HIPAA Privacy Rule Requirements: Examples of Protected Health Information Your Team Handles
Definition of Protected Health Information
Protected Health Information (PHI) is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits and that relates to an individual's past, present, or future physical or mental health, the health care provided to that individual, or payment for that care. PHI spans all media: electronic, paper, and oral. It exists wherever you store, process, or discuss patient data.
Individually identifiable health information is data that identifies a person, or for which there is a reasonable basis to believe it can be used to identify a person. The identifiers HIPAA lists include a person's name; geographic subdivisions smaller than a state (street address, city, county, and ZIP code, though the first three ZIP digits may stay where that area holds more than 20,000 people); all elements of dates except year that relate directly to the individual (birth, admission, discharge, death) and any age over 89; phone and fax numbers; email addresses; Social Security, medical record, and health plan numbers; account and certificate/license numbers; vehicle and device identifiers and serial numbers; URLs and IP addresses; biometric identifiers (such as fingerprints or voiceprints); full-face photographs and comparable images; and any other unique number, code, or characteristic linked to the individual.
Who must comply
Covered entities are health care providers that conduct standard electronic transactions, health plans, and health care clearinghouses. Business associates are vendors that create, receive, maintain, or transmit PHI on a covered entity's behalf; they are directly liable for Security Rule compliance and for the Privacy Rule requirements that apply to them. Both must apply the minimum necessary standard, safeguard PHI, and honor patient rights under the Privacy Rule.
Examples of Protected Health Information
Your team encounters PHI in routine workflows. The following examples show how PHI appears across functions and systems you manage:
- Registration and scheduling: full name, date of birth, address, contact details, insurance subscriber ID, and appointment dates.
- Clinical documentation: symptoms, diagnoses, medications, allergies, vital signs, care plans, and clinician notes in the EHR.
- Diagnostics: lab results, pathology reports, radiology images and DICOM metadata, and test dates.
- Care coordination: referral forms, discharge summaries, prior authorization packets, and utilization management notes.
- Billing and revenue cycle: superbills, claim forms (e.g., CMS-1500/UB-04), remittance advice, prior authorization numbers, and payment card data when linked to a patient.
- Pharmacy and therapeutics: e-prescriptions, dispense records, prior auth details, and medication therapy management notes.
- Telehealth and messaging: audio/video recordings, chat transcripts, portal messages, and attachments containing clinical content or identifiers.
- Wearables and remote monitoring: device serials, streaming vitals, alerts, and timestamps when associated with an identifiable patient.
- Operational logs: audit trails that tie user actions to a specific patient, appointment rosters, and on-call messages containing patient identifiers.
Exclusions from Protected Health Information
Not all health-related data is PHI. Key exclusions help you scope your compliance program accurately:
- De-identified information that meets HIPAA's de-identification standard (no reasonable basis to identify an individual).
- Education records covered by the Family Educational Rights and Privacy Act (FERPA) and certain student treatment records maintained by a school.
- Employment records held by a covered entity in its role as employer (for example, FMLA documentation, fitness-for-duty results, or workplace injury logs maintained for HR purposes).
- Consumer health data collected by apps or devices that are not acting as business associates and are not working for a covered entity. That data falls outside HIPAA but not outside regulation: the FTC's Health Breach Notification Rule and state privacy laws may still apply to it.
- Information about a decedent 50 years after the date of death.
- Aggregated statistics that cannot be tied to an individual (for example, de-identified quality dashboards). Aggregation alone does not satisfy the de-identification standard: a table cell covering one or two patients can still single someone out, so de-identify the underlying data or suppress small cells before publishing.
Genetic Information as PHI
Genetic data is PHI when it is individually identifiable and handled by a covered entity or business associate. This includes genetic test results, interpretations, family medical history, and notes from genetic counseling, even if there is no current diagnosis.
Under the Genetic Information Nondiscrimination Act (GINA), as implemented in the HIPAA Privacy Rule, health plans (other than issuers of long-term care policies) may not use or disclose genetic information for underwriting purposes. Your policies should block such uses and train staff to treat genetic data with heightened sensitivity and strict access controls.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Operational safeguards for genetic data
- Segment genetic test results in the EHR and apply role-based access.
- Use patient-friendly explanations and explicit consent workflows when disclosing to external parties.
- Scrutinize research and analytics requests for necessity, traceability, and re-identification risk.
De-identified Health Information
Data is no longer PHI when it is de-identified so that individuals cannot be identified. HIPAA recognizes two methods:
- Safe Harbor: remove the 18 listed identifiers of the individual and of the individual's relatives, employers, and household members (names; geographic units smaller than a state, other than the first three ZIP digits where that area holds more than 20,000 people; all date elements except year, plus any age over 89; phone, fax, and email; Social Security, medical record, health plan, account, and license numbers; vehicle and device identifiers; URLs and IP addresses; biometrics; full-face photos; and any other unique code or characteristic) and have no actual knowledge that the remaining data could identify the person.
- Expert Determination: a qualified expert documents that the risk of re-identification is very small, given techniques used and context of release.
Limited data sets
A limited data set is not fully de-identified and remains PHI. It strips the 16 direct identifiers (names, street addresses, phone and fax numbers, email addresses, Social Security numbers, medical record and health plan numbers, account and license numbers, vehicle and device identifiers, URLs, IP addresses, biometrics, and full-face photos) but may keep dates, ages, and city, state, and ZIP code. You may use or disclose it only for research, public health, or health care operations, and only under a data use agreement that names the permitted uses and recipients, requires safeguards, and bars the recipient from re-identifying or contacting the individuals.
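The two transformations described above, Safe Harbor and the limited data set, written out as an added Python example (not code from this page or from Accountable). It applies both to one constructed patient record and includes a release check for fields that would fail Safe Harbor. The field names and the record are assumptions for the example; the restricted ZIP prefix list is the one HHS published in its de-identification guidance from 2000 Census figures, and it must be refreshed against current census data before use.

```python
from datetime import date

# ASSUMPTION: three-digit ZIP prefixes whose area held 20,000 or fewer people
# (HHS guidance, 2000 Census). Safe Harbor requires these to become 000.
# Refresh from current Census data before relying on this list.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}

# The 16 direct identifiers that both Safe Harbor and a limited data set strip.
# Field names are assumed for this example; map them to your own schema.
DIRECT_IDENTIFIERS = {
    "name", "street", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account", "license", "vehicle_id", "device_serial", "url", "ip",
    "biometric", "photo",
}

# Constructed example record; not real patient data.
SAMPLE = {
    "name": "Jane Q. Example", "street": "12 Elm St", "city": "Springfield",
    "state": "IL", "zip": "62704", "phone": "555-010-0199", "mrn": "MRN-0000123",
    "dob": date(1931, 5, 2), "admit": date(2024, 3, 14), "diagnosis": "E11.9",
}


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def safe_harbor_zip(zip_code: str) -> str:
    """Keep only the first three ZIP digits, or 000 for a restricted prefix."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def safe_harbor(record: dict, as_of: date) -> dict:
    """Safe Harbor: drop the direct identifiers and city, reduce ZIP to three
    digits, reduce dates to year, and bucket ages over 89 as 90+."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "city":
            continue  # city is geography smaller than a state
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key == "dob":
            # Year of birth may stay unless it reveals an age over 89.
            age = age_on(value, as_of)
            if age > 89:
                out["age"] = "90+"
            else:
                out["birth_year"] = value.year
        elif isinstance(value, date):
            out[f"{key}_year"] = value.year  # admission, discharge, death: year only
        else:
            out[key] = value
    return out


def limited_data_set(record: dict) -> dict:
    """Limited data set: strip the 16 direct identifiers but keep city, state,
    ZIP, dates, and ages. Still PHI; share only under a data use agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def residual_identifiers(record: dict) -> list:
    """Release check: fields that would fail Safe Harbor if they remain."""
    problems = [k for k in record if k in DIRECT_IDENTIFIERS or k in ("city", "zip")]
    problems += [k for k, v in record.items() if isinstance(v, date)]
    if isinstance(record.get("age"), int) and record["age"] > 89:
        problems.append("age")
    return problems


if __name__ == "__main__":
    today = date(2024, 6, 1)
    print("Safe Harbor:", safe_harbor(SAMPLE, today))
    print("Limited data set:", limited_data_set(SAMPLE))
    print("LDS fields that block Safe Harbor release:",
          residual_identifiers(limited_data_set(SAMPLE)))
```

The limited data set keeps the same record's city, ZIP, and dates, which is exactly why the release check reports them: the two outputs are not interchangeable, and only the Safe Harbor output leaves the organization without a data use agreement.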
Programmatic guardrails
- Adopt written de-identification standards and validation checks before release.
- Minimize data fields, apply k-anonymity or differential privacy where feasible, and monitor for linkage risks.
- Ensure recipients agree not to re-identify or combine datasets in ways that could identify individuals.
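A release check of the kind these guardrails call for, as an added Python example that is not code from this page or from Accountable. It measures k-anonymity over the quasi-identifiers an outsider could link on and, because k alone misses the case where everyone in a class shares the same diagnosis, also checks l-diversity of the sensitive field. The rows, field names, and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed rows that have already been through Safe Harbor-style
# generalisation (ZIP3, birth year); not real data. dx is the sensitive field.
ROWS = [
    {"zip3": "627", "birth_year": 1984, "sex": "F", "dx": "E11.9"},
    {"zip3": "627", "birth_year": 1986, "sex": "F", "dx": "I10"},
    {"zip3": "627", "birth_year": 1981, "sex": "F", "dx": "J45.909"},
    {"zip3": "627", "birth_year": 1988, "sex": "M", "dx": "E11.9"},
    {"zip3": "627", "birth_year": 1983, "sex": "M", "dx": "E11.9"},
    {"zip3": "627", "birth_year": 1972, "sex": "M", "dx": "I10"},
    {"zip3": "627", "birth_year": 1979, "sex": "M", "dx": "F41.1"},
    {"zip3": "627", "birth_year": 1975, "sex": "F", "dx": "I10"},
    {"zip3": "627", "birth_year": 1977, "sex": "F", "dx": "J45.909"},
]
QIS = ("zip3", "birth_year", "sex")  # quasi-identifiers a linkage attack uses


def equivalence_classes(rows, qis):
    """Group rows that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for row in rows:
        classes[tuple(row[q] for q in qis)].append(row)
    return classes


def k_anonymity(rows, qis) -> int:
    """Size of the smallest class: each row hides among at least k rows."""
    return min((len(c) for c in equivalence_classes(rows, qis).values()), default=0)


def l_diversity(rows, qis, sensitive) -> int:
    """Fewest distinct sensitive values in any class. A value of 1 means the
    class leaks the attribute even though its members are indistinguishable."""
    return min((len({r[sensitive] for r in c})
                for c in equivalence_classes(rows, qis).values()), default=0)


def generalize(rows, field, fn):
    """Coarsen one field (e.g. birth year to decade) to enlarge classes."""
    return [{**r, field: fn(r[field])} for r in rows]


def decade(year: int) -> str:
    return f"{year // 10 * 10}s"


def release_gate(rows, qis, sensitive, k=5, l=2) -> list:
    """Violations that must be empty before a dataset leaves the organisation."""
    violations = []
    for key, members in equivalence_classes(rows, qis).items():
        if len(members) < k:
            violations.append(f"class {key}: {len(members)} rows, below k={k}")
        distinct = {r[sensitive] for r in members}
        if len(distinct) < l:
            violations.append(
                f"class {key}: {sensitive} homogeneous {sorted(distinct)}, below l={l}")
    return violations


if __name__ == "__main__":
    print("raw k =", k_anonymity(ROWS, QIS))
    coarse = generalize(ROWS, "birth_year", decade)
    print("decade k =", k_anonymity(coarse, QIS),
          "l =", l_diversity(coarse, QIS, "dx"))
    for v in release_gate(coarse, QIS, "dx", k=2, l=2):
        print("BLOCK:", v)
```

With exact birth years every row is its own class (k = 1). Coarsening to decades raises k to 2, yet the gate still blocks the release: both men born in the 1980s carry the same diagnosis, so anyone who knows a man of that age lives in ZIP3 627 learns his condition. The thresholds here are deliberately low to keep the sample small; pick k and l from your own risk assessment.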
Employment and Education Records
HIPAA generally does not apply to FERPA-covered education records. Health services provided by a school to students are often regulated by FERPA, not HIPAA, while services to non-students (such as staff or community members) at a school clinic may fall under HIPAA if the clinic is a covered entity.
Employment records held by your organization in its capacity as an employer are excluded from PHI. By contrast, clinical records created by your occupational health clinic acting as a covered health care provider are PHI, even when the patient is an employee; the same injury can appear in an HR injury log (an employment record) and in the clinic chart (PHI). Clarify boundaries in your policies, designate who may access which records, and educate staff on the FERPA/HIPAA divide.
Formats of Protected Health Information
PHI exists in every format your team uses. Electronic PHI (ePHI) includes EHR data, images, PDFs, messages, audit logs, and backups. Paper PHI spans intake forms, printed notes, labels, faxes, and mailed statements. Oral PHI appears in hallway conversations, handoffs, voicemails, and telehealth sessions.
Modern modalities widen the scope: mobile photos and videos, biometric scans, device serials and telemetry, secure messaging threads, and cloud-based collaboration artifacts. Treat each as PHI when linked—or linkable—to an individual.
Practical controls
- Apply role-based access, minimum necessary, and data loss prevention across systems handling PHI.
- Standardize retention and secure disposal for both ePHI and paper.
- Vet vendors for business associate responsibilities and ensure a business associate agreement, encryption, and breach response procedures are in place.
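An added example of the data loss prevention piece of these controls, in Python and not code from this page or from Accountable: a scanner that flags and redacts patient identifiers in application log lines before they reach a SIEM, a ticket, or a vendor. The log lines are constructed, the MRN format is an assumed local convention, and the SSN plausibility rules are the Social Security Administration's published structure (no 000, 666, or 900-999 area, no 00 group, no 0000 serial).

```python
import re

# Patterns for identifiers that commonly leak into logs. The MRN format is an
# ASSUMED local convention; the others follow common shapes, not a standard.
PATTERNS = {
    "SSN": re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    "MRN": re.compile(r"\bMRN-\d{6,}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "PHONE": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    # Bare YYYY-MM-DD. An ISO-8601 timestamp such as 2024-03-14T10:02:11Z is
    # not matched because no word boundary separates the day from the T; a
    # space-separated timestamp would be, so tune this to your log format.
    "DATE": re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b"),
}

# Constructed log lines for the example; not from a real system.
LOGS = [
    "2024-03-14T10:02:11Z user=jdoe action=view mrn=MRN-0000123 dob=1931-05-02",
    "2024-03-14T10:03:40Z user=asmith action=export ssn=123-45-6789 email=jane@example.org",
    "2024-03-14T10:04:02Z user=svc-backup action=rotate size=4096 ssn=000-12-3456",
    "2024-03-14T10:05:00Z user=front-desk action=callback tel=555-010-0199",
]


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    return not (area in ("000", "666") or area >= "900"
                or group == "00" or serial == "0000")


def _is_hit(kind: str, m: re.Match) -> bool:
    """Apply the structural check for SSNs; every other match counts."""
    return kind != "SSN" or plausible_ssn(*m.groups())


def find_identifiers(line: str) -> list:
    """Return (kind, text) pairs for each identifier found, in line order."""
    hits = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(line):
            if _is_hit(kind, m):
                hits.append((m.start(), kind, m.group(0)))
    hits.sort()
    return [(kind, text) for _, kind, text in hits]


def redact(line: str) -> str:
    """Replace each identifier with a <KIND> token so the line is safe to ship."""
    for kind, pat in PATTERNS.items():
        line = pat.sub(lambda m, k=kind: f"<{k}>" if _is_hit(k, m) else m.group(0), line)
    return line


def scan(lines) -> list:
    """(line index, findings) for every line that carries an identifier."""
    return [(i, find_identifiers(l)) for i, l in enumerate(lines) if find_identifiers(l)]


if __name__ == "__main__":
    for i, findings in scan(LOGS):
        print(i, findings)
        print("   ", redact(LOGS[i]))
```

The third line is the edge case worth noticing: its value has the shape of an SSN but an area number the SSA never issues, so the scanner leaves it alone rather than paging the on-call engineer. Run the scanner at the log shipper, not only at the SIEM, so that the identifiers are stripped before the lines are copied to a vendor, and treat any hit on an export line (the second entry) as an event to investigate, not just to redact.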
Conclusion
To meet HIPAA Privacy Rule Requirements, anchor your program to precise definitions, recognize what counts as PHI across formats, respect exclusions (like FERPA and employer-held records), handle genetic data with special care, and de-identify rigorously when sharing. These steps help you reduce risk, support patient trust, and keep daily operations compliant.
FAQs
What information qualifies as protected health information under HIPAA?
PHI is individually identifiable health information related to a person’s health status, care, or payment for care that is created, received, maintained, or transmitted by a covered entity or business associate. It includes identifiers such as names, addresses, dates, contact details, record numbers, and images when linked to clinical or billing context.
How is genetic information treated under the HIPAA Privacy Rule?
Genetic information—such as test results, interpretations, and family history—is PHI when it can identify a person and is handled by covered entities or business associates. The Privacy Rule, aligned with the Genetic Information Nondiscrimination Act, prohibits health plans from using genetic information for underwriting and requires safeguards for access and disclosure.
What types of records are excluded from PHI?
Excluded records include de-identified data meeting HIPAA's de-identification standard, education records governed by the Family Educational Rights and Privacy Act, employment records maintained by an employer, consumer app data not handled for a covered entity, and information about a person 50 years after death.
How is de-identified information distinguished from PHI?
Information becomes de-identified, and no longer PHI, when it either passes the Safe Harbor test (the specified identifiers are removed and the entity has no actual knowledge that the remaining data could identify the person) or a qualified expert documents that the risk of re-identification is very small. A limited data set is not fully de-identified; it remains PHI but may be shared for research, public health, or health care operations under a data use agreement.