests — NPPES, PECOS, Open Payments, Care Compare — is a provider-level or de-identified public file, so no PHI enters the provenance graph.

Frequently asked questions

What is PHI?
PHI (Protected Health Information) is individually identifiable health information — any data that could identify a patient combined with their health, treatment, or payment information.
What are examples of PHI?
PHI includes patient names, dates of service, geographic data below the state level, phone numbers, email addresses, Social Security numbers, medical record numbers, and diagnosis or treatment information.
Is de-identified data still PHI?
No. Data that has been de-identified using the HIPAA Safe Harbor or Expert Determination method is not considered PHI and falls outside the Privacy Rule.

Related terms

  • HIPAA
  • EHR
  • FHIR
  • CMS
  • Prior Authorization

Authoritative sources

  • HHS: What is PHI? (HIPAA Privacy Rule)↗
  • HHS: Guidance on de-identification↗
← All glossary terms

The substrate, by the numbers

9.2Mgraph entitiesProviders, organizations, owners, and facilities
15.7Mlinked identifiersNPIs, CCNs, LEIs and more, resolved to entities
5Mgraph edgesSource-attested relationships between entities
44federal source familiesDistinct CMS, OIG, HRSA, FDA and peer datasets
35dataset pagesCitable, downloadable /data catalog pages
70reproducible studiesEach shipping the SQL behind its figures

Built on the authoritative federal record

The primary sources, named on every page.

These are the federal agencies whose public datasets Fonteum ingests and attributes — the issuing authorities, not customers or partners. Every figure on the site links back to one of them.

  • CMS
  • HHS-OIG
  • HRSA
  • FDA
  • NLM
  • NUCC
  • Census
  • BLS
  • BEA

See the full source registry, with license and refresh cadence for each →

Reproducible by design

Every figure traces to its federal source.

14-tuple provenance

Every rendered fact ties to a source URL, dataset ID, snapshot date, row key, and SHA-256 — the full chain-of-custody record.

Reproducible SQL

Each study ships the exact query behind its figures, run against the cited federal snapshot. Re-run it yourself.

Daily count checks

Published counts are checked against the upstream federal datasets on a daily cadence, with drift logged.

Named medical review

Reviewed by Jennifer Montecillo, MD, medical reviewer. Non-practicing medical reviewer.

Read the full provenance and attestation methodology →

Two doors

Use the free API and open data

Query providers, facilities, sanctions, and quality scores — each field carrying its federal source. Self-serve, no call to start.

Explore the API →Browse the data catalog →

Talk to us

Managed pilots, enterprise terms, and audit-ready, signed attestation packages for compliance, risk, and research teams.

Talk to us →
Fonteum
Platform
Platform overviewAPIMCP serverFHIR R4 APIBulk exportAttestation & audit packReconciliationGrounded answersEntity graphSnapshots
Solutions
All solutionsExclusion & sanctions screeningCredentialing & enrichmentAudit evidenceProvider data for AI / RAGM&A & network diligenceCompliance & riskJournalists & newsroomsDevelopers & AI teams
Data & sources
Coverage & sourcesBrowse all datasetsState Medicaid exclusionsFreshnessMethodologyCare CompareSanctions screeningOIG LEIE listOwnershipStaffingDeficienciesSpecial Focus Facilities
Federal contracting
OverviewAwards during active exclusionFederal debarment scorecardProcurement questionsContractor lookup8(a) certification guide
Developers
Developer hubDocsAPI referenceQuickstartStatusChangelogSDKs & integrationsWebhooks
Research & guides
Research hubGuidesHealthcare provider dataExclusion & sanctions screeningProvider credentialing dataHealthcare data for AIHospital margin gapProvider access gapsGlossaryComparisonsGrounded data vs LLM answersCitationsManifestoWhy Fonteum
Company
AboutPressCustomersPricingContactEditorial policyCorrections
Trust & legal
TrustTrust markQualitySecurityPrivacy policyTerms of serviceAPI & MCP termsMedical disclaimer

Reviewed by Jennifer Montecillo, MD, medical reviewer. Non-practicing medical reviewer.

© 2026 Fonteum LLC. All rights reserved.

·hello@fonteum.com

The U.S. healthcare graph AI can cite — every fact carries its source.

Every fact Fonteum serves carries a signed, re-checkable trust mark — source, as-of date, and an Ed25519 signature travel with the data. Re-check any fact at fonteum.com/verify · the trust-mark standard (W3C Verifiable Credentials 2.0, C2PA-aligned).
Request access→