Definition of Protected Health Information (PHI) Under HIPAA: What Counts and What Doesn’t
Overview of Protected Health Information
Protected Health Information (PHI) is individually identifiable health information created, received, maintained, or transmitted by a covered entity or its business associate. It relates to a person’s past, present, or future physical or mental health, the provision of care, or payment for care, and it can identify the person or reasonably be used to identify them. PHI exists in any medium—paper, oral, or electronic (ePHI).
Covered entities include health plans, most health care providers, and health care clearinghouses. Business associates are vendors or partners that handle PHI on behalf of a covered entity. If identifiable health information is handled by either, the HIPAA Privacy Rule applies. This foundation is central to healthcare data privacy and PHI compliance.
In short: if the information ties health-related details to a person—and a covered entity or business associate holds it—it is PHI. If information is fully de-identified under HIPAA’s standards, it is not PHI.
HIPAA Privacy Rule Identifiers
HIPAA offers two de-identification pathways: the Safe Harbor method and Expert Determination. Safe Harbor requires removing specific identifiers, commonly called the “18 HIPAA Identifiers.” Expert Determination requires a qualified expert to assess and document that the risk of re-identification is very small. Both approaches aim to strip identifiable health information of linkages to a person.
The 18 HIPAA Identifiers (Safe Harbor)
- Names
- All geographic subdivisions smaller than a state (e.g., street address, city, county, ZIP code with limited exceptions)
- All elements of dates (except year) related to an individual (e.g., birth, admission, discharge, death) and ages over 89
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (e.g., finger or voice prints)
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code (except a permitted re-identification code)
Expert Determination
Under Expert Determination, a qualified expert uses accepted statistical or scientific methods to conclude the re-identification risk is very small. The expert documents methods and results. This route can preserve more data utility than Safe Harbor while still meeting healthcare data privacy goals.
Limited Data Sets
A Limited Data Set removes direct identifiers but may retain certain dates, city/state/ZIP, and other elements. It is still PHI and may be used or disclosed only for research, public health, or health care operations under a Data Use Agreement that limits re-identification and restricts recipients’ actions.
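The following is an added example (not code from the article or from Accountable) that applies the Safe Harbor rules listed above to one structured record and, for contrast, produces a Limited Data Set from the same record. Field names, the sample record and the restricted ZIP-prefix set are assumptions for illustration; the real prefix set must come from current Census data.

```python
import re
from datetime import date

DIRECT_IDENTIFIERS = {"name", "street", "mrn", "ssn", "email", "phone", "fax",
                      "account", "plan_id", "device_serial", "ip", "url"}
SMALL_GEO = {"city", "county"}   # subdivisions smaller than a state: dropped by Safe Harbor
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}   # ISO yyyy-mm-dd
# Constructed placeholder: 3-digit ZIP prefixes with 20,000 or fewer residents become "000".
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203"}

def generalize_zip(zip_code: str) -> str:
    """Keep only the first three digits, or "000" for a restricted prefix."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(prefix) < 3 or prefix in RESTRICTED_ZIP3 else prefix

def age_on(dob: str, as_of: str) -> int:
    """Completed years between two ISO dates."""
    d, a = date.fromisoformat(dob), date.fromisoformat(as_of)
    return a.year - d.year - ((a.month, a.day) < (d.month, d.day))

def safe_harbor(record: dict, as_of: str) -> dict:
    """Return a Safe Harbor de-identified copy of `record` (ages taken as of `as_of`)."""
    over_89 = "dob" in record and age_on(record["dob"], as_of) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SMALL_GEO:
            continue                        # removed outright
        if key in DATE_FIELDS:
            if key == "dob" and over_89:
                continue                    # a birth year alone would reveal age > 89
            out[key] = value[:4]            # every date element except the year goes
        elif key == "zip":
            out[key] = generalize_zip(value)
        else:
            out[key] = value                # clinical content (diagnoses, results) stays
    if over_89:
        out["age_category"] = "90 or older" # the single aggregate category Safe Harbor allows
    return out

def limited_data_set(record: dict) -> dict:
    """Drop direct identifiers but keep dates and city/state/ZIP; the result is still PHI."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

# Constructed sample record, shaped like a provider's export.
SAMPLE = {"name": "Jane Doe", "mrn": "MRN-00012345", "dob": "1931-05-14",
          "admit_date": "2024-03-02", "city": "Hanover", "state": "NH",
          "zip": "03755", "email": "jane@example.com", "diagnosis": "E11.9"}
```

Free-text fields (notes, transcriptions) are not handled here; they need a separate scrubbing pass for names, dates and contact details before a record can be called de-identified.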
Exclusions from PHI
- De-identified information: Data rendered de-identified via Safe Harbor or Expert Determination is not PHI.
- FERPA Exclusion: Education records covered by FERPA—and eligible treatment records in postsecondary institutions—are not PHI under HIPAA.
- Employment records: Information a covered entity holds in its role as an employer is not PHI (even if health-related).
- Information held by non-covered entities: If a company is neither a covered entity nor a business associate, HIPAA generally does not apply, though other laws may.
- Decedents’ information after 50 years: Individually identifiable health information is no longer PHI 50 years after a person’s death.
Forms and Formats of PHI
PHI spans formats: charts and EHR extracts, claims and billing data, lab and imaging results, care plans, prescriptions, referral notes, and call recordings. It also includes photographs, videos, voicemails, and transcriptions if they can identify a person in connection with health information.
Digital traces often qualify as PHI when tied to care or payment, such as patient portal IP addresses, device IDs used to access telehealth, or appointment confirmation emails that link identity and treatment intent. Metadata attached to files (e.g., author, timestamps) can also expose identifiers.
Practical examples
- PHI: A lab result linked to a name or medical record number.
- PHI: An insurance claim with diagnosis codes and a health plan ID.
- Not PHI: Aggregate statistics with all 18 HIPAA identifiers removed.
- Becomes PHI: A symptom survey response once it includes contact details and is stored by a provider.
Compliance Requirements for PHI
PHI compliance requires a lawful basis for uses and disclosures. Common permitted purposes are treatment, payment, and health care operations. Other disclosures require patient authorization unless a specific Privacy Rule permission applies (e.g., certain public health activities). Apply the “minimum necessary” standard to limit access and sharing.
Provide a Notice of Privacy Practices; honor individual rights to access, obtain copies, request amendments, request restrictions, and receive confidential communications. Maintain records of disclosures when required, and evaluate whether more protective state privacy laws apply in addition to HIPAA’s baseline (HIPAA does not preempt stricter state law).
Business associates and governance
Execute Business Associate Agreements before sharing PHI with vendors. Establish policies, workforce training, sanction procedures, and regular risk analyses. Keep role-based access controls and audit logs. These governance steps operationalize HIPAA Privacy Rule obligations alongside HIPAA Security Standards for ePHI.
Breach notification
If an impermissible use or disclosure occurs and risk assessment indicates compromise, notify affected individuals without unreasonable delay (and within set HIPAA timelines). Notify regulators and, when applicable, the media based on breach size. Document investigations, mitigation, and corrective actions.
Handling and Safeguarding PHI
Safeguards fall into administrative, physical, and technical categories under the HIPAA Security Standards. Your goal is to reduce risk to a reasonable and appropriate level while supporting clinical workflow.
Administrative safeguards
- Conduct a risk analysis; update it as systems or threats change.
- Adopt role-based access, minimum necessary rules, and sanction policies.
- Implement vendor management, BAAs, and due diligence for cloud services.
- Train staff on secure communications, phishing risks, and incident response.
Physical safeguards
- Control facility access; secure workstations and servers.
- Use screen privacy filters in clinical areas and waiting rooms.
- Apply device and media controls: encryption, inventory, and secure disposal.
Technical safeguards
- Enforce unique user IDs, multi-factor authentication, and automatic logoff.
- Encrypt ePHI at rest and in transit; segment networks and apply least privilege.
- Maintain audit logs, integrity controls, and real-time monitoring for anomalies.
- Use secure messaging for patient communications; avoid unencrypted attachments unless patient-directed with informed preference.
Operational tips
- De-identify data or use a Limited Data Set when full identifiers aren’t needed.
- Validate recipient identity before sharing; double-check addresses and fax numbers.
- Apply data loss prevention and approve standardized templates for disclosures.
- Document disposal: wipe, shred, or destroy media per policy.
Impact of PHI on Healthcare Practices
PHI stewardship shapes clinical operations, analytics, and trust. Strong privacy controls enhance patient confidence and participation, enabling accurate histories and better outcomes. Conversely, over-collection or careless sharing introduces risk, slows care coordination, and erodes credibility.
Operationally, clear PHI handling rules streamline referrals, telehealth, and population health programs. De-identification and Limited Data Sets allow research and quality improvement while honoring privacy. Transparent notices and consistent access workflows reduce friction and meet right-of-access expectations.
Conclusion
Understanding what counts as PHI—and what doesn’t—anchors HIPAA Privacy Rule compliance. Identify the data, apply the 18 HIPAA identifiers framework, use the minimum necessary, and align safeguards to risk. These practices protect individuals, support care delivery, and strengthen healthcare data privacy.
FAQs
What information qualifies as PHI under HIPAA?
PHI is individually identifiable health information held or transmitted by a covered entity or business associate that relates to a person’s health, care, or payment. If health details can be linked to an individual—directly or indirectly—it is PHI. De-identified data that meets HIPAA standards is not PHI.
How does HIPAA define identifiable health information?
Identifiable health information is data about health, care, or payment that identifies a person or can reasonably be used to identify them. The HIPAA Privacy Rule lists specific identifiers—such as names, addresses, dates, and device or account numbers—that, when present with health data, make the information PHI unless properly de-identified.
Are educational health records covered by HIPAA?
Generally no. Under the FERPA Exclusion, education records (and applicable student treatment records) are governed by FERPA, not HIPAA. However, when a school clinic treats non-students or operates outside FERPA-covered records, HIPAA may apply to those particular encounters.
What are the consequences of mishandling PHI?
Mishandling PHI can trigger breach notification duties, corrective actions, and significant civil monetary penalties. In egregious cases, criminal penalties may apply. Organizations may also face contractual liability, reputational harm, and operational disruption due to remediation and monitoring obligations.