Exploring the Scope of HIPAA: Types of Protected Health Information
Definition of Protected Health Information
Under HIPAA, Protected Health Information (PHI) is individually identifiable health information that relates to a person’s past, present, or future physical or mental health, the provision of health care, or payment for care—and that either directly identifies the person or could reasonably be used to do so.
PHI exists only when handled by a covered entity (health plans, health care clearinghouses, or providers conducting standard electronic transactions) or their business associates. When business associates create, receive, maintain, or transmit PHI on behalf of a covered entity, the same protections apply.
If the data can identify someone—alone or when combined with other data—it is individually identifiable health information and falls within HIPAA’s scope when held by covered entities or business associates.
Forms of Protected Health Information
PHI can be oral, paper-based, or electronic (ePHI). It includes records, communications, and media maintained or transmitted in any format across clinical, administrative, and financial systems.
Examples include clinical notes, lab results, imaging files, billing statements, claims, appointment schedules, patient portal messages, call recordings, and biometric identifiers when linked to a person. Even metadata in logs and backups can be PHI if it contains identifiers.
Common sources you might handle
- Electronic health records, patient registries, and care management platforms.
- Insurance eligibility, prior authorization, remittance, and payment data.
- Emails, texts, faxes, and voicemails containing patient details.
- Medical device data and wearables data integrated into a covered entity’s systems.
18 Identifiers Constituting PHI
HIPAA’s Safe Harbor method lists 18 identifiers that, when present with health information, make it PHI. Removing them is central to de-identification.
- Names.
- Geographic subdivisions smaller than a state, including street address, city, county, precinct, and ZIP code (the initial three digits of a ZIP code may be used only if the combined area contains more than 20,000 people; otherwise use 000).
- All elements of dates (except year) related to an individual, including birth, admission, discharge, and death; and all ages over 89 (and related date elements), which must be aggregated as 90 or older.
- Telephone numbers.
- Fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate and license numbers.
- Vehicle identifiers and serial numbers, including license plate numbers.
- Device identifiers and serial numbers.
- Web URLs.
- IP address numbers.
- Biometric identifiers, including finger and voice prints.
- Full-face photographic images and any comparable images.
- Any other unique identifying number, characteristic, or code (except permitted re-identification codes).
Exclusions from PHI
Not all health-related data falls under HIPAA. Key PHI exclusions include properly de-identified data, certain education and employment records, and health information not created, received, maintained, or transmitted by a covered entity or business associate in connection with HIPAA-covered functions.
Aggregated statistics that cannot identify a person and information that has lawfully been made public are also outside PHI. Health information of an individual who has been deceased for more than 50 years is not PHI.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
De-Identification of PHI
HIPAA recognizes two de-identification standards. Under Expert Determination, a qualified expert uses accepted statistical or scientific methods to determine and document that the risk of re-identification is very small.
Under Safe Harbor, you must remove the 18 identifiers listed above and ensure you have no actual knowledge that the remaining information could identify the individual. Special rules apply to ZIP codes and age over 89.
De-identified data is no longer PHI and may be used or disclosed without HIPAA authorization. A limited data set, by contrast, may retain certain elements (for example, dates and some geography) but remains PHI and requires a data use agreement.
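The Safe Harbor rules above (the 18 identifiers, the 20,000-person ZIP threshold, year-only dates, and the 90-or-older cap) are mechanical enough to implement as a transform. The following is an added example written for this page; it is not code from the page or from Accountable. The field names, the sample records, and the population counts per three-digit ZIP prefix are all constructed for illustration; a real implementation would take the counts from census data and would still need the separate "no actual knowledge" judgement that no code can make.

```python
import re
from datetime import date

# Constructed sample population counts per 3-digit ZIP prefix (not census data).
ZIP3_POPULATION = {
    "021": 1_200_000,   # populous: the three-digit prefix may be kept
    "036": 18_000,      # 20,000 or fewer people: must be reported as "000"
}
ZIP_POPULATION_THRESHOLD = 20_000
AGE_CAP = 89  # ages over 89 collapse into a single "90+" category

# Assumed field names for this example, grouped by Safe Harbor treatment.
REMOVE_FIELDS = {
    # direct identifiers removed outright
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo",
    # geography smaller than a state (ZIP is generalized separately)
    "street", "city", "county", "precinct",
}
# Date fields are reduced to the year only
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}


def generalize_zip(zip_code: str) -> str:
    """Keep the 3-digit prefix only if its combined area exceeds 20,000 people."""
    digits = re.sub(r"\D", "", zip_code)
    prefix = digits[:3]
    if len(prefix) == 3 and ZIP3_POPULATION.get(prefix, 0) > ZIP_POPULATION_THRESHOLD:
        return prefix
    return "000"


def age_on(birth: date, as_of: date) -> int:
    """Whole years between birth and the reference date."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def deidentify(record: dict, as_of: date) -> dict:
    """Apply the Safe Harbor transform to one flat record."""
    out = {}
    birth = record.get("birth_date")
    over_cap = birth is not None and age_on(birth, as_of) > AGE_CAP
    for field, value in record.items():
        if field in REMOVE_FIELDS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field in DATE_FIELDS:
            if field == "birth_date" and over_cap:
                continue  # even the birth year would reveal an age over 89
            out[field.replace("_date", "_year")] = value.year
        elif field == "age":
            out["age"] = "90+" if value > AGE_CAP else value
        else:
            out[field] = value  # non-identifying clinical data passes through
    if over_cap:
        out["age"] = "90+"  # aggregate into the permitted single category
    return out


# Constructed sample records and reference date.
AS_OF = date(2024, 1, 1)
SAMPLE_RECORD = {
    "name": "Jane Example", "mrn": "MRN-0001", "email": "jane@example.org",
    "street": "1 Main St", "city": "Boston", "zip": "02115",
    "birth_date": date(1950, 6, 15), "admission_date": date(2023, 3, 2),
    "diagnosis_code": "E11.9", "ip_address": "203.0.113.7",
}
SAMPLE_ELDERLY = {
    "name": "John Example", "zip": "03601-1234",
    "birth_date": date(1930, 1, 1), "discharge_date": date(2023, 9, 9),
    "diagnosis_code": "I10",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, AS_OF))
    print(deidentify(SAMPLE_ELDERLY, AS_OF))
```

The output keeps only the generalized ZIP prefix, the year of each date, the capped age, and the clinical code. Note the asymmetry in the age rule: for someone over 89 the birth year itself is dropped, because the year alone would indicate the age, whereas other date fields keep their year.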
Employment and Education Records Exclusions
Employment records maintained by a covered entity in its role as an employer are not PHI. Examples include FMLA paperwork, workplace injury logs, and pre-employment screenings held by the employer. If a health care provider treats an employee, the provider’s treatment records are PHI, but the employer’s copy kept strictly as an employment record is not.
Education records that are FERPA records—maintained by a school or educational agency—are not PHI. School health clinic records may be PHI if the clinic is a covered entity (for example, it bills electronically), while the school’s education records remain under FERPA, not HIPAA.
Health Information Not Considered PHI
Health data you obtain outside a HIPAA context—such as information a consumer enters into a direct-to-consumer wellness app that has no connection to a covered entity or business associate—is generally not PHI. De-identified and aggregated datasets that cannot be tied to a person are also not PHI.
Publicly available health information lawfully released (for example, in news reports) is not PHI. Additionally, after 50 years from an individual’s death, their health information is no longer considered PHI.
In practice, classifying the types of Protected Health Information hinges on who holds the data, why it was collected, and whether it includes identifiers. When in doubt, map data flows to the covered entity or business associate and check for the 18 identifiers before sharing or using the data.
FAQs
What information does HIPAA protect?
HIPAA protects individually identifiable health information created, received, maintained, or transmitted by covered entities or their business associates. It spans clinical, administrative, and payment data in any form—oral, paper, or electronic—when it can identify a person or there is a reasonable basis to believe it could.
How are PHI identifiers defined under HIPAA?
HIPAA’s Safe Harbor lists 18 identifiers—including names, specific geography, most date elements, contact numbers, account and record numbers, device and vehicle identifiers, web and network identifiers, biometric identifiers, full-face photos, and other unique codes. If any of these appear with health data, the data is PHI.
What types of health information are excluded from HIPAA protection?
PHI exclusions include de-identified data, employment records kept by an employer, FERPA records maintained by schools, information not handled by a covered entity or business associate for HIPAA-covered functions, and information about individuals deceased for more than 50 years. Aggregated, non-identifiable statistics are excluded as well.
How does de-identification affect HIPAA coverage?
Once PHI is de-identified under the Expert Determination or Safe Harbor de-identification standards—and you have no actual knowledge of re-identification risk—it is no longer PHI and may be used or disclosed without HIPAA authorization. A limited data set, however, remains PHI and requires a data use agreement.