HIPAA Privacy Rule: What Counts as Protected Health Information (PHI)
Definition of Protected Health Information
Protected Health Information (PHI) is individually identifiable health information that relates to your past, present, or future physical or mental health, the healthcare you receive, or the payment for that care. It is PHI when it is created, received, maintained, or transmitted by covered entities or their business associates in any form—electronic, paper, or oral.
PHI exists wherever identifying details and health data meet. If data can be linked to you and reveals something about your condition, treatment, or billing, it is PHI under the HIPAA Privacy Rule. This includes physical and mental health data as well as healthcare provision records and payment information.
Types of Identifiers Included in PHI
The following 18 identifiers are the ones that make health information “individually identifiable” and therefore PHI. They are the identifiers listed in the HIPAA de-identification standard (45 CFR 164.514(b)(2), the “safe harbor” method), so they are also the fields that must be removed to de-identify a record:
- Names.
- Geographic subdivisions smaller than a state (e.g., street address, city, county, precinct, ZIP code). Under safe harbor, the first three digits of a ZIP code may be retained when that three-digit area contains more than 20,000 people; otherwise they are replaced with 000.
- All elements of dates (except year) directly related to an individual (e.g., birth, admission, discharge, death), together with all ages over 89 and any date elements (including year) that would reveal such an age; those ages may be reported only in a single aggregated category of “90 or older.”
- Telephone numbers.
- Fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate/license numbers.
- Vehicle identifiers and serial numbers, including license plates.
- Device identifiers and serial numbers.
- Web URLs.
- IP address numbers.
- Biometric identifiers (e.g., fingerprints, voiceprints, retinal or iris scans).
- Full-face photographic images and comparable images.
- Any other unique identifying number, characteristic, or code.
When any of these appear alongside health details—diagnoses, medications, lab values, or care notes—the result is PHI. Examples include health plan beneficiary numbers next to claim data or biometric identifiers attached to patient monitoring records.
Coverage Scope of the HIPAA Privacy Rule
The HIPAA Privacy Rule applies to covered entities—health plans, healthcare clearinghouses, and healthcare providers that conduct standard electronic transactions—and to their business associates that handle PHI on their behalf. If you create, access, store, transmit, or process PHI for a covered entity, you are likely within scope.
PHI protected by HIPAA spans electronic systems (EHRs, patient portals, billing platforms), paper files, and verbal exchanges. By contrast, health data held by organizations that are neither covered entities nor acting as business associates may fall outside HIPAA, even though other privacy laws can still apply.
Exclusions from PHI
Not all health-related data is PHI. Key exclusions include:
- De-identified information—data with no reasonable basis to identify an individual, achieved through expert determination or by removing specified identifiers (often called the “safe harbor” method).
- Employment records held by a covered entity in its role as employer (e.g., workplace leave or fitness-for-duty files).
- Education records and certain student treatment records governed by FERPA.
- Health information about a person deceased for more than 50 years.
Note: A “limited data set” is still PHI (not fully de-identified) and may be used only for specific purposes under a data use agreement.
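As an added example (not code from the original article), the following Python applies the safe-harbor rules from the identifier list and the de-identification exclusion above to a single structured patient record: it drops the direct identifiers, truncates the ZIP code to three digits (or 000 for the sparsely populated prefixes), keeps only the year of each date, and collapses ages over 89 into a “90+” category while discarding the birth year that would reveal such an age. The record layout, field names, sample values and reference date are assumptions constructed for this example; the set of restricted three-digit ZIP prefixes is the one published in HHS de-identification guidance and should be confirmed against current guidance before use.

```python
"""Safe-harbor de-identification of a single patient record.

Added example, not code from the original article: it implements the
18-identifier removal described above (45 CFR 164.514(b)(2)). The record
layout, field names and sample values are constructed for illustration.
"""
from __future__ import annotations

import copy
import re
from datetime import date

# Direct identifiers that safe harbor requires removing outright.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric",
    "photo", "other_unique_code",
}

# Date fields: only the year survives, and even the birth year goes for ages over 89.
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")

# Three-digit ZIP prefixes covering 20,000 or fewer people; these become "000".
# Taken from HHS's 2012 de-identification guidance (2000 Census data);
# confirm against current guidance before relying on it.
SMALL_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

REFERENCE_DATE = date(2024, 6, 1)  # date on which ages are computed (constructed)


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits of a ZIP code, or "000" for sparsely populated areas."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 5:
        raise ValueError(f"not a 5-digit ZIP code: {zip_code!r}")
    prefix = digits[:3]
    return "000" if prefix in SMALL_ZIP3 else prefix


def age_on(reference: date, birth: date) -> int:
    """Whole years of age on the reference date."""
    years = reference.year - birth.year
    if (reference.month, reference.day) < (birth.month, birth.day):
        years -= 1
    return years


def safe_harbor(record: dict, reference: date = REFERENCE_DATE) -> dict:
    """Return a copy of `record` with the safe-harbor identifiers removed or generalized.

    Clinical fields (diagnosis codes, lab values) pass through untouched.
    Free-text notes are NOT scanned here: identifiers embedded in narrative
    text must be removed separately, and the covered entity must also have
    no actual knowledge that what remains could identify the patient.
    """
    out = copy.deepcopy(record)
    for field in DIRECT_IDENTIFIERS:
        out.pop(field, None)

    if "zip" in out:
        out["zip3"] = generalize_zip(str(out.pop("zip")))

    birth = date.fromisoformat(record["birth_date"]) if record.get("birth_date") else None
    over_89 = birth is not None and age_on(reference, birth) > 89

    for field in DATE_FIELDS:
        if field not in out:
            continue
        value = out.pop(field)
        # A birth year for someone over 89 reveals the age, so it is dropped too.
        if value is None or (field == "birth_date" and over_89):
            continue
        out[field + "_year"] = date.fromisoformat(value).year

    if birth is not None:
        # Ages over 89 are collapsed into a single "90+" category.
        out["age"] = "90+" if over_89 else age_on(reference, birth)

    assert not (DIRECT_IDENTIFIERS & out.keys()), "identifier survived de-identification"
    return out


# Constructed sample records; not real patient data.
SAMPLE_ELDERLY = {
    "name": "Jane Q. Sample", "ssn": "123-45-6789", "mrn": "MRN-0004567",
    "email": "jane@example.com", "ip_address": "203.0.113.7",
    "zip": "03604", "birth_date": "1931-04-02", "admission_date": "2024-02-14",
    "diagnosis": "E11.9", "hba1c": 7.8,
}
SAMPLE_ADULT = {
    "name": "John Example", "phone": "555-0100", "zip": "94103-1234",
    "birth_date": "1980-07-20", "diagnosis": "J45.20",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE_ELDERLY))
    print(safe_harbor(SAMPLE_ADULT))
```

Running the module prints the two de-identified records: the elderly patient keeps only the diagnosis, lab value, admission year, a 000 ZIP prefix (03604 falls in a restricted area) and an age of “90+”, while the younger patient keeps the 941 prefix, birth year and exact age. Note what the code cannot do: it does not scan free-text notes for embedded identifiers, and safe harbor additionally requires that the covered entity have no actual knowledge that the remaining data could identify the individual, so its output is a candidate for review, not a certificate of de-identification. A limited data set, by contrast, would retain full dates and city/state/ZIP and therefore remains PHI under a data use agreement.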
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Importance of PHI Protection
Protecting PHI safeguards patient trust, reduces the risk of identity theft and medical fraud, and supports safe, coordinated care. Strong privacy practices also prevent costly breaches and regulatory penalties while preserving your organization’s reputation and operational continuity.
For patients, robust privacy controls provide confidence to share sensitive details—essential for accurate diagnosis, effective treatment, and timely payment processing. For organizations, disciplined handling of individually identifiable health information is foundational to ethical care.
Compliance Requirements for Covered Entities
To comply with the HIPAA Privacy Rule, covered entities should implement the following:
- Governance and policies: Adopt written privacy policies, designate a privacy official, and maintain records of uses/disclosures.
- Minimum necessary: Limit PHI access and disclosures to the least amount needed for the task.
- Individual rights: Provide a Notice of Privacy Practices; enable rights to access, obtain copies, request amendments, request restrictions, and receive an accounting of disclosures; honor reasonable requests for confidential communications.
- Authorizations: Obtain valid patient authorization for uses/disclosures not otherwise permitted or required by HIPAA.
- Breach response: Maintain incident response procedures and, when unsecured PHI is breached, notify affected individuals, HHS, and (for large breaches) the media within the timelines set by the HIPAA Breach Notification Rule.
- Business associate oversight: Execute and manage Business Associate Agreements for vendors handling PHI.
- Workforce management: Train staff, apply role-based access, and enforce sanctions for violations.
- Security safeguards: Conduct risk analyses and implement the administrative, physical, and technical safeguards specified by the companion HIPAA Security Rule (e.g., encryption, audit logs, secure transmission) for electronic PHI.
Common Examples of PHI
- Clinic notes linking a patient’s name to diagnoses, medications, or treatment plans.
- Laboratory results associated with a medical record number or date of service.
- Claims, authorizations, and explanations of benefits containing payment information and health plan beneficiary numbers.
- Imaging files (e.g., X-rays, MRIs) paired with identifying metadata or full-face images.
- Prescription histories tied to a patient profile in a pharmacy system.
- Appointment schedules listing patient names, phone numbers, and visit reasons.
- Portal messages and call recordings that discuss symptoms, care instructions, or billing details.
- Device and app data (e.g., remote monitoring feeds) when maintained for a covered entity and linked to the individual.
Conclusion
Under the HIPAA Privacy Rule, PHI is any individually identifiable health information connected to health status, care, or payment and handled by covered entities or their business associates. Knowing which identifiers create PHI, what is excluded, and how compliance works helps you protect patients, meet obligations, and reduce risk.
FAQs
What information is considered Protected Health Information under HIPAA?
PHI is identifiable data about your physical or mental health, the healthcare you receive, or the payment for that care, when held or transmitted by a covered entity or its business associate. If health details appear with identifiers such as a name, medical record number, or IP address tied to a patient portal, that information is PHI.
How does the HIPAA Privacy Rule protect PHI?
The Privacy Rule limits how PHI may be used or disclosed, requires the minimum necessary standard, grants patient rights (access, amendments, restrictions, accounting of disclosures), mandates notices and authorizations where needed, and works alongside security safeguards and breach notification duties to reduce unauthorized access and misuse.
Are employment records included in PHI protections?
No. Employment records maintained by a covered entity in its role as employer are not PHI, even if they contain health information. However, the same individual’s medical chart held by the provider for treatment and billing purposes is PHI and remains protected.
What types of identifiers are excluded from PHI?
PHI is defined by the presence of identifying details, so the question is better framed as what must be removed for data to stop being PHI. Information ceases to be PHI when it is de-identified, either by expert determination or by the safe harbor method. Safe harbor requires removing all 18 listed identifiers (for example, names, all date elements except year, contact details, account numbers, health plan beneficiary numbers, device and vehicle identifiers, biometric identifiers, full-face photos, IP addresses, and any other unique identifying number, characteristic, or code) and, in addition, that the covered entity have no actual knowledge that the remaining information could be used, alone or in combination with other data, to identify the individual.