HIPAA Protected Health Information (PHI) Definition: What It Is, What Counts, and Examples
Definition of PHI
What PHI means under HIPAA
Protected Health Information (PHI) is Individually Identifiable Health Information that a covered entity or its business associate creates, receives, maintains, or transmits. It relates to an individual’s past, present, or future physical or mental health or condition, the provision of healthcare, or payment for healthcare—and it identifies the person or could reasonably be used to identify them.
Who is subject to HIPAA
Covered entities include health plans, most healthcare providers who conduct standard electronic transactions, and healthcare clearinghouses. Business associates are vendors or partners that handle PHI on behalf of a covered entity. If neither category applies, the information generally is not PHI, even if it concerns health.
What counts as “identifiable”
Identifiability includes obvious details like a name as well as demographic data or other elements that, alone or in combination, can reveal identity. When these details are present in health information held by a covered entity or business associate, the information is PHI.
Use and disclosure baseline
HIPAA permits PHI to be used or disclosed without written permission for treatment, payment, and healthcare operations (and for a defined set of other purposes, such as disclosures required by law or for public health). Uses and disclosures outside those permitted purposes require patient permission that meets HIPAA's authorization requirements. The minimum necessary standard applies to most uses and disclosures, with notable exceptions for disclosures to a provider for treatment and disclosures to the individual.
Forms of PHI
Electronic PHI (ePHI)
PHI stored or transmitted electronically—such as in EHR systems, patient portals, claims files, emails, texts, apps acting on behalf of providers, and backups—is ePHI and must meet the HIPAA Security Rule’s safeguards.
Paper and image records
Printed intake forms, referral letters, discharge summaries, pharmacy labels, radiology films, and mailed billing statements are PHI when they contain identifiable health details.
Oral communications
Spoken information about a patient’s condition, treatment, or payment status—like hallway conversations, voicemails, and phone updates to family—can be PHI and must be handled to limit unintended disclosures.
Metadata and technical traces
Audit logs, device or app metadata, and system identifiers can constitute PHI when they link to a person’s health information. These are often overlooked yet critical to protect.
Exclusions from PHI
When health information is not PHI
- De-identified information meeting HIPAA's de-identification standards (details below).
- Employment records a covered entity maintains in its role as employer (separate from its group health plan).
- Education records and certain treatment records subject to FERPA, not HIPAA.
- Information about individuals deceased for more than 50 years.
- Consumer-held health information that is not created, received, maintained, or transmitted by a covered entity or business associate (for example, data kept solely in a personal app not acting for a provider or health plan).
Note: A limited data set removes many direct identifiers but remains PHI and may be shared only for specific purposes under a data use agreement.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Examples of PHI
- A clinic note linking a diagnosis to a patient name and date of birth.
- An insurance claim with member ID, procedure codes, and service dates.
- Lab results tied to a medical record number or barcode traceable to a person.
- Appointment reminders that include a patient’s name plus the clinic and service date.
- A patient portal message thread containing symptoms and medication lists.
- Imaging files (e.g., DICOM) with embedded demographics or device identifiers.
- Device serial numbers recorded in a chart for implanted or monitored equipment.
- IP address and login timestamp associated with a specific patient’s portal account.
18 Identifiers of PHI
HIPAA's Safe Harbor method lists 18 identifiers that must be removed for health information to be considered de-identified. The identifiers cover the individual and also the individual's relatives, employers, and household members. If any of these are present and the information is held by a covered entity or business associate, it is PHI:
- Names.
- Geographic subdivisions smaller than a state, including street address, city, county, precinct, and ZIP code. The initial three digits of a ZIP code may be kept if, according to current Census data, the geographic unit formed by combining all ZIP codes with those three initial digits contains more than 20,000 people; otherwise the first three digits must be changed to 000.
- All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, and date of death, plus all ages over 89 and any date elements (including year) that would reveal such an age; those ages and dates may instead be aggregated into a single category of "age 90 or older."
- Telephone numbers.
- Fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate or license numbers.
- Vehicle identifiers and serial numbers, including license plates.
- Device identifiers and serial numbers.
- Web URLs.
- IP addresses.
- Biometric identifiers, including finger and voice prints.
- Full-face photographs and comparable images.
- Any other unique identifying number, characteristic, or code.
De-identified Information
Two approved methods
- Safe Harbor: Remove all 18 identifiers (of the individual and of their relatives, employers, and household members) and have no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify an individual.
- Expert Determination: A qualified expert applies accepted statistical and scientific principles to determine and document that the risk of re-identification is very small.
Key considerations
De-identification is context-specific. Small cell sizes, rare conditions, or detailed locations can raise re-identification risk even after direct identifiers are removed. A code assigned to de-identified records for later re-linking must not be derived from or related to information about the individual, must not otherwise be capable of being translated to identify the individual, and may not be used or disclosed by the covered entity for any other purpose; the re-identification mechanism itself must not be disclosed.
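The Safe Harbor mechanics above (drop the 18 identifiers, generalize ZIP codes to three digits or 000, reduce dates to year, collapse ages over 89) and the "metadata and technical traces" point earlier on the page are both illustrated by the following Python example. It is added here and is not code from the original article or from Accountable. The record field names, the low-population ZIP3 set, the sample patient records, and the sample log line are all constructed for illustration; a real deployment must derive the ZIP3 set from current Census data, and nothing here automates the "no actual knowledge" condition or replaces Expert Determination.

```python
"""Safe Harbor de-identification of a structured record, plus a residual-identifier
scan for free text such as clinical notes or application log lines (added example)."""
import re
from datetime import date

# Field names below are an assumed record layout, not HIPAA terminology.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "member_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# ZIP3 prefixes whose combined population is 20,000 or fewer must become "000".
# Constructed placeholder set: derive the real one from current Census data.
LOW_POPULATION_ZIP3 = {"036", "059", "102"}

# Constructed sample log line showing why audit logs can carry PHI.
SAMPLE_LOG_LINE = ("2024-03-02 10:15:07 portal login user=jane.doe@example.org "
                   "src=203.0.113.7 mrn=00012345")


def generalize_zip(zip_code):
    """Return the Safe Harbor ZIP3 (or "000"), or None if the input is not a ZIP."""
    zip3 = zip_code.strip()[:3]
    if len(zip3) != 3 or not zip3.isdigit():
        return None
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3


def age_on(birth_iso, as_of):
    """Completed years between an ISO birth date and the reference date."""
    b = date.fromisoformat(birth_iso)
    return as_of.year - b.year - ((as_of.month, as_of.day) < (b.month, b.day))


def safe_harbor_deidentify(record, as_of=None):
    """Apply the Safe Harbor transformations to one record dict."""
    if as_of is None:
        as_of = date.today()
    elif isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifiers are dropped entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "birth_date":
            age = age_on(value, as_of)
            if age > 89:
                # Ages over 89 collapse to one category; birth year goes too,
                # because year alone would reveal the age.
                out["age_category"] = "90 or older"
            else:
                out["birth_year"] = date.fromisoformat(value).year
                out["age"] = age
        elif key.endswith("_date"):
            # Other dates keep only the year element.
            out[key[:-len("_date")] + "_year"] = date.fromisoformat(value).year
        else:
            out[key] = value
    return out


# Patterns for identifier types that commonly leak into free text and logs.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def scan_free_text(text):
    """Return the sorted list of identifier types detected in free text."""
    return sorted(name for name, rx in IDENTIFIER_PATTERNS.items() if rx.search(text))


if __name__ == "__main__":
    sample = {"name": "Jane Doe", "mrn": "00012345", "zip": "03601",
              "birth_date": "1930-05-17", "admission_date": "2024-03-02",
              "diagnosis": "I10", "email": "jane@example.org"}  # constructed
    print(safe_harbor_deidentify(sample, "2024-06-01"))
    print(scan_free_text(SAMPLE_LOG_LINE))
```

The regex scan is a coarse detective control, not a de-identifier: it flags an email address and an IP address in the sample log line but cannot recognize a bare medical record number, which only the field-level logic in `safe_harbor_deidentify` handles. Treat a non-empty scan result on a log pipeline as a signal that the pipeline itself is holding ePHI and needs Security Rule safeguards, not as proof that an empty result is clean.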
Employment and Education Records Exclusions
Employer health information
Employment records held by an employer—such as FMLA documentation, drug test results, ADA accommodation files, or fit-for-duty notes—are not PHI when maintained in the employer role. However, information within a group health plan (a covered entity) is PHI and must be segregated from general HR files. Employers may receive only limited, necessary information from the plan and must protect it.
Education and treatment records under FERPA
Student education records are governed by FERPA, not HIPAA. This includes health and immunization records maintained by a school for K–12 students and most university student health clinic records when they qualify as education or treatment records. FERPA Compliance requires appropriate privacy protections, but these records are not PHI under HIPAA.
Summary
In practice, PHI is any identifiable health information handled by covered entities or their business associates, across electronic, paper, and oral forms. The 18 identifiers define what makes information identifiable; removing them (or applying expert methods) can de-identify data. Employment and FERPA-covered education records sit outside HIPAA, while most other identifiable health data in the healthcare system is PHI.
FAQs
What constitutes Protected Health Information under HIPAA?
PHI is individually identifiable health information that relates to a person's health, care, or payment and that is created, received, maintained, or transmitted by a covered entity or business associate. If the information can identify the person, through a name, demographic data, or any of the other HIPAA identifiers, it is PHI.
How does HIPAA define de-identified information?
De-identified information is health data that cannot reasonably identify an individual. HIPAA recognizes two paths: remove the 18 identifiers with no actual knowledge that the remainder could identify someone (Safe Harbor), or have a qualified expert document that the re-identification risk is very small (Expert Determination), consistent with HIPAA's de-identification standards.
Are employment health records covered by HIPAA?
Generally no. Employment records that an employer keeps in its role as employer, such as leave certifications or fitness-for-duty notes, are not PHI. However, information held by an employer-sponsored group health plan is PHI and must be kept separate from general employment files.
What are some common examples of HIPAA identifiers?
Common identifiers include names, full addresses or precise locations, exact dates tied to a person (other than year), phone numbers, emails, Social Security numbers, medical record numbers, health plan IDs, account numbers, certificate/license numbers, vehicle and device serial numbers, URLs, IP addresses, biometric identifiers, and full-face photos.