Decoding Protected Health Information (PHI) Under HIPAA: A Comprehensive Guide
Protected Health Information sits at the heart of the HIPAA Privacy Rule. If you handle patient data in any capacity, you need a precise understanding of what qualifies as PHI, who the law covers, and how to safeguard it without slowing care.
This comprehensive guide explains the definition of PHI, how the Privacy Rule operates, what counts as individually identifiable health information, and the HIPAA compliance steps you can take to protect data and reduce regulatory risk.
Definition of Protected Health Information
What PHI means under HIPAA
Protected Health Information is individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate, in any form (paper, oral, or electronic). It relates to a person’s past, present, or future physical or mental health or condition, the provision of healthcare, or payment for care, and it either directly identifies the person or could reasonably be used to identify them.
When similar data is not PHI
- Data that has been properly de-identified so individuals cannot be identified is not PHI.
- Employment records held by a covered entity in its role as employer are not PHI.
- Student education records protected by FERPA are not PHI.
- Consumer health data collected by apps or devices that are not acting on behalf of a covered entity or business associate typically falls outside HIPAA, though other laws may apply.
HIPAA Privacy Rule Overview
Purpose and scope
The HIPAA Privacy Rule sets national standards for how covered entities and their business associates use and disclose PHI. It balances patient privacy with the flow of information needed to deliver care, ensure payment, and manage healthcare operations.
Key individual rights
- Access: You must provide individuals with access to inspect or obtain copies of their PHI.
- Amendment: Individuals can request corrections to their records.
- Accounting of disclosures: People can see certain non-routine disclosures of their PHI.
- Restrictions and confidential communications: Patients may request limits or alternate contact methods.
- Notice of Privacy Practices: You must explain how PHI is used and shared.
Permitted uses and disclosures
Without authorization, PHI may be used or disclosed for treatment, payment, and healthcare operations (TPO). Outside TPO, uses require patient authorization unless a specific Privacy Rule permission or requirement applies. The “minimum necessary” standard limits non-treatment uses to the least PHI needed to accomplish the purpose.
Types of Information Classified as PHI
Common clinical and administrative data
PHI spans clinical notes, diagnoses, lab results, images, billing details, and insurance information, as well as electronic PHI (ePHI) stored in EHRs, portals, and cloud tools.
The 18 identifiers
Information is PHI when it includes any of these identifiers together with health-related details:
- Names
- Geographic subdivisions smaller than a state
- All elements of dates (except year) related to an individual, including birth, admission, discharge, death, and ages over 89
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voice prints, etc.)
- Full-face photos and comparable images
- Any other unique identifying number, characteristic, or code
De-identification pathways
Data is no longer PHI if it is de-identified via safe harbor (removing all 18 identifiers) or expert determination (a qualified expert determines re-identification risk is very small and documents methods and results).
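As an added illustration (this code is not from the original guide), the following Python applies the safe-harbor pathway to a constructed structured record: it drops direct identifiers and sub-state geography, reduces dates to the year element, collapses ages over 89 into one category, and scrubs identifiers that leak into free-text notes. The field names and the sample record are assumptions made for the example.

```python
import re
from datetime import date
# Constructed sample record for this example (not real patient data); the
# field names are assumptions, not a standard schema.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "mrn": "MRN-000123", "dob": "1931-04-17",
    "admission_date": "2023-11-02", "zip": "02139", "state": "MA",
    "phone": "617-555-0100", "email": "jane@example.org", "ip": "203.0.113.7",
    "diagnosis": "Type 2 diabetes mellitus",
    "note": "Follow-up call to 617-555-0100; records faxed to 617-555-0199.",
}
# Fields holding direct identifiers from the 18-item list are dropped outright;
# ZIP goes too because it is a geographic subdivision smaller than a state.
DIRECT_IDENTIFIER_FIELDS = {"name", "mrn", "ssn", "phone", "fax", "email",
                            "ip", "url", "zip", "account", "device_id"}
# Date fields keep only the year element.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}
# Identifiers that commonly leak into narrative text (phone/fax, email, IPv4, ISO date).
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),
    re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
]

def safe_harbor(record, as_of=date(2024, 1, 1)):
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key in DATE_FIELDS:
            out[key + "_year"] = value[:4]
            continue
        out[key] = value
    if "dob" in record:
        born = date.fromisoformat(record["dob"])
        age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
        if age > 89:
            # Over 89: collapse to one category and drop the birth year, which would reveal it.
            out["age"] = "90+"
            out.pop("dob_year", None)
        else:
            out["age"] = age
    # Scrub identifiers embedded in free-text fields such as clinical notes.
    for key, value in list(out.items()):
        if isinstance(value, str):
            for pattern in FREE_TEXT_PATTERNS:
                value = pattern.sub("[REDACTED]", value)
            out[key] = value
    return out
```

The regex pass only catches well-formed patterns, so free-text fields still need review before a data set is treated as de-identified.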
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Covered Entities and Business Associates
Covered entities
- Healthcare providers who transmit standard transactions electronically (e.g., claims, eligibility checks)
- Health plans (insurers, HMOs, employer-sponsored group health plans)
- Healthcare clearinghouses that process nonstandard health information into standard formats
If you are a covered entity, you are directly responsible for HIPAA Privacy and Security Rules, including issuing a Notice of Privacy Practices and honoring patient rights.
Business associates
A business associate is any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity (or another business associate). Examples include EHR vendors, billing services, cloud providers, consultants, law firms, and third-party administrators.
You must execute a Business Associate Agreement (BAA) that sets permitted uses, safeguards, breach reporting duties, and subcontractor requirements. Subcontractors that handle PHI are also business associates and must meet the same obligations.
Special structures
- Hybrid entities can designate healthcare components subject to HIPAA.
- Organized Health Care Arrangements (OHCAs) allow participants to share PHI for joint operations while maintaining compliance.
Safeguards for PHI Protection
Administrative safeguards
- Enterprise risk analysis and ongoing risk management
- Policies and procedures covering access, minimum necessary, and sanctions
- Workforce training, awareness, and role-based access control
- Vendor due diligence and BAAs for every business associate
- Contingency planning: backups, disaster recovery, and emergency operations
- Incident response, breach investigation, and documentation
Physical safeguards
- Facility access controls and visitor management
- Workstation security and privacy screens
- Device and media controls, secure storage, and verified disposal (shredding, wiping)
- Environmental protections for on-premises servers and networking gear
Technical safeguards
- Unique user IDs, strong authentication, and multi-factor authentication
- Automatic logoff and session timeouts
- Encryption in transit and at rest for ePHI
- Audit controls with centralized logging and monitoring
- Integrity controls and change management
- Transmission security for email, APIs, and interfaces
Practical security enhancers
- Data minimization and segmentation to reduce exposure
- Data loss prevention (DLP) and endpoint protection
- Regular patching, vulnerability scanning, and penetration testing
- Secure messaging and approved collaboration tools for PHI
Limitations and Exceptions Under HIPAA
Permitted disclosures without authorization
- Required by law, including reporting certain injuries or diseases
- Public health activities and health oversight
- Judicial and administrative proceedings, and certain law enforcement purposes
- To avert a serious threat to health or safety
- Organ, eye, and tissue donation and transplantation
- Workers’ compensation programs as authorized by law
- Facility directories and involvement in care when the patient has the opportunity to agree or object
When PHI rules don’t apply
- De-identified data and limited data sets (with a Data Use Agreement)
- Employment records held by a covered entity in its role as employer
- FERPA-protected education records
- Information collected by non-covered apps or consumer services not acting for a covered entity or business associate
- PHI of individuals deceased for more than 50 years
Minimum necessary and incidental disclosures
Outside treatment, you must limit uses and disclosures to the minimum necessary. Incidental disclosures are permitted if you implement reasonable safeguards and they occur as a byproduct of an otherwise permitted use.
Interaction with state law
HIPAA generally preempts conflicting state laws, but more stringent state privacy or confidentiality rules (for example, certain mental health, substance use, or genetic information protections) take precedence. You should map these requirements into your compliance program.
Compliance and Enforcement Measures
Building a HIPAA compliance program
- Governance: appoint a privacy officer and a security officer
- Documented policies, procedures, and training with attestations
- Risk analysis, remediation plans, and periodic evaluations
- Business associate management: inventories, BAAs, and monitoring
- Access reviews, audit logging, and continuous monitoring
- Documentation retention for at least six years
Breach Notification Rule essentials
- Assess breaches using a four-factor risk assessment (nature of PHI, unauthorized person, whether PHI was actually acquired/viewed, and mitigation)
- Notify affected individuals without unreasonable delay and no later than 60 days after discovery
- Notify HHS and, for incidents affecting 500 or more individuals in a state or jurisdiction, prominent media outlets
- Maintain a breach log for incidents under 500 and report them annually to HHS
Enforcement and penalties
The HHS Office for Civil Rights enforces HIPAA through investigations, audits, and resolution agreements that may include corrective action plans and civil monetary penalties. Penalties are tiered based on culpability and can reach significant amounts, with annual caps adjusted for inflation. The Department of Justice may pursue criminal penalties for knowingly obtaining or disclosing PHI in violation of HIPAA.
Recognized security practices and continuous improvement
Adopting recognized security practices—such as NIST-based controls or the 405(d) Health Industry Cybersecurity Practices—can reduce enforcement risk and strengthen resilience. Measure progress with repeatable assessments, track remediation to closure, and test incident response at least annually.
Conclusion
By understanding what counts as PHI, who HIPAA covers, where exceptions apply, and which safeguards matter most, you can protect patient privacy while keeping care efficient. Treat HIPAA compliance as an ongoing program, not a one-time project, and align policies, technology, and training to the HIPAA Privacy Rule’s intent.
FAQs
What information is considered PHI under HIPAA?
PHI is individually identifiable health information related to a person’s health, care, or payment that is created, received, maintained, or transmitted by a covered entity or business associate. It includes clinical data and any of the 18 identifiers (such as names, detailed dates, contact numbers, MRNs, full-face photos, device IDs, IP addresses) when linked to health information.
How does HIPAA protect patient privacy?
The HIPAA Privacy Rule limits how covered entities and business associates use and disclose PHI, grants individuals rights (access, amendment, accounting, restrictions), and requires the minimum necessary standard. The Security Rule adds administrative, physical, and technical safeguards for ePHI, and the Breach Notification Rule mandates timely notice after certain incidents.
Who is considered a covered entity under HIPAA?
Covered entities include healthcare providers that conduct standard electronic transactions, health plans, and healthcare clearinghouses. Vendors and service providers that handle PHI for them are business associates and must sign Business Associate Agreements and implement appropriate PHI safeguards.
What are the exceptions to PHI under HIPAA?
Exceptions include properly de-identified data, limited data sets under a Data Use Agreement, employment records held by a covered entity as employer, FERPA-covered education records, and PHI of individuals deceased for more than 50 years. The Privacy Rule also permits certain disclosures without authorization, such as for public health, health oversight, and when required by law.