HIPAA Privacy Rule: What Protected Health Information Includes, Explained


Kevin Henry

HIPAA

February 28, 2025

6 minutes read

Definition of Protected Health Information

Under the HIPAA Privacy Rule, Protected Health Information (PHI) means individually identifiable health information that relates to your past, present, or future physical or mental health or condition, the provision of healthcare to you, or payment for that care. It must be created or received by a covered entity or its business associate and maintained or transmitted in any form—electronic, paper, or oral.

PHI exists only when the information identifies you or can reasonably be used to identify you. If data are properly de-identified so that you cannot be identified, they are no longer PHI. HIPAA’s term for information that meets this identifiability test is “individually identifiable health information.”

Key components

  • Identifies you or could reasonably identify you.
  • Pertains to health status, care provided, or payment details.
  • Is created or received by covered entities or business associates.
  • Exists across media: electronic, paper, and verbal.

Types of Identifiable Information

Identifiers fall into two broad categories. Direct identifiers single you out immediately (for example, your name or Social Security number). Indirect identifiers are data points that, when combined, can uniquely identify you (such as birth date and ZIP code).

Direct identifiers

  • Names, street addresses, phone numbers, and email addresses.
  • Government-issued numbers (for example, Social Security and driver’s license numbers).
  • Biometric identifiers like fingerprints or voiceprints.

Indirect identifiers

  • Specific dates related to care or life events (for example, admission and discharge dates).
  • Geographic details below the state level (for example, city or ZIP code).
  • Combinations of demographics that make re-identification likely.

The full set of HIPAA examples appears later under “Examples of PHI Identifiers.”

Forms of PHI Transmission

HIPAA protects PHI regardless of format. The rule applies equally to Electronic Health Records, paper files, and spoken information shared during care coordination.

Common forms

  • Electronic: Electronic Health Records, patient portals, billing systems, claims, emails, texts, databases, backups, and audit logs.
  • Paper: printed charts, encounter forms, billing statements, mailed records, and faxes.
  • Oral disclosure: hallway conversations, phone calls, voicemails, telehealth sessions, and care conferences.

The same privacy principles apply across these channels: limit access to the minimum necessary, verify recipients, and secure transmissions end to end.

Excluded Records from PHI

Some information that concerns health is not PHI under HIPAA because of who holds it or how it is structured. Knowing these carve-outs helps you decide which rule set applies.


  • De-identified data: Information stripped of identifiers under HIPAA’s Safe Harbor or Expert Determination methods is not PHI.
  • Education records and student treatment records protected by the Family Educational Rights and Privacy Act are excluded from HIPAA.
  • Employment records held by a covered entity in its role as employer (for example, ADA accommodations or FMLA paperwork) are not PHI.
  • Information about a person who has been deceased for more than 50 years is no longer PHI.
  • Consumer health data created or held by entities that are not covered entities or business associates (for example, some wellness apps) is generally not PHI, even though it may be sensitive.

Permissible uses and disclosures

Covered entities may use or disclose PHI without your authorization for treatment, payment, and healthcare operations. Other uses typically require your written authorization unless a specific HIPAA permission applies (for example, certain public health reporting or disclosures required by law).

Minimum necessary standard

Except for disclosures for treatment and a few other exceptions, organizations must limit PHI to the minimum necessary to accomplish the purpose. You should see role-based access, need-to-know policies, and data minimization in action.

Your rights

  • Access: You can inspect or obtain copies of your records, including electronic copies of Electronic Health Records.
  • Amend: You can request corrections to inaccurate or incomplete information.
  • Accounting and restrictions: You can request an accounting of certain disclosures and ask for reasonable restrictions on sharing.
  • Confidential communications and notice: You can request alternative contact methods and must receive a Notice of Privacy Practices.

Safeguards, business associates, and breaches

  • Administrative, physical, and technical safeguards protect PHI—think policies, facility controls, encryption, access controls, and audit logging.
  • Business Associate Agreements bind vendors (such as EHR providers) that create, receive, maintain, or transmit PHI on a covered entity’s behalf.
  • Breach notification rules require timely notice to affected individuals and, in some cases, regulators and the media.

Role of Covered Entities

Covered entities include healthcare providers who transmit health information electronically in standard transactions, health plans, and healthcare clearinghouses. They are primarily responsible for safeguarding PHI and honoring your rights.

Business associates—such as billing services, cloud hosts, analytics firms, and Electronic Health Records vendors—must also protect PHI under their agreements. Covered Entities must ensure due diligence, sign Business Associate Agreements, and monitor compliance.

Examples of PHI Identifiers

HIPAA’s Safe Harbor method lists specific identifiers that must be removed before data can be considered de-identified under that method. The following examples are treated as PHI when linked to health information:

  • Names.
  • Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code—except the first three digits in limited high-population cases).
  • All elements of dates (except year) directly related to an individual, and ages over 89 (aggregated as 90+).
  • Telephone numbers.
  • Fax numbers.
  • Email addresses.
  • Social Security numbers.
  • Medical record numbers.
  • Health plan beneficiary numbers.
  • Account numbers.
  • Certificate or license numbers.
  • Vehicle identifiers and serial numbers, including license plates.
  • Device identifiers and serial numbers.
  • Web URLs.
  • Internet Protocol (IP) addresses.
  • Biometric identifiers, including finger and voice prints.
  • Full-face photographs and comparable images.
  • Any other unique identifying number, characteristic, or code.
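The Safe Harbor identifier list above is mechanical enough to apply in code. The example below is added here and is not from the article or from Accountable: it applies the Safe Harbor rules to a constructed patient record (direct identifiers dropped, dates reduced to year, ages over 89 bucketed as 90+, ZIP codes reduced to a 3-digit prefix only where the prefix area exceeds the rule's 20,000-person threshold) and then scans free-text fields for identifiers that structured field removal misses. The ZIP-prefix population table and the sample record are constructed for the example, not real data.

```python
import re

# Constructed lookup: population of the area covered by each 3-digit ZIP prefix.
# Safe Harbor keeps the prefix only when that area holds more than 20,000 people.
ZIP3_POPULATION = {"100": 1_500_000, "036": 12_000}  # constructed, not census data
ZIP3_THRESHOLD = 20_000

# Structured fields that Safe Harbor says must be removed outright (subset of the 18).
DIRECT_IDENTIFIER_FIELDS = {"name", "ssn", "mrn", "phone", "email", "ip", "url", "device_serial"}

# Patterns that catch identifiers leaking through free text (e.g. clinical notes).
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}

def generalize_zip(zip_code):
    """Keep the 3-digit prefix only if its area exceeds 20,000 people; otherwise 000."""
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > ZIP3_THRESHOLD else "000"

def generalize_date(iso_date):
    """All date elements except the year must be removed."""
    return iso_date[:4]

def generalize_age(years):
    """Ages over 89 are aggregated into a single 90+ bucket."""
    return "90+" if years > 89 else years

def safe_harbor_deidentify(record):
    """Return a copy of the record with Safe Harbor identifiers removed or generalized."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # dropped entirely
        if field == "zip":
            out[field] = generalize_zip(value)
        elif field == "dob" or field.endswith("_date"):
            out[field] = generalize_date(value)
        elif field == "age":
            out[field] = generalize_age(value)
        else:
            out[field] = value
    return out

def scan_free_text(text):
    """Report identifier kinds still present in a free-text field after structured removal."""
    return [kind for kind, pattern in FREE_TEXT_PATTERNS.items() if pattern.search(text)]

SAMPLE_RECORD = {  # constructed sample record, not real patient data
    "name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-0001", "zip": "10001",
    "dob": "1931-05-17", "age": 93, "admission_date": "2024-03-02",
    "diagnosis": "Type 2 diabetes", "notes": "Patient asked to be called back at 212-555-0199.",
}
```

Running `scan_free_text` on the de-identified record's `notes` field still reports a phone number, which is why Safe Harbor review must cover narrative text and not only structured columns.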

Conclusion

In short, the HIPAA Privacy Rule protects individually identifiable health information handled by covered entities and their business associates across electronic, paper, and oral forms. Understand what counts as PHI, note the limited exclusions, and watch for the listed identifiers—especially within Electronic Health Records—to keep privacy risks low and compliance strong.

FAQs

What qualifies as protected health information under HIPAA?

PHI is individually identifiable health information about your health status, care, or payment for care that is created or received by a covered entity or business associate and maintained or transmitted in any form—electronic, paper, or oral.

How does HIPAA define individually identifiable information?

Information is individually identifiable if it identifies you or there is a reasonable basis to believe it can be used to identify you, whether directly (for example, your name) or indirectly (for example, a combination of birth date and ZIP code).

Are employment records covered by HIPAA?

No. Employment records held by a covered entity in its role as employer are not PHI. Workplace health details may be protected by other laws, but HIPAA’s Privacy Rule does not apply to those employment records.

What types of identifiers are considered PHI?

HIPAA lists examples such as names, addresses below the state level, specific dates (except year), phone and fax numbers, email addresses, Social Security and medical record numbers, health plan beneficiary numbers, account and license numbers, vehicle and device identifiers, URLs, IP addresses, biometric identifiers, full-face photos, and any other unique identifying numbers or characteristics.
