Are Medical Records Considered PHI Under HIPAA? What Counts (and What Doesn’t)
When you ask “Are medical records considered PHI under HIPAA?”, you’re really asking how the HIPAA Privacy Rule defines, protects, and limits the use of health data. The answer is largely yes—but with important boundaries, de-identification options, and regulatory exceptions that shape what you can collect, use, and disclose.
This guide clarifies what counts as Protected Health Information, where medical records fit, what is excluded, how De-Identification Methods work, and how employment and education records intersect with FERPA Compliance. You’ll also see practical implications for Covered Entities and their partners.
Defining Protected Health Information
Protected Health Information (PHI) is a subset of Individually Identifiable Health Information created or received by a Covered Entity or its business associate. It relates to an individual’s past, present, or future physical or mental health or condition, the provision of care, or payment for care, and it identifies the person or could reasonably be used to identify them.
PHI can exist in any form—paper, electronic, or oral. Typical identifiers include names, contact details, full-face photos, medical record or account numbers, device and biometric identifiers, precise geolocation, and date elements other than year that are tied to an individual (for example, birth, admission, and discharge dates).
- Covered Entities include health plans, most health care providers that conduct standard electronic transactions, and health care clearinghouses.
- Business associates create, receive, maintain, or transmit PHI on behalf of Covered Entities (for example, billing, analytics, cloud hosting). They must sign a business associate agreement and are directly liable for the Security Rule and for the Privacy Rule provisions that apply to them.
Identifying Medical Records as PHI
Medical records maintained by a Covered Entity (or a business associate on its behalf) are PHI. That includes clinician notes, histories, diagnoses, test results, imaging, prescriptions, care plans, discharge summaries, and billing and claims records associated with an identifiable person.
Metadata and system logs that can be linked back to a patient—such as audit trails of chart access, portal activity, or device identifiers tied to a specific record—are also PHI. The “designated record set” determines what an individual has a right to access; it does not limit what counts as PHI. For example, psychotherapy notes remain PHI but receive special protection and are excluded from the right of access.
Exclusions from PHI Under HIPAA
Not all health-related information is PHI. These key exclusions shape what HIPAA does not regulate:
- De-identified information that meets HIPAA’s standards (discussed below).
- Employment records held by a Covered Entity in its role as employer (for example, FMLA certifications, drug testing results, or ADA accommodation files).
- Education records and certain student treatment records protected by FERPA.
- Health information about a person who has been deceased for more than 50 years.
Remember: regulatory exceptions in the HIPAA Privacy Rule permit some uses and disclosures of PHI without authorization (for example, public health reporting or certain law-enforcement needs), but those disclosures do not convert PHI into non-PHI.
De-Identified Information Standards
Two De-Identification Methods
HIPAA recognizes two De-Identification Methods that, when properly applied, remove data from PHI status:
- Safe Harbor: remove all 18 specified identifiers (for example, names; geographic subdivisions smaller than a state, except the first three digits of a ZIP code when the area sharing that prefix contains more than 20,000 people; contact numbers; full-face photos; all date elements other than year; ages over 89, which must be aggregated into a 90-or-older category; and unique numbers such as SSN or MRN), and have no actual knowledge that the remaining information could identify the person.
- Expert Determination: a qualified expert applies accepted principles to determine that the risk of re-identification is very small and documents the methods, results, and assumptions.
Limited Data Set versus De-Identified Data
A limited data set removes many direct identifiers but can retain certain elements (for example, dates and some geography). It is still PHI and may be used or disclosed only for research, public health, or health care operations under a data use agreement. Fully de-identified data, by contrast, is not PHI and is outside the HIPAA Privacy Rule.
Re-Identification Controls
If you assign a code so that de-identified records can later be re-identified, the code must not be derived from or related to information about the individual (a hash of a name or MRN fails this test, because anyone with the identifier can recompute it), the re-identification mechanism must not be disclosed to the data recipient, and the key must be held separately under strict access controls with documented governance.
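As an added example (not code from the page or from any vendor product), the following Python applies the Safe Harbor element rules described above to one record and contrasts a compliant re-identification code with a hash of the MRN. The field names, the sample record, and the set of small-population ZIP prefixes are constructed for illustration; a real implementation would derive that ZIP set from current Census data.

```python
"""Safe Harbor de-identification plus a compliant re-identification code.

Added example; not code from the page or any vendor. Field names, the sample
record, and SMALL_POP_ZIP3 are constructed placeholders.
"""
import hashlib
import secrets
from datetime import date

# Constructed placeholder: 3-digit ZIP prefixes assumed to cover 20,000 people
# or fewer. Safe Harbor requires these to be replaced with "000".
SMALL_POP_ZIP3 = {"036", "102", "203", "890"}

# Direct identifiers removed outright (constructed field names mapped onto the
# Safe Harbor elements).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "phone", "fax", "email", "ssn", "mrn",
    "account_number", "license_number", "vehicle_id", "device_serial", "url",
    "ip_address", "biometric", "photo",
}
# Dates directly related to the individual are reduced to year only.
DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}


def safe_harbor_zip(zip_code):
    """Keep the first three digits unless the prefix is a small-population one."""
    prefix = zip_code[:3]
    return "000" if prefix in SMALL_POP_ZIP3 else prefix


def age_on(dob, as_of):
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def deidentify(record, as_of):
    """Apply the Safe Harbor element rules to one patient record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key == "dob":
            age = age_on(value, as_of)
            if age > 89:
                # Ages over 89 are aggregated; the birth year is dropped too,
                # since the year alone would reveal the age.
                out["age"] = "90+"
            else:
                out["age"] = str(age)
                out["birth_year"] = value.year
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = value.year
        else:
            out[key] = value  # clinical content such as diagnosis codes stays
    return out


class ReidentificationVault:
    """Random code -> MRN map, held apart from the de-identified data set.

    The code is not derived from any identifier, and only the holder of this
    map (never the data recipient) can translate it back.
    """

    def __init__(self):
        self._key_map = {}

    def issue_code(self, mrn):
        code = secrets.token_hex(16)  # unrelated to the individual
        self._key_map[code] = mrn
        return code

    def resolve(self, code):
        return self._key_map[code]


def noncompliant_code(mrn):
    """What NOT to do: a hash of the MRN is derived from the identifier, so
    anyone holding a list of MRNs can recompute it and relink the records."""
    return hashlib.sha256(mrn.encode()).hexdigest()


# Constructed sample record (not real patient data).
SAMPLE = {
    "name": "Jane Q. Example", "mrn": "MRN-00012345", "ssn": "123-45-6789",
    "street_address": "1 Example Way", "city": "Boston", "zip": "02134",
    "dob": date(1950, 6, 15),
    "admission_date": date(2023, 3, 2), "discharge_date": date(2023, 3, 9),
    "diagnosis_code": "E11.9",
}

if __name__ == "__main__":
    vault = ReidentificationVault()
    clean = deidentify(SAMPLE, as_of=date(2024, 1, 1))
    clean["reid_code"] = vault.issue_code(SAMPLE["mrn"])
    print(clean)
```

Note that `noncompliant_code` returns the same value every time for the same MRN, which is exactly the property that disqualifies it: the recipient of the data set never needs the key map, only the MRN list. The vault code carries no such relationship, and the key map stays with the Covered Entity.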
Employment and Education Records Exemptions
Employer Health Records
Employer Health Records maintained by an employer in its HR capacity are not PHI under HIPAA, even if the employer also operates a health clinic; the clinic's own treatment records, created in its role as a health care provider, can still be PHI. HR files are typically governed by other laws (for example, the ADA, FMLA, workers’ compensation rules) and internal confidentiality policies. Keep them separate from clinical systems, limit access to need-to-know personnel, and avoid mixing them with medical records.
FERPA Compliance for Student Records
Most health records maintained by K–12 schools or postsecondary institutions about students are education records or FERPA “treatment records,” not PHI. FERPA gives parents and eligible students rights to access and privacy. If a student receives care at an external hospital or a clinic not acting on behalf of the school, those records are typically HIPAA PHI; the same student’s on-campus nurse record may be FERPA-protected instead.
Implications of Non-PHI Health Data
Health data created or held outside HIPAA—such as information in a consumer wellness app without a business associate agreement—is not PHI, but it is not unregulated. The FTC Act, the Health Breach Notification Rule, state consumer privacy laws, and data breach statutes can still apply, along with contractual promises you make in privacy notices.
For practical compliance, you should map data flows, classify systems as HIPAA or non-HIPAA, execute a business associate agreement when vendors handle PHI, and apply consistent privacy and security controls across both categories. Make sure marketing uses of non-PHI health data do not mislead users and are compatible with your notices.
Compliance and Legal Considerations
Effective HIPAA compliance starts with scope. Inventory PHI, pinpoint Covered Entities and business associates, and document Regulatory Exceptions you rely on. Apply the minimum necessary standard, role-based access, workforce training, and routine risk analyses, and maintain audit logs that align with your privacy and security policies.
- Implement BAAs with vendors that create, receive, maintain, or transmit PHI for you, and verify their safeguards.
- Support individual rights: access, amendments, restrictions, confidential communications, and an accounting of disclosures where required.
- Harden systems: encryption, authentication, monitoring, and incident response. An impermissible use or disclosure of unsecured PHI is presumed to be a breach requiring notification unless a documented risk assessment shows a low probability that the PHI was compromised.
- Document De-Identification Methods, data use agreements for limited data sets, and any expert determinations.
- Align overlapping regimes (for example, FERPA Compliance for student records and non-HIPAA consumer data laws) so policies do not conflict.
Key Takeaways
- Medical records held by Covered Entities or their business associates are PHI under the HIPAA Privacy Rule.
- Some information is outside HIPAA: de-identified data, Employer Health Records, and FERPA-protected student records.
- Use Safe Harbor or Expert Determination to de-identify; limited data sets remain PHI and require agreements.
- Non-PHI health data still carries obligations under other laws and your own privacy promises.
FAQs
What types of information qualify as PHI under HIPAA?
PHI is Individually Identifiable Health Information created or received by a Covered Entity or business associate that relates to health status, care, or payment and that identifies the person (or could reasonably do so). Examples include clinical notes, lab results, claim numbers, contact details, precise geolocation tied to care, device IDs linked to a patient, and images that reveal identity.
How is de-identified information treated under HIPAA?
Once properly de-identified via Safe Harbor or Expert Determination, the data is no longer PHI and falls outside the HIPAA Privacy Rule. A limited data set is different: it removes many direct identifiers but remains PHI, can be used for specified purposes, and requires a data use agreement and safeguards.
Are employer-maintained health records protected by HIPAA?
No. Employment records kept by an employer in its HR role are not PHI under HIPAA, even if they contain health information. They are typically governed by other laws and policies, and should be stored separately from clinical systems with strict access controls.
What protections apply to student health records under HIPAA?
Student health records maintained by schools are generally protected by FERPA, not HIPAA. FERPA grants access and privacy rights and governs disclosures. If a student is treated at a provider unaffiliated with the school, those encounter records are typically HIPAA PHI, while the school’s own student records remain under FERPA.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.