HIPAA Privacy Rule: PHI Definition, Permitted Uses, and Requirements


Kevin Henry

HIPAA

February 28, 2025

8 minutes read

The HIPAA Privacy Rule governs how protected health information (PHI) is created, used, and shared. This guide clarifies what counts as PHI, when you may use or disclose it, and the requirements you must meet to stay compliant.

PHI Definition and Scope

Individually Identifiable Health Information

PHI is individually identifiable health information (IIHI) that relates to a person’s past, present, or future physical or mental health, health care, or payment for care, and that identifies the person or could reasonably identify them. PHI may be electronic, paper, or oral.

Covered Entities and Where PHI Exists

PHI is regulated when held or transmitted by covered entities (health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions) and by their business associates. If you perform functions for a covered entity involving PHI, your handling is subject to HIPAA.

What PHI Includes and Excludes

  • Includes: names with medical record numbers, full-face photos with diagnoses, claim details linked to a patient, and similar data that can identify the individual.
  • Excludes: de-identified data, education records covered by FERPA, and employment records held by a covered entity in its role as employer. PHI of a decedent is no longer PHI 50 years after death.

Psychotherapy Notes

Psychotherapy notes are a special subset of PHI—clinician notes documenting counseling session conversations kept separate from the medical record. They receive heightened protection and typically require individual authorization for most uses and disclosures.

Permitted Uses and Disclosures

Treatment, Payment, and Health Care Operations (TPO)

  • Treatment: sharing PHI among providers to coordinate and deliver care.
  • Payment: activities to obtain reimbursement, verify coverage, or determine medical necessity.
  • Health care operations: quality assessment, accreditation, training, population-based activities, and similar operations.

Public Interest and Benefit Activities

Without authorization, disclosures may be permitted for specific purposes, subject to conditions:

  • Required by law or to comply with court orders and subpoenas.
  • Public health activities, such as reporting certain diseases and adverse events.
  • Health oversight activities and audits.
  • Judicial and administrative proceedings, and certain law-enforcement purposes.
  • To avert a serious threat to health or safety.
  • Specialized government functions (e.g., military, national security) and workers’ compensation.
  • Decedent-related purposes (coroners, medical examiners, funeral directors) and organ procurement.
  • Research under an Institutional Review Board (IRB) waiver, or using a limited data set with a Data Use Agreement.

Authorization and Individual Involvement

  • Authorization is required for most uses not listed above, including marketing, sale of PHI, and many disclosures of psychotherapy notes.
  • With the individual’s agreement or opportunity to object, you may disclose to family, friends, or others involved in care or payment, and for facility directories.

Minimum Necessary Standard

What It Requires

When using, disclosing, or requesting PHI, you must make reasonable efforts to limit it to the minimum necessary to accomplish the purpose. Apply role-based access and need-to-know controls to operationalize this standard.

Key Exceptions

  • Treatment disclosures between providers.
  • Disclosures to the individual who is the subject of the PHI.
  • Uses or disclosures pursuant to a valid authorization.
  • Disclosures to HHS for compliance investigations.
  • Uses or disclosures required by law.

Practical Controls

  • Define workforce roles and the PHI each role may access.
  • Use data minimization in reports; mask or aggregate when detail is unnecessary.
  • Standardize routine disclosures with templates, approval gates, and audits.
  • When full identifiers are unnecessary, use a limited data set under a Data Use Agreement.

Required Disclosures

To the Individual

You must disclose PHI to the individual upon request under the Right of Access, including an electronic copy of ePHI when readily producible. Reasonable, cost-based copy fees are allowed; retrieval fees are not.

To the Department of Health and Human Services (HHS)

You must disclose PHI as needed for HHS investigations, reviews, or enforcement actions regarding HIPAA compliance.

Distinction from “Required by Law”

HIPAA itself requires only the two disclosures above. Other disclosures may be “required by law” (e.g., state reporting), which HIPAA permits but does not independently mandate.


De-Identification of PHI

De-Identification Methods

  • Expert Determination: a qualified expert applies accepted principles to conclude the risk of re-identification is very small and documents the methods and results.
  • Safe Harbor: remove the 18 listed identifier types (e.g., names; all elements of dates except year; geographic subdivisions smaller than a state; phone, email, SSN, MRN, account and certificate/license numbers; device and vehicle identifiers; URLs and IP addresses; biometric identifiers; full-face photos and comparable images) and have no actual knowledge that the remaining information could be used to re-identify the individual. Ages over 89, and any date elements that would reveal such an age, must be grouped into a single category of 90 or older.

Limited Data Set and Data Use Agreement

A limited data set (LDS) is not fully de-identified; it may include dates and certain geographic details but excludes direct identifiers like names and contact information. You may disclose an LDS for research, public health, or health care operations only under a Data Use Agreement that prohibits re-identification or contact and limits permitted uses and recipients.
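The following is an added example, not code from the original article, that applies the Safe Harbor rules and the limited data set rules above to one constructed patient record so the difference between the two outputs is visible; the record, field names and the simplification of dropping ZIP codes entirely (instead of applying the three-digit ZIP exception) are assumptions of this example.

```python
from datetime import date

# Constructed sample record; every value is made up for this example.
RECORD = {
    "name": "Jane Example", "mrn": "MRN-000123", "email": "jane@example.invalid",
    "phone": "555-0100", "street": "12 Elm St", "city": "Springfield",
    "state": "IL", "zip": "62704", "ip_address": "203.0.113.9",
    "birth_date": date(1931, 3, 14), "admission_date": date(2024, 11, 2),
    "diagnosis": "Type 2 diabetes",
}

# Direct identifiers present in RECORD. Both methods strip these; the full
# Safe Harbor list has 18 categories and an LDS removes the 16 direct ones.
DIRECT_IDENTIFIERS = {"name", "mrn", "email", "phone", "street", "ip_address"}
# Quasi-identifiers an LDS may keep but Safe Harbor must drop or generalize.
SUB_STATE_GEO = {"city", "zip"}
DATE_FIELDS = {"birth_date", "admission_date"}


def age_on(birth, as_of):
    """Completed years between birth and as_of."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if had_birthday else 1)


def limited_data_set(record):
    """LDS: strip direct identifiers; dates and city/state/ZIP may stay."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def safe_harbor(record, as_of):
    """Safe Harbor: additionally drop sub-state geography and all date
    elements except the year. Ages over 89 collapse to '90+', and the birth
    year is dropped with them because a year implying such an age is itself
    an identifying date element. ZIP is dropped outright here; the 3-digit
    ZIP exception needs population data this example does not carry."""
    out = limited_data_set(record)
    for field in SUB_STATE_GEO:
        out.pop(field, None)
    for field in DATE_FIELDS:
        out[field.replace("_date", "_year")] = out.pop(field).year
    age = age_on(record["birth_date"], as_of)
    if age > 89:
        out["age"] = "90+"
        out.pop("birth_year")
    else:
        out["age"] = age
    return out
```

Running `limited_data_set(RECORD)` keeps the city, ZIP and full dates, while `safe_harbor(RECORD, date(2025, 2, 28))` leaves only the state, the diagnosis, the admission year and the "90+" age bucket.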

Re-Identification Codes

You may assign a code to allow re-identification by the disclosing entity if the code is not derived from the individual’s information and is not used or disclosed for other purposes.

Role of Business Associates

Who Is a Business Associate

Business associates are persons or entities that perform functions or services for a covered entity involving PHI—such as claims processing, data analysis, EHR hosting, cloud storage, or HIE services. Subcontractors that handle PHI on a business associate’s behalf are also business associates.

Business Associate Agreements (BAAs)

  • Describe permitted and required uses/disclosures of PHI.
  • Require safeguards aligned with the HIPAA Security Rule and the Minimum Necessary Standard.
  • Mandate breach reporting, mitigation, and cooperation.
  • Flow down obligations to subcontractors that create, receive, maintain, or transmit PHI.
  • Address return or destruction of PHI and termination for cause.

Direct Liability

Business associates are directly liable for impermissible uses/disclosures, failure to implement safeguards, failure to provide access or accounting support to the covered entity, and failure to disclose to HHS when required.

Individual Rights under HIPAA

Right of Access

You may inspect or obtain copies of your PHI in the requested format if readily producible, generally within 30 days (with one allowable extension). Only reasonable, cost-based fees for copies may be charged.

Right to Amend

You may request an amendment to PHI in a designated record set. If denied, you are entitled to a written explanation and the ability to submit a statement of disagreement.

Right to an Accounting of Disclosures

You may receive an accounting of certain disclosures made without authorization, excluding those for treatment, payment, and health care operations, among other exceptions.

Right to Request Restrictions and Confidential Communications

You may request restrictions on uses/disclosures; covered entities need not agree except in specific cases, such as restricting disclosure to a health plan for services you paid for in full out of pocket. You may also request communications by alternative means or at alternative locations.

Notice and Complaints

You have the right to receive a Notice of Privacy Practices and to file a complaint with your provider, plan, or HHS without retaliation. Together, these rights give you meaningful control over how your PHI is used and shared.

In practice, compliance with the HIPAA Privacy Rule centers on understanding what PHI is, limiting access to the minimum necessary, documenting decisions, and honoring individual rights in a timely, consistent way.

FAQs

What information qualifies as PHI under the HIPAA Privacy Rule?

PHI is individually identifiable health information about health, care provided, or payment for care that identifies a person or could reasonably do so, when held by a covered entity or business associate. It includes demographics when linked to health data. De-identified data, FERPA education records, and employment records held by an employer are not PHI.

When can PHI be used or disclosed without individual authorization?

Without authorization, PHI may be used or disclosed for treatment, payment, and health care operations; for certain public interest and benefit activities (e.g., public health, oversight, judicial processes, law enforcement, serious threat prevention, specialized government functions, workers’ compensation); to the individual; to HHS; and as required by law. The Minimum Necessary Standard applies except for key exceptions like treatment and disclosures to the individual.

What rights do individuals have regarding their PHI under HIPAA?

Individuals can access and obtain copies of PHI, request amendments, receive an accounting of certain disclosures, request restrictions, ask for confidential communications, receive a Notice of Privacy Practices, and file complaints without retaliation.

How does the HIPAA Privacy Rule address de-identified health information?

De-identified data is not PHI and is outside the Privacy Rule. HIPAA recognizes two de-identification methods: Expert Determination and Safe Harbor (removal of 18 identifiers with no actual knowledge of re-identification). A limited data set is not de-identified and may be shared only for specific purposes under a Data Use Agreement.
