HIPAA PHI Definition: What Counts as Protected Health Information (Examples and the 18 Identifiers)
Overview of Protected Health Information
Protected Health Information (PHI) is individually identifiable health information governed by the HIPAA Privacy Rule. In plain terms, the HIPAA PHI definition covers any health-related data that can reasonably identify you and is created, received, maintained, or transmitted by a covered entity or its business associate, whether electronic, paper, or oral.
PHI resides in a Designated Record Set (DRS)—the medical and billing records used to make decisions about you, plus health plan enrollment, payment, and claims records. If information in that DRS relates to your past, present, or future physical or mental health, your care, or payment for care, and it can identify you, it is PHI.
Electronic PHI (ePHI) flows through modern Health Information Technology systems—EHRs, patient portals, telehealth platforms, and health plan apps. Regardless of format, the same privacy and security requirements apply, including use and disclosure limits, minimum necessary standards, and safeguards.
What makes information “individually identifiable”?
Information is identifying when it includes direct identifiers (like your name) or when details about you could allow someone to figure out who you are. HIPAA codifies this risk through 18 specific identifiers and De-identification Standards that remove those identifiers or prove minimal re-identification risk.
The 18 HIPAA Identifiers
Under HIPAA’s safe harbor De-identification Standards, removing the following identifiers from health information helps ensure it is no longer PHI. These are the 18 identifiers:
- Names.
- Geographic subdivisions smaller than a state (for example, street address, city, county, precinct, ZIP code—subject to the de-identification rules for limited ZIP information).
- All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, and date of death, together with all ages over 89 (and any date elements that would reveal such an age), which are aggregated into a single 90-or-older category.
- Telephone numbers.
- Fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate/license numbers.
- Vehicle identifiers and serial numbers, including license plate numbers.
- Device identifiers and serial numbers.
- Web Universal Resource Locators (URLs).
- Internet Protocol (IP) address numbers.
- Biometric identifiers, including finger and voice prints.
- Full-face photographic images and any comparable images.
- Any other unique identifying number, characteristic, or code (other than a permitted re-identification code or Patient Identifier Codes used internally in compliance with HIPAA).
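As an added illustration (not code from the page or from Accountable), the following Python helper applies the safe harbor rules listed above to a constructed record: it drops direct identifiers, keeps only the year of dates, collapses ages over 89 into a 90+ category, and truncates ZIP codes to three digits (or 000 for a low-population prefix). The field names and the low-population ZIP prefix set are assumptions and placeholders, not real data.

```python
from datetime import date

# Field names are assumptions for this example; map them to your own schema.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Constructed PLACEHOLDER: three-digit ZIP prefixes covering 20,000 or fewer
# people must become "000" under safe harbor; the real set comes from Census
# data. These values are not real.
LOW_POPULATION_ZIP3 = {"036", "059", "102"}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or "000" for a low-population prefix."""
    prefix = zip_code[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix


def generalize_age(age: int) -> str:
    """Ages over 89 collapse into a single "90+" category."""
    return "90+" if age > 89 else str(age)


def safe_harbor(record: dict) -> dict:
    """Return a copy of the record with identifier fields removed or generalized."""
    over_89 = record.get("age", 0) > 89
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # direct identifiers are dropped outright
        if field in DATE_FIELDS and isinstance(value, date):
            if field == "birth_date" and over_89:
                continue  # even the birth year would reveal an age over 89
            out[field + "_year"] = value.year  # keep only the year
        elif field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "age":
            out["age"] = generalize_age(value)
        else:
            out[field] = value  # clinical content (diagnosis, procedures) stays
    return out


# Constructed sample record for a fictional patient.
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-000123", "email": "jane@example.com",
    "zip": "03601", "age": 92, "birth_date": date(1932, 4, 15),
    "admission_date": date(2024, 2, 3), "diagnosis": "I10",
}
```

Safe harbor also requires that the covered entity has no actual knowledge that the remaining information could identify the individual; this helper does not assess that and should be paired with a review of the residual fields.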
Examples of PHI in Healthcare
Clinical and care delivery
- Progress notes that include your name, medical record number, and diagnoses.
- Radiology images with embedded patient demographics or full-face photos.
- Care management spreadsheets with dates of service, phone numbers, and conditions.
Billing and health plan operations
- Claims files containing subscriber IDs, account numbers, and procedure codes tied to you.
- Explanation of Benefits (EOB) documents listing your name, dates, and amounts paid.
- Prior authorization records with your provider, diagnosis, and plan beneficiary number.
Digital health and Health Information Technology
- Patient portal messages with email addresses and treatment details.
- Telehealth recordings that include your voice, image, or identifiers.
- Wearable or app data linked to your account or other identifiers.
Research and quality improvement
- Study datasets that retain dates, ZIP codes, or other identifiers.
- Quality dashboards showing patient-level outcomes with medical record numbers.
If these data are de-identified under HIPAA’s De-identification Standards (safe harbor or expert determination), they are no longer PHI and can be used more broadly, subject to other applicable laws and ethics rules.
Importance of PHI in Compliance
Protecting PHI is central to HIPAA compliance. The HIPAA Privacy Rule governs permissible uses and disclosures, while the Security Rule requires administrative, physical, and technical safeguards for ePHI. Compliance Enforcement by regulators focuses on whether you applied the minimum necessary standard, managed risk, and maintained appropriate documentation.
Strong PHI governance reduces legal exposure, supports patient trust, and enables responsible data sharing for care coordination and analytics. It also positions your organization to respond effectively to a Data Breach Notification event by containing impact, meeting required timelines, and demonstrating due diligence.
Designated Record Set and patient rights
Because PHI is anchored to the Designated Record Set, your policies should clearly define which systems and repositories are in scope. Accurate scoping ensures timely patient access, amendment processes, and accounting of disclosures, and it sharpens your technical controls and audit coverage.
Handling and Protecting PHI
Administrative safeguards
- Apply role-based access and the minimum necessary standard to limit who sees PHI.
- Train your workforce regularly on the HIPAA Privacy Rule, incident reporting, and phishing awareness.
- Execute and manage Business Associate Agreements to extend protections to vendors.
- Maintain risk analyses, policies, and audit-ready documentation for Compliance Enforcement.
Technical safeguards
- Encrypt ePHI in transit and at rest; enforce multi-factor authentication and strong identity management.
- Use data loss prevention, intrusion detection, and audit logging with continuous monitoring.
- Segregate environments, apply least privilege, and routinely patch systems and apps.
- Use approved secure messaging and telehealth platforms; avoid unvetted tools.
Physical and operational safeguards
- Secure facilities and devices; control media, workstations, and removable storage.
- Implement retention schedules and verifiable destruction of paper and electronic media.
- Standardize incident response playbooks for investigation and Data Breach Notification.
- When feasible, use De-identification Standards or limited data sets to reduce privacy risk.
Exceptions and Special Cases in PHI
- De-identified data: Not PHI when identifiers are removed via safe harbor or an expert determines minimal re-identification risk.
- Limited Data Set: May include city, state, ZIP, and dates but excludes direct identifiers; use requires a data use agreement.
- Education and employment records: Education records covered by FERPA and employment records held by a covered entity in its employer role are not PHI.
- Decedents: PHI protections persist for 50 years after death; beyond that, information is no longer PHI under HIPAA.
- Psychotherapy notes: PHI with heightened protections and special authorization requirements.
- Permitted disclosures: Certain public health, oversight, law enforcement, and as-required-by-law disclosures are allowed without authorization, subject to minimum necessary and documentation rules.
- Re-identification codes: Patient Identifier Codes used internally are allowed if they are not derived from the identifiers and are kept confidential.
Impact of PHI on Patient Privacy
PHI protections preserve confidentiality, support dignity, and strengthen trust in care relationships. When you handle PHI responsibly, people are more willing to share complete information, improving diagnosis, care coordination, and outcomes.
Conversely, weak controls enable re-identification, profiling, or identity theft. Embedding privacy by design—data minimization, robust access controls, de-identification where feasible, and transparent notices—reduces risk while enabling responsible innovation in Health Information Technology.
In short, knowing what counts as PHI, how the 18 identifiers work, and how to apply HIPAA’s De-identification Standards allows you to protect privacy, meet obligations, and use data ethically and effectively.
FAQs
What information is considered PHI under HIPAA?
PHI is individually identifiable health information in a Designated Record Set that relates to your health status, care, or payment and can identify you. It includes paper, electronic, and oral information maintained or transmitted by covered entities and their business associates under the HIPAA Privacy Rule.
How do the 18 identifiers protect patient privacy?
The 18 identifiers are specific data elements most likely to reveal your identity. Removing them under HIPAA’s De-identification Standards (or proving minimal re-identification risk via expert determination) transforms the data into de-identified information, enabling wider use while lowering privacy risk.
Can demographic data be classified as PHI?
Yes—demographics become PHI when they can identify you and relate to your health care or payment, or when they appear in a Designated Record Set. For example, addresses, smaller-than-state geography, and ages over 89 are HIPAA identifiers; when linked to health details, they are PHI. Aggregated statistics without identifiers are not PHI.
What are the consequences of PHI violations?
Consequences can include regulatory investigations and Compliance Enforcement actions, civil monetary penalties, corrective action plans, mandated training and monitoring, and required Data Breach Notification to affected individuals (and others as applicable). Organizations may also face contractual, reputational, and operational impacts.