HIPAA PHI Definition: What Counts as Protected Health Information—and What Doesn’t


Kevin Henry

HIPAA

January 25, 2024

7 minutes read

Overview of Protected Health Information

Under the HIPAA PHI definition, Protected Health Information is Individually Identifiable Health Information that a Covered Entity or its Business Associates create, receive, maintain, or transmit. PHI can exist in any form—electronic (ePHI), paper, or oral—and must both identify a person (directly or by reasonable inference) and relate to health, care, or Payment Information.

What PHI includes

  • Information about an individual’s past, present, or future physical or mental health condition.
  • Details about the provision of health care, such as diagnoses, medications, clinical notes, or test results.
  • Payment Information for health care, including claim numbers, billing records, policy/member IDs, and explanations of benefits when linked to a person.

If data contains health content but cannot identify a person—or is not handled by a HIPAA-regulated entity—it is not PHI. PHI status depends on both identifiability and context.

Identifiable Health Information

Individually Identifiable Health Information (IIHI) is any health-related data that identifies an individual or could reasonably be used to identify them. When IIHI is held or processed by Covered Entities or Business Associates, it becomes PHI and is protected by HIPAA rules.

From IIHI to PHI: the trigger

Identification can be direct (for example, a name or Social Security number) or indirect (a combination like ZIP code, birth date, and gender). Common examples that qualify as PHI when handled by regulated entities include lab results with a patient name, appointment schedules tied to a medical record number, insurer member IDs attached to services, and recorded calls discussing a diagnosis.

Exclusions from PHI

Some information is explicitly outside HIPAA’s scope, even if sensitive. Key exclusions include:

  • Education records governed by the Family Educational Rights and Privacy Act (FERPA) and certain student treatment records at postsecondary institutions.
  • The Employment Records Exclusion: employee health information maintained by an organization in its role as employer (e.g., FMLA forms, drug-test results in an HR file).
  • De-identified health information that meets HIPAA’s De-Identification Standards.
  • Information about a person who has been deceased for more than 50 years.
  • Consumer-generated health data in apps or devices when the app is not acting on behalf of a Covered Entity (HIPAA may not apply, though other laws can).

Remember, the same data can be PHI in one context and not in another. A vaccination record in a clinic’s EHR is PHI; the same information saved in a personal notebook is not.

De-Identified Health Data

De-identified data is not PHI and is outside HIPAA’s privacy restrictions. HIPAA recognizes two De-Identification Standards: Safe Harbor and Expert Determination.

Safe Harbor: remove these 18 identifiers

  • Names.
  • Geographic subdivisions smaller than a state (e.g., street address, city, county, ZIP code), with limited ZIP exceptions.
  • All elements of dates (except year) related to an individual (e.g., birth, admission, discharge, death), and ages over 89 unless aggregated as 90+.
  • Telephone numbers.
  • Fax numbers.
  • Email addresses.
  • Social Security numbers.
  • Medical record numbers.
  • Health plan beneficiary numbers.
  • Account numbers.
  • Certificate/license numbers.
  • Vehicle identifiers and serial numbers, including license plates.
  • Device identifiers and serial numbers.
  • Web URLs.
  • IP addresses.
  • Biometric identifiers (e.g., finger or voice prints).
  • Full-face photographs and comparable images.
  • Any other unique identifying number, characteristic, or code.

Expert Determination

A qualified expert applies accepted statistical or scientific principles to conclude that re-identification risk is very small and documents the methods and results. This method can preserve more data utility when Safe Harbor would remove too much.

Limited Data Set (LDS)

An LDS removes direct identifiers but may retain dates and certain geographic details (e.g., city, state, ZIP). It remains PHI and can be used or disclosed for research, public health, or health care operations under a Data Use Agreement that restricts re-identification and further disclosure.
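As an added example (not the article's or Accountable's own code), the following Python scrubber applies the two treatments described above to one patient record: Safe Harbor mode drops the listed identifier categories, reduces dates to the year, and buckets ages over 89 as "90+" (also suppressing the birth year for that bucket, since it would reveal the age); Limited Data Set mode drops direct identifiers but keeps dates and city/ZIP. The record schema, field names, and the sample record are assumptions constructed for the example, and the regular expressions are a residual-identifier check for free-text notes, not a complete detector. The "limited ZIP exceptions" the article mentions are not implemented; ZIP is removed outright in Safe Harbor mode.

```python
import re
from datetime import date
from typing import Any, Dict

# Hypothetical record schema assumed for this example, mapped onto the
# article's 18 Safe Harbor categories (names, geography below state,
# contact numbers, SSN/MRN/member/account/license numbers, vehicle and
# device identifiers, URLs, IPs, biometrics, photos, other unique codes).
SAFE_HARBOR_DROP = frozenset({
    "name", "street", "city", "county", "zip",
    "phone", "fax", "email", "ssn", "mrn", "member_id",
    "account_no", "license_no", "vehicle_plate", "device_serial",
    "url", "ip", "voiceprint_id", "photo", "other_unique_code",
})
# A Limited Data Set may retain city/county/ZIP and full dates.
LDS_DROP = SAFE_HARBOR_DROP - {"city", "county", "zip"}
DATE_FIELDS = frozenset({"dob", "admit_date", "discharge_date"})
TEXT_FIELDS = frozenset({"note"})

# Residual-identifier patterns for free text (constructed; a check, not a
# complete detector). Order matters only in that no token overlaps another.
RESIDUAL_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "DATE": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4})\b"),
}

# Constructed sample record; every value here is fictitious.
SAMPLE_RECORD: Dict[str, Any] = {
    "name": "Jane Doe", "mrn": "MRN-000123", "ssn": "123-45-6789",
    "zip": "02115", "state": "MA", "dob": date(1931, 3, 14),
    "admit_date": date(2024, 1, 10), "age": 92, "diagnosis": "E11.9",
    "note": "Pt called from 617-555-0100 on 2024-01-10; SSN 123-45-6789 on file.",
}


def scrub_text(text: str, keep_dates: bool = False) -> str:
    """Replace residual identifiers in free text with labelled tokens."""
    for label, pattern in RESIDUAL_PATTERNS.items():
        if keep_dates and label == "DATE":
            continue
        text = pattern.sub(f"[{label}]", text)
    return text


def bucket_age(age: int):
    """Safe Harbor: ages over 89 are aggregated into a single 90+ bucket."""
    return "90+" if age > 89 else age


def deidentify(record: Dict[str, Any], mode: str = "safe_harbor") -> Dict[str, Any]:
    """Return a new record de-identified under Safe Harbor or as a Limited Data Set."""
    if mode not in ("safe_harbor", "limited_data_set"):
        raise ValueError(f"unknown mode: {mode}")
    safe_harbor = mode == "safe_harbor"
    drop = SAFE_HARBOR_DROP if safe_harbor else LDS_DROP
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in drop:
            continue  # identifier category removed entirely
        if key in DATE_FIELDS and isinstance(value, date):
            # Safe Harbor keeps only the year; an LDS may keep the full date.
            out[key] = value.year if safe_harbor else value.isoformat()
        elif key == "age" and safe_harbor:
            out[key] = bucket_age(value)
        elif key in TEXT_FIELDS and isinstance(value, str):
            out[key] = scrub_text(value, keep_dates=not safe_harbor)
        else:
            out[key] = value
    # Safe Harbor: date elements indicative of age over 89 must also go,
    # so the birth year is suppressed for the 90+ bucket.
    if safe_harbor and out.get("age") == "90+" and "dob" in out:
        out["dob"] = None
    return out


if __name__ == "__main__":
    print("Safe Harbor:", deidentify(SAMPLE_RECORD, "safe_harbor"))
    print("Limited Data Set:", deidentify(SAMPLE_RECORD, "limited_data_set"))
```

Note that the Limited Data Set output is still PHI, as the section above states; the function only changes which fields survive, and an organization would still need the Data Use Agreement before releasing it.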

HIPAA Compliance Requirements

Covered Entities and Business Associates must implement layered privacy and security controls to protect PHI across its lifecycle.

Privacy governance and practices

  • Appoint privacy and security officers; adopt written policies; train the workforce regularly.
  • Apply the minimum necessary standard to uses, disclosures, and requests.
  • Honor individual rights: access, copies, corrections (amendments), and an accounting of certain disclosures.
  • Execute Business Associate Agreements (BAAs) before sharing PHI with vendors.

Security Rule safeguards

  • Administrative: risk analysis, risk management, workforce training, contingency planning.
  • Physical: facility access controls, device/media controls, secure workstations.
  • Technical: unique user IDs, role-based access, encryption (addressable), audit controls, integrity and transmission security.

Breach Notification

  • Investigate suspected incidents promptly and assess the probability of compromise.
  • Notify affected individuals without unreasonable delay and within required timelines; notify regulators and, when applicable, the media.
  • Document incidents, decisions, and corrective actions.

Covered Entities and Business Associates

Covered Entities include health plans (insurers, HMOs, employer group health plans), health care clearinghouses, and health care providers that conduct standard electronic transactions (such as claims or eligibility checks). They are directly accountable for safeguarding PHI.

Business Associates are vendors or partners that create, receive, maintain, or transmit PHI for a Covered Entity—for example, billing companies, EHR or cloud service providers, analytics firms, and pharmacy benefit managers. Subcontractors that handle PHI are also Business Associates and must comply with HIPAA and the terms of the BAA.

Importance of PHI Protection

Protecting PHI preserves patient trust, ensures continuity of care, and reduces the risk of costly breaches and enforcement actions. Strong controls also improve data quality and interoperability by clarifying who can access what, and under which conditions.

Effective programs don’t just “lock down” data—they enable compliant sharing for treatment, payment, and operations, and support de-identified analytics that advance research and public health without exposing individuals.

Conclusion

In short, PHI is IIHI about health, care, or Payment Information that is handled by HIPAA-regulated entities. Education records under FERPA, employment records, and properly de-identified data fall outside PHI. Covered Entities and Business Associates must implement robust privacy, security, and breach-notification controls to protect individuals and uphold the intent of HIPAA.

FAQs

What types of information are included in PHI?

PHI includes any data that identifies a person and relates to their health status, the provision of health care, or payment for that care. Examples are medical record numbers, diagnoses, lab results, prescriptions, appointment schedules, imaging, claims data, insurer member IDs, and billing records—so long as the information can identify the individual.

What kinds of records are excluded from PHI?

Education records and certain student treatment records governed by the Family Educational Rights and Privacy Act, employment records kept by an organization in its role as employer (Employment Records Exclusion), data about individuals deceased more than 50 years, and properly de-identified data are not PHI. Consumer app data not created for or received by a Covered Entity also may fall outside HIPAA.

How is de-identified data treated under HIPAA?

Once health information is de-identified under HIPAA’s De-Identification Standards—via Safe Harbor removal of 18 identifiers or Expert Determination—it is no longer PHI and HIPAA’s privacy restrictions no longer apply. A Limited Data Set removes direct identifiers but remains PHI and requires a Data Use Agreement for specified purposes.

Who must comply with PHI regulations?

Covered Entities—health plans, health care clearinghouses, and qualifying health care providers—and their Business Associates must comply with HIPAA’s Privacy, Security, and Breach Notification Rules. Subcontractors that handle PHI on behalf of a Business Associate are likewise obligated to meet HIPAA requirements.
