HIPAA Protected Health Information (PHI) Explained: What Counts, What Doesn’t, and Compliance Basics
Definition of PHI
Under the HIPAA Privacy Rule, Protected Health Information (PHI) is any individually identifiable health information created, received, maintained, or transmitted by Covered Entities or their Business Associates. It includes past, present, or future health status, the provision of health care, or payment for care, when the individual can be identified.
PHI can exist in any medium—electronic, paper, or oral. If the information can reasonably identify a person and relates to health care or payment, and it is handled by a Covered Entity or Business Associate, it is PHI.
Forms of PHI
Electronic PHI (ePHI)
ePHI includes electronic health records, patient portal messages, claims data, scheduling systems, imaging files, remote patient monitoring feeds, audit logs containing identifiers, and backups. The HIPAA Security Rule governs how you protect ePHI.
Paper PHI
Paper PHI includes printed charts, superbills, referral forms, explanation-of-benefits printouts, intake forms, and notes that contain identifiers. Printed reports and labels tied to an individual also qualify.
Spoken PHI
Conversations, voicemails, and telephone disclosures that connect a person to health information are PHI. You must safeguard spoken exchanges in public or shared spaces to avoid impermissible disclosures.
Visual and Other Modalities
Photographs, videos, full-face images, device serial numbers tied to a patient, and even barcodes can be PHI when they can identify the individual and relate to health care or payment.
18 Identifiers of PHI
- Names.
- Geographic subdivisions smaller than a state (for example, street address, city, county, precinct, and ZIP code).
- All elements of dates (except year) directly related to an individual (for example, birth, admission, discharge, and death dates; ages over 89 must be aggregated as 90+).
- Telephone numbers.
- Fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate and license numbers.
- Vehicle identifiers and serial numbers, including license plates.
- Device identifiers and serial numbers.
- Web URLs.
- IP addresses.
- Biometric identifiers (for example, finger and voice prints).
- Full-face photographs and comparable images.
- Any other unique identifying number, characteristic, or code that could identify the individual.
Exclusions from PHI
Some information is not PHI even if it concerns health:
- Education records covered by FERPA and related treatment records held by a school.
- Employment records held by a Covered Entity in its role as employer (for example, FMLA paperwork in HR files).
- Information about a person deceased for more than 50 years.
- Information that is de-identified in accordance with HIPAA (see “De-identified Information”).
- Data not created, received, maintained, or transmitted by a Covered Entity or Business Associate—for example, a consumer fitness app that is not offered on behalf of a provider or health plan. If that app operates for a Covered Entity, the data may become PHI.
- Aggregated statistics that cannot reasonably identify an individual.
Note: A “limited data set” removes certain direct identifiers but is still PHI and may be used or disclosed only under a Data Use Agreement for research, public health, or health care operations.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
De-identified Information
Safe Harbor Method
Information is de-identified when the 18 identifiers are removed and the Covered Entity or Business Associate has no actual knowledge that the remaining information can identify the person. This includes special rules such as grouping ages 90 and above and limiting geographic detail.
Expert Determination Method
A qualified expert can apply statistical or scientific principles to determine that the risk of re-identification is very small. The expert documents methods and results, and the organization implements safeguards to prevent re-identification.
Limited Data Set vs. De-identified Data
A limited data set may retain some elements (for example, dates and some geography) but excludes direct identifiers like names and full addresses. It is still PHI and requires a Data Use Agreement; fully de-identified data is not PHI and is not subject to HIPAA.
Re-identification Codes
HIPAA permits using a unique code to re-identify records internally, provided the code is not derived from identifiers and is not disclosed externally.
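The two mechanisms described above, Safe Harbor generalization and an internal re-identification code, are easier to reason about against a concrete record. The Python below is an added example written for this page, not code from Accountable or from HHS. It assumes a flat record whose field names map onto the identifier categories, a constructed list of low-population three-digit ZIP prefixes (the real list comes from census data), a few regular expressions for catching identifiers left in free text, and a random code stored in an internal key map rather than anything derived from the medical record number.

```python
"""Safe Harbor de-identification of a constructed patient record, plus an
internal re-identification code that is not derived from any identifier.
Added example; not part of the original article."""
from __future__ import annotations

import re
import secrets
from datetime import date

# Assumed field names that hold direct identifiers removed outright by
# Safe Harbor. Dates, ages and ZIP codes are generalized instead (below).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo_ref",
}

# Constructed for this example: three-digit ZIP prefixes assumed to cover
# 20,000 people or fewer, which Safe Harbor requires to be reported as "000".
LOW_POPULATION_ZIP3 = {"036", "059", "102"}

# Patterns used to catch identifiers left behind in free text.
RESIDUAL_PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b(?:\d{3}[-. ])?\d{3}-\d{4}\b")),
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


def generalize_zip(zip_code: str) -> str:
    """Keep only the first three digits, or "000" for low-population prefixes."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 5:
        return "000"  # malformed input: fail closed
    prefix = digits[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix


def generalize_age(age: int) -> str:
    """Ages over 89 are aggregated into a single "90+" category."""
    return "90+" if age > 89 else str(age)


def find_residual_identifiers(text: str) -> list[str]:
    """Return the kinds of identifier patterns present in free text."""
    return [kind for kind, rx in RESIDUAL_PATTERNS if rx.search(text)]


def assign_reid_code(mrn: str, key_map: dict[str, str]) -> str:
    """Random code for internal re-identification.

    Because the code is random it is not derived from the MRN or any other
    identifier; key_map is the only way back and must never leave the entity.
    """
    for code, existing in key_map.items():
        if existing == mrn:
            return code
    code = secrets.token_hex(8)
    key_map[code] = mrn
    return code


def reidentify(code: str, key_map: dict[str, str]) -> str | None:
    """Internal lookup from code back to MRN (not for external disclosure)."""
    return key_map.get(code)


def safe_harbor_deidentify(record: dict, key_map: dict[str, str]) -> dict:
    """Apply Safe Harbor rules to one record and attach a re-identification code."""
    out: dict = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # removed entirely
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, date):
            out[f"{field}_year"] = value.year  # keep the year, drop month and day
        elif field == "age":
            out["age"] = generalize_age(value)
        elif isinstance(value, str) and find_residual_identifiers(value):
            continue  # free text still carries an identifier: drop the field
        else:
            out[field] = value
    out["record_code"] = assign_reid_code(record["mrn"], key_map)
    return out


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "phone": "555-0100",
    "street_address": "1 Example Street",
    "city": "Springfield",
    "zip": "03601",  # prefix 036 is in the assumed low-population set
    "birth_date": date(1931, 5, 4),
    "admission_date": date(2024, 2, 29),
    "age": 93,
    "diagnosis_code": "E11.9",
    "note": "Follow-up call placed to 555-0100; glucose stable.",
}

if __name__ == "__main__":
    internal_key_map: dict[str, str] = {}
    print(safe_harbor_deidentify(SAMPLE_RECORD, internal_key_map))
```

Two design choices matter for a practitioner. Free text is dropped rather than redacted when a residual pattern fires, because the "no actual knowledge" condition of Safe Harbor is easier to defend when a field that tripped a check is withheld and reviewed than when a regex is trusted to have caught everything. The key map that turns `record_code` back into an MRN is what the rule calls the re-identification mechanism; it lives with the Covered Entity and is not part of the data set that leaves.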
Compliance Basics
Who Must Comply
Covered Entities (health care providers, health plans, and health care clearinghouses) and their Business Associates must comply with HIPAA. Business Associates and their subcontractors need written Business Associate Agreements that define permitted uses and safeguards for PHI.
HIPAA Privacy Rule Essentials
The HIPAA Privacy Rule governs when you may use or disclose PHI. Common permissible disclosures include Treatment, Payment, and Health Care Operations. You must follow the minimum necessary standard, furnish a Notice of Privacy Practices, and honor individual rights (access, amendments, accounting of disclosures, restrictions, and confidential communications).
HIPAA Security Rule Essentials
The HIPAA Security Rule requires protection of ePHI through Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Conduct a documented risk analysis, manage risks, train your workforce, and implement policies and procedures that match your environment.
Administrative Safeguards
- Risk analysis and risk management, workforce training, sanctions, contingency planning, and vendor oversight through Business Associate management.
- Role-based access aligned to the minimum necessary standard and periodic access reviews.
Physical Safeguards
- Facility access controls, workstation use and security, device and media controls, and secure disposal or re-use of hardware.
- Protections for on-site, remote, and mobile environments (for example, locking screens and secured storage).
Technical Safeguards
- Unique user IDs, strong authentication (for example, multi-factor), automatic logoff, and audit controls.
- Integrity protections and transmission security; encryption is “addressable” but strongly expected for data at rest and in transit.
Breach Notification Rule
When unsecured PHI is impermissibly used or disclosed, perform a risk assessment. If a breach is not excluded, notify affected individuals without unreasonable delay and no later than 60 days after discovery, and notify HHS (and, when 500 or more individuals in a state or jurisdiction are affected, the media). Strong encryption can qualify as a safe harbor.
Practical Steps to Demonstrate Compliance
- Map PHI data flows, maintain an inventory of systems, and document policies and procedures.
- Use least privilege, multi-factor authentication, encryption, and endpoint protection; monitor with audit logs and alerts.
- Train your workforce annually, test incident response, and rehearse breach notification.
- Execute and manage Business Associate Agreements; verify vendors’ safeguards and remediate gaps.
- Secure BYOD with mobile device management, remote wipe, and clear usage rules; sanitize and document media disposal.
Conclusion
HIPAA Protected Health Information (PHI) hinges on identifiability, health context, and who handles the data. Know the 18 identifiers, apply de-identification appropriately, and implement the HIPAA Privacy Rule and HIPAA Security Rule with robust Administrative, Physical, and Technical Safeguards. With clear policies, training, and vigilant oversight of Business Associates, you can reduce risk and meet compliance obligations.
FAQs
What information is considered PHI under HIPAA?
PHI is individually identifiable health information created, received, maintained, or transmitted by a Covered Entity or Business Associate that relates to health status, care, or payment. If a data element can identify a person—directly or indirectly—through one of the 18 identifiers and it pertains to health care or payment in the hands of a Covered Entity or Business Associate, it is PHI.
How is de-identified information different from PHI?
De-identified information has been processed so an individual cannot reasonably be identified. Under HIPAA, this is achieved either by removing all 18 identifiers (Safe Harbor) or obtaining a documented Expert Determination that the re-identification risk is very small. Fully de-identified data is not PHI; a limited data set is still PHI and requires a Data Use Agreement.
What are the compliance requirements for protecting PHI?
Covered Entities and Business Associates must follow the HIPAA Privacy Rule and HIPAA Security Rule. Core requirements include the minimum necessary standard, individual rights, risk analysis, and documented Administrative, Physical, and Technical Safeguards. Organizations must train staff, manage vendors through Business Associate Agreements, maintain audit controls, encrypt ePHI where appropriate, and follow the Breach Notification Rule when incidents occur.