Protected health information value estimator (PHIve)

The Protected Health Information Value Estimator (PHIve) applies a practical methodology for protected health information (PHI) protectors to calculate the potential (or actual) cost of a data breach to their organization.

The purpose of this tool is to help PHI protectors understand the financial impact of a PHI breach so they can evaluate and recommend the appropriate investments necessary to mitigate the risk of a data breach. This helps reduce potential financial exposure while strengthening the organizations reputation as a protector of the PHI entrusted to their care.

This methodology is described in greater detail with examples in the American National Standards Institute (ANSI) publication, The Financial Impact of Breached Protected Health Information. ANSIs publication is available at the ANSI website:

The five steps in PHIve are described below:

  1. Assess Risks
  2. Security Readiness Score
  3. Determine Relevance
  4. Determine Potential Repercussions
    • Reputational Repercussions
      Financial Repercussions
      Legal and Regulatory Repercussions
      Operational Repercussions
      Clinical Repercussions
  5. Total the Impacts

This tool will not make decisions for you, but it will help you organize your thinking as you consider the enterprise risk management implications of a breach of protected health information.

Protected Health Information Image

This tool is available only to affiliates of the University of California.

Additional Resources

This methodology is adapted from The Financial Impact of Breached Protected Health Information by the American National Standards Institute (ANSI), and available for purchase on the PHI project website at