Are Medical Records Considered PHI? Yes—What HIPAA Protects (and What Doesn’t)



Kevin Henry

HIPAA

April 01, 2024

7 minutes read

Definition of Protected Health Information

Under the HIPAA Privacy Rule, Protected Health Information (PHI) is Individually Identifiable Health Information that relates to a person’s past, present, or future physical or mental health, the provision of care, or payment for care, and that either directly identifies the person or could reasonably be used to identify them. PHI must be created or received by a covered entity or its business associate.

Identifiers that typically make health information “individually identifiable” include, among others:

  • Names; geographic subdivisions smaller than a state (street address, city, county, precinct, and ZIP code), except that the first three digits of a ZIP code may be kept when the area sharing that prefix contains more than 20,000 people.
  • All elements of dates (except year) directly related to an individual, such as birth, admission, discharge, and death dates; ages over 89 and any date elements (including year) that reveal such an age must be aggregated into a single "90 or older" category.
  • Phone numbers, email addresses, full-face photos and comparable images.
  • Social Security, medical record, health plan, and account numbers.
  • Certificate/license numbers; vehicle and device identifiers.
  • Web URLs, IP addresses, biometric identifiers.
  • Any other unique code, number, or characteristic that could identify a person.

If information contains any of these identifiers and meets the health-related criteria above, it is PHI.

Components of Medical Records as PHI

Medical records are a central source of PHI because they consolidate clinical, administrative, and financial data about you. When maintained by a covered entity or business associate, the following components are PHI:

Clinical content

  • Problem lists, diagnoses, treatment plans, progress notes, and discharge summaries. Psychotherapy notes are PHI too, but HIPAA requires them to be kept separate from the rest of the record and gives them stronger protection.
  • Lab results, imaging, pathology reports, vital signs, immunizations, and medication histories.
  • Care coordination notes, referrals, consult letters, and patient-reported outcomes.

Administrative and financial content

  • Scheduling, admission, and discharge details; encounter and claim numbers.
  • Billing statements, explanation of benefits, prior authorizations, and payment histories.
  • Insurance member IDs and plan information.

Metadata and identifiers

  • Medical record numbers, device serial numbers tied to the patient, portal messages, and audit logs that can reasonably identify you.
  • Data imported from wearables or apps when incorporated into the chart or otherwise maintained by a covered entity.

De-identified Data vs PHI

De-identified data is not PHI because it no longer contains identifiers that could reasonably identify you. HIPAA recognizes two De-identification Standards:

  • Safe Harbor: remove 18 specified identifiers and have no actual knowledge that the data could identify an individual.
  • Expert Determination: a qualified expert applies statistical methods to conclude the risk of re-identification is very small, documenting the methods and results.

A Limited Data Set (for research, public health, or health care operations) excludes direct identifiers but may still contain elements like city, state, ZIP, dates, and unique codes; it remains PHI and requires a data use agreement. Pseudonymized or coded data is only de-identified if the re-identification code is not derived from information about the individual (a hash of the medical record number or SSN does not qualify) and the re-identification mechanism is not disclosed; coded data that fails that test, or that is shared together with its key, remains PHI. If de-identified data is later linked back to an individual, it becomes PHI again.
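The Safe Harbor method is mechanical enough to implement, and the edge cases in the rule (three-digit ZIP prefixes with small populations, dates that reveal an age over 89, identifiers hiding in free text) are where hand-built "anonymization" usually goes wrong. The following is an added example written for this article, not code from the author or any product; the field names, the sample record, and the regex patterns are assumptions constructed for illustration, and the restricted ZIP prefix list is the one published in HHS Safe Harbor guidance from 2000 Census data, which must be re-checked against current guidance before use.

```python
"""Safe Harbor de-identification of one dict-shaped patient record.

Added example, not from the article. Applies the Safe Harbor rules:
  * drop direct identifier fields outright,
  * reduce dates to the year; collapse ages over 89 (or a birth year that
    implies such an age) into a single "90+" category,
  * keep only the first three ZIP digits, or "000" for restricted prefixes,
  * scrub SSN, e-mail and phone patterns out of free-text fields.
Field names and the sample record are constructed for the example.
"""
from __future__ import annotations

import re
from datetime import date

# Direct identifiers Safe Harbor requires removing (field names are assumed).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo", "other_code",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
ZIP_FIELDS = {"zip"}
FREE_TEXT_FIELDS = {"note"}

# Three-digit ZIP prefixes with 20,000 or fewer residents per HHS Safe Harbor
# guidance (2000 Census). Verify against current guidance before relying on it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Patterns for identifiers that leak into narrative text (constructed, not exhaustive).
_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
_PHONE = re.compile(r"\b(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")

REFERENCE_DATE = date(2024, 4, 1)  # "today" for age calculations in the sample


def generalize_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits unless that prefix is restricted."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_date(value: str) -> str:
    """Reduce an ISO-8601 date to its year, the only element Safe Harbor keeps."""
    return str(date.fromisoformat(value).year)


def generalize_birth_date(value: str, reference: date) -> str:
    """Year only, or "90+" when the year itself would reveal an age over 89.

    Computed from years alone, which errs toward aggregation for people who
    have not yet had their birthday this year; that is the safe direction.
    """
    birth_year = date.fromisoformat(value).year
    return "90+" if reference.year - birth_year > 89 else str(birth_year)


def scrub_text(text: str) -> str:
    """Replace SSN, e-mail and phone patterns with placeholders (SSN first so
    the looser phone pattern cannot consume part of an SSN)."""
    for pattern, tag in ((_SSN, "[SSN]"), (_EMAIL, "[EMAIL]"), (_PHONE, "[PHONE]")):
        text = pattern.sub(tag, text)
    return text


def safe_harbor(record: dict, reference: date) -> dict:
    """Return a new record with the Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or value is None:
            continue  # direct identifiers are dropped, not masked
        if key == "dob":
            out[key] = generalize_birth_date(value, reference)
        elif key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif key in ZIP_FIELDS:
            out[key] = generalize_zip(value)
        elif key == "age":
            out[key] = "90+" if int(value) > 89 else int(value)
        elif key in FREE_TEXT_FIELDS:
            out[key] = scrub_text(value)
        else:
            out[key] = value  # clinical content (diagnosis codes, state) is kept
    return out


SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Q. Sample",
    "mrn": "MRN-00017",
    "dob": "1931-03-14",
    "admit_date": "2023-11-02",
    "zip": "03601",
    "state": "NH",
    "diagnosis": "I10",
    "note": "Call 603-555-0142 or jane@example.org; SSN 123-45-6789 on file.",
}


def deidentify_sample() -> dict:
    return safe_harbor(SAMPLE_RECORD, REFERENCE_DATE)


if __name__ == "__main__":
    print(deidentify_sample())
```

Two things the example makes visible that the rule text does not: a birth year is itself a date element, so a 1931 birth year must collapse to "90+" rather than survive as a year, and a ZIP such as 03601 cannot keep its 036 prefix because the area is too sparsely populated. Free-text scrubbing with regexes is a backstop, not a guarantee; Safe Harbor also requires no actual knowledge that the remaining data could identify someone, and clinical narrative can carry identifiers no pattern catches.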

Exceptions to PHI Coverage

Not all health-related information is PHI under HIPAA. Common exceptions include:

  • Employment records held by an employer (even a healthcare employer) in its role as employer, such as FMLA paperwork or fitness-for-duty forms.
  • Education records and treatment records covered by FERPA.
  • Health data created or held by entities that are not covered entities or business associates (for example, many consumer health apps, life insurers, or wellness programs unaffiliated with your provider or health plan), though other laws may apply.
  • De-identified datasets and aggregate statistics that cannot reasonably identify a person.
  • Research records that never include PHI or are fully de-identified before a covered entity receives them.
  • Information about individuals deceased for 50 years or more.

Note: Some disclosures of PHI are permitted or required (for treatment, payment, healthcare operations, certain public health and law enforcement purposes), but those are uses of PHI—not exclusions from PHI coverage.


Role of Covered Entities and Business Associates

Covered entities include healthcare providers that conduct certain electronic transactions, health plans, and healthcare clearinghouses. Business associates are vendors or partners that create, receive, maintain, or transmit PHI on a covered entity's behalf. Covered entities must comply with the full HIPAA Privacy Rule and Security Rule; business associates are directly liable for Security Rule compliance and for the Privacy Rule provisions that apply to them, and are contractually bound to the rest through their Business Associate Agreements.

Key responsibilities include:

  • Applying the minimum necessary standard and role-based access controls.
  • Implementing administrative, physical, and technical safeguards, plus ongoing risk analysis and workforce training.
  • Supporting patient rights: access, amendments, restrictions, confidential communications, and an accounting of disclosures.
  • Executing Business Associate Agreements that define permitted uses/disclosures, required safeguards, breach reporting, subcontractor flow-downs, and termination provisions.

Business associates may use PHI only as allowed by the agreement and HIPAA; impermissible uses can trigger breach notification and penalties.

Behavioral Health and Substance Abuse Data

Behavioral health privacy receives heightened attention because of the sensitivity of mental health and substance use information. HIPAA gives special protection to psychotherapy notes, which must be kept separate from the rest of the record: unlike ordinary PHI, they require patient authorization for most uses and disclosures, including many that would otherwise be permitted for payment or health care operations. The main exceptions are use by the originator for treatment, supervised training of mental health professionals, defense in a legal action brought by the patient, and a few oversight and legally required disclosures.

Substance use disorder treatment records from federally assisted programs are subject to additional federal confidentiality rules (42 CFR Part 2) that impose stricter consent and redisclosure limitations than HIPAA in many scenarios. Many states also restrict disclosures of mental health, HIV, reproductive health, and genetic information, often requiring granular consent and data segmentation practices that limit access to only those who need it.

Influence of State Laws on PHI

HIPAA sets a national baseline for privacy, but state health information laws can be more protective. HIPAA preempts contrary state law unless the state law is "more stringent," in which case the state law prevails; in practice, covered entities and business associates must satisfy both HIPAA and the applicable state requirements.

Common state enhancements include tighter rules for sharing behavioral health or HIV data, shorter breach notification timelines, expanded patient access rights, and broader definitions of covered organizations (including certain consumer health services). If you operate in multiple states, you should map obligations jurisdiction by jurisdiction and default to the stricter rule where conflicts arise.

Conclusion

Are medical records considered PHI? Yes—when they contain Individually Identifiable Health Information created or held by a covered entity or business associate. De-identification removes data from HIPAA’s scope; exceptions are narrow and context-dependent. Robust compliance, strong Business Associate Agreements, attention to behavioral health privacy, and awareness of state-specific requirements together form an effective HIPAA compliance program.

FAQs

What information qualifies as PHI in medical records?

Any health information about your condition, care, or payment that can identify you—directly or indirectly—qualifies as PHI when held by a covered entity or its business associate. That includes clinical notes, lab results, images, billing details, and identifiers like names, contact information, medical record numbers, insurance IDs, and other unique codes tied to you.

How does HIPAA define de-identified health data?

De-identified data is information that no longer identifies you and cannot reasonably be used to do so. HIPAA permits two methods: Safe Harbor (removal of 18 identifiers with no actual knowledge of re-identification risk) and Expert Determination (a qualified expert documents a very small risk of re-identification). De-identified data is not PHI; a Limited Data Set remains PHI.

Are employment health records considered PHI?

Employment records held by an employer in its role as employer are not PHI under HIPAA—even if the employer is a healthcare provider. Examples include pre-employment physicals kept in HR files, FMLA certifications, and workers’ compensation fitness-for-duty forms. Other privacy laws may still apply.

What roles do business associates play in PHI protection?

Business associates handle PHI for covered entities: think billing vendors, cloud hosts, analytics firms, or telehealth platforms. They are directly responsible for complying with the HIPAA Security Rule and the Privacy Rule provisions that apply to them, and their Business Associate Agreements bind them to implement safeguards, limit uses and disclosures to what the agreement permits, report breaches and security incidents to the covered entity, and flow the same obligations down to subcontractors.
