
Protected health information (PHI) under U.S. law is any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a Business Associate of a Covered Entity), and can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient's medical record or payment history.

Source: I run Wyndly (YC W21 https://www.wyndly.com), which is most easily understood as a telehealth allergist online.



Sure, that's the definition of PHI but is ESHYFT a HIPAA covered entity? If not then the definition of PHI isn't legally relevant (although they still have an ethical requirement to secure employee data, and might have violated other data protection laws).

https://www.hhs.gov/hipaa/for-professionals/covered-entities...


Yes, but you're missing a massive caveat that is conditional on the definition of "covered entity".

Covered Entity has a narrow meaning. Notably, if you don't accept insurance, it's very unlikely you're a covered entity.



