HIPAA’s Definition of Protected Health Information (PHI): Scope, Exclusions, and Real‑World Edge Cases

Kevin Henry

HIPAA

January 30, 2024

9 minute read

Definition of Protected Health Information

What PHI means under HIPAA

Protected Health Information (PHI) is Individually Identifiable Health Information that is created, received, maintained, or transmitted by a covered entity or its business associate and relates to an individual’s past, present, or future health status, care, or payment for care. PHI can exist in any medium—oral, paper, or electronic (ePHI).

Individually Identifiable Health Information

Information is “individually identifiable” when it either directly identifies a person (for example, name or Social Security number) or could reasonably be used to identify them when combined with other data (such as a unique diagnosis paired with a small ZIP code). Context matters: the same data element may be PHI in a patient portal but not in a public, non-patient webpage.

Scope indicators

  • Subject matter: details about health conditions, care delivered, or payment for care.
  • Source and custody: held by a covered entity or business associate in connection with healthcare activities.
  • Medium: applies uniformly across paper, oral, and electronic records; ePHI additionally triggers HIPAA Security Rule safeguards.
  • Use standard: disclosure and access follow the “minimum necessary” principle except for treatment and certain other permitted uses.

Covered Entities and Their Roles

Who is a covered entity

Covered entities include health plans, healthcare providers that conduct standard electronic transactions, and healthcare clearinghouses that translate nonstandard health information into standard formats (and vice versa). Each has independent obligations to safeguard PHI.

Operational responsibilities

Covered entities may use and disclose PHI for treatment, payment, and healthcare operations, and must implement administrative, physical, and technical safeguards. They must also honor individual rights such as access, amendment, and accounting of disclosures.

Working with business associates

Vendors that create, receive, maintain, or transmit PHI on behalf of a covered entity are business associates. Before sharing PHI, the parties must sign a Business Associate Agreement that defines permitted uses, safeguards, breach reporting, and subcontractor flow-down terms.

Exclusions from Protected Health Information

FERPA Exclusion

Education records and certain treatment records maintained by a school subject to FERPA are not PHI. For example, a student’s immunization record kept by the school nurse under FERPA is excluded from HIPAA, while care provided by an affiliated hospital clinic is typically HIPAA-covered.

Employment records held by an employer

Information a covered entity maintains in its role as an employer (for example, workers’ compensation files or reasonable accommodation documentation) is not PHI. The same immunization record could be PHI in the clinic but an employment record in HR.

De-identified information

Data de-identified under HIPAA’s Safe Harbor Method or via Expert Determination is not PHI. Aggregate statistics that cannot identify a person fall outside HIPAA, though re-identification controls must be maintained.

Information about decedents after 50 years

HIPAA protections end 50 years after an individual’s death. Records older than that window are not PHI, though ethical and other legal considerations may still apply.

Limited Data Set nuance

A Limited Data Set excludes direct identifiers but can include dates and certain geographic details. It remains PHI and may be disclosed only for research, public health, or operations under a Data Use Agreement.

De-Identification Methods and Standards

The two recognized pathways

HIPAA recognizes two paths to de-identification: the Safe Harbor Method, which removes specific identifiers, and Expert Determination, which uses statistical techniques to reduce re-identification risk to a very small level.

Safe Harbor Method (18 identifiers)

  • Names.
  • Geographic subdivisions smaller than a state (street, city, county, precinct, ZIP code; the first 3 ZIP digits may be retained when the population threshold is met; otherwise use 000).
  • All elements of dates (except year) for dates directly related to an individual; ages over 89 must be grouped as “90 or older.”
  • Telephone numbers and fax numbers.
  • Email addresses.
  • Social Security numbers.
  • Medical record and health plan beneficiary numbers.
  • Account and certificate/license numbers.
  • Vehicle identifiers, including license plates.
  • Device identifiers and serial numbers.
  • Web URLs and IP addresses.
  • Biometric identifiers (for example, fingerprints, voiceprints).
  • Full-face photos and comparable images.
  • Any other unique identifying number, characteristic, or code (except a permitted re-identification code that is not derived from the data).
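As an added example (not code from the article), the following Python applies the Safe Harbor rules listed above to one flat record: direct identifiers are dropped, dates are reduced to the year, ZIP codes are cut to their first three digits or replaced by 000, and ages over 89 are collapsed to “90 or older” together with the birth year that would reveal them. The field names, the sample record, the reference date and the LOW_POPULATION_ZIP3 set are constructed assumptions; the real prefix list must be derived from current census data.

```python
from datetime import date
# Constructed placeholder: 3-digit ZIP prefixes whose geographic units fall at or below
# the Safe Harbor population threshold (derive the real set from current census data).
LOW_POPULATION_ZIP3 = {"036", "059"}

# Safe Harbor identifiers that are removed outright rather than generalized.
REMOVE_FIELDS = {"name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
                 "account_number", "license_number", "vehicle_plate", "device_serial",
                 "url", "ip_address", "biometric_id", "photo"}
# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}

def generalize_zip(zip_code: str) -> str:
    """Keep only the 3-digit prefix, or '000' when that prefix fails the threshold."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix

def years_between(start: date, end: date) -> int:
    """Whole years from start to end, allowing for a birthday not yet reached."""
    years = end.year - start.year
    if (end.month, end.day) < (start.month, start.day):
        years -= 1
    return years

def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor de-identified copy of record; as_of anchors the age rule."""
    out = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue                            # direct identifier: dropped entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key + "_year"] = value.year     # month and day removed
        else:
            out[key] = value                    # e.g. diagnosis codes are retained
    if "birth_date" in record:
        age = years_between(record["birth_date"], as_of)
        if age > 89:
            # Over 89: the age and any date element (year included) revealing it go.
            out.pop("birth_date_year", None)
            out["age"] = "90 or older"
        else:
            out["age"] = age
    return out

# Constructed sample record with fictional values, and a fixed reference date.
AS_OF = date(2024, 1, 30)
SAMPLE = {"name": "Jane Example", "ssn": "123-45-6789", "zip": "03601",
          "birth_date": date(1930, 6, 15), "admission_date": date(2023, 11, 2), "diagnosis": "E11.9"}
```

Free-text fields such as clinical notes are passed through unchanged here; the final Safe Harbor item (any other unique identifying number, characteristic, or code) still requires a separate review of such fields.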

Expert Determination

An expert applies accepted statistical or scientific principles to determine and document that the risk of re-identification is very small. The expert should describe assumptions, techniques, and controls (for example, k-anonymity, l-diversity, or differential privacy) and recommend ongoing risk management.
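As an added illustration of the metrics an expert might document (not the article's or any vendor's code), this Python computes the k-anonymity and l-diversity actually achieved by a small constructed table of Safe Harbor-style records and lists the quasi-identifier combinations that fall below a target k. The records, field names and choice of quasi-identifiers are assumptions for the example.

```python
from collections import Counter

# Constructed sample of records already reduced to year and 3-digit ZIP (fictional values).
RECORDS = [
    {"zip3": "902", "birth_year": 1980, "sex": "F", "diagnosis": "E11.9"},
    {"zip3": "902", "birth_year": 1980, "sex": "F", "diagnosis": "I10"},
    {"zip3": "902", "birth_year": 1980, "sex": "F", "diagnosis": "J45.909"},
    {"zip3": "100", "birth_year": 1975, "sex": "M", "diagnosis": "E11.9"},
    {"zip3": "100", "birth_year": 1975, "sex": "M", "diagnosis": "E11.9"},
    {"zip3": "000", "birth_year": 1962, "sex": "M", "diagnosis": "C34.90"},
]
# Assumed quasi-identifiers: fields an outsider could plausibly link to a person.
QUASI_IDENTIFIERS = ("zip3", "birth_year", "sex")

def equivalence_classes(records, quasi_ids=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)

def k_anonymity(records, quasi_ids=QUASI_IDENTIFIERS) -> int:
    """The k the dataset actually achieves: the size of its smallest equivalence class."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0

def l_diversity(records, sensitive="diagnosis", quasi_ids=QUASI_IDENTIFIERS) -> int:
    """Smallest number of distinct sensitive values found within any equivalence class."""
    groups = {}
    for r in records:
        groups.setdefault(tuple(r[q] for q in quasi_ids), set()).add(r[sensitive])
    return min(len(values) for values in groups.values()) if groups else 0

def violating_classes(records, k, quasi_ids=QUASI_IDENTIFIERS):
    """Quasi-identifier combinations whose class is smaller than k (re-identification hotspots)."""
    return [cls for cls, n in equivalence_classes(records, quasi_ids).items() if n < k]
```

In the sample, the 100/1975/M class satisfies k=2 yet has l=1, so membership alone reveals the diagnosis; that is why an expert report tracks both measures rather than k alone.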

Limited Data Set versus de-identified data

A Limited Data Set is not de-identified: it still contains dates and some locations and therefore remains PHI, but it can be shared for specific purposes with a Data Use Agreement. Fully de-identified data is outside HIPAA and can be used or disclosed without HIPAA restrictions.

Real-World Edge Cases in PHI Protection

Consumer health apps and wearables

Data in a personal health app is usually outside HIPAA unless the app provides services on behalf of a covered entity under a Business Associate Agreement. The same heart rate data can be PHI if populated from a provider’s EHR into the app, but not PHI when tracked solely for personal use.

Telehealth platforms and metadata

Call logs, chat transcripts, device IP addresses, and session IDs managed by a telehealth vendor are PHI when the vendor acts as a business associate. If a general videoconference tool is used without a BAA, transmitting PHI through it may violate HIPAA even if streams are encrypted.

Photos, video, and ambient capture

Full-face images, whiteboard shots showing patient names, or hallway videos with readable wristbands are PHI. Images scrubbed of identifiers may still be PHI if the setting or context could reasonably identify the patient (for example, a rare procedure in a small town).

Employer programs and on-site clinics

Wellness program data run by a group health plan is PHI; the same metrics collected by an employer outside the plan are employment records, not PHI. An employer-operated on-site clinic that bills insurers is typically a covered provider and must treat clinic records as PHI.

Students, campuses, and dual regimes

University medical centers are HIPAA covered, but a student health record maintained by the university under FERPA is excluded from HIPAA. Coordination between the hospital and registrar requires careful boundary controls to avoid improper PHI sharing.

Genetic data and biospecimens

Genomic sequences linked to identifiers are PHI. Even coded biospecimens may be PHI if a covered entity or business associate holds the key that links the code to individuals.

Incidental disclosures and BYOD

Incidental disclosures (overheard names at a nursing station) are permissible only when reasonable safeguards and minimum-necessary practices are in place. On personal devices, PHI requires access controls, encryption, and sanctioned apps to prevent unapproved syncing or cloud backups.

Hybrid Entities and Compliance

What Hybrid Entity Designation means

A hybrid entity performs both covered and non-covered functions and formally designates its healthcare components. Only those components are subject to HIPAA for their operations, but the entity must erect and maintain boundaries that prevent impermissible PHI flow.

How to implement the designation

  • Identify covered functions and supporting components that need PHI access.
  • Document the Hybrid Entity Designation and keep it current as operations change.
  • Segment systems, workforce, and vendors; apply “need to know” access and data-sharing rules.
  • Treat other internal units as business associates if they provide services to healthcare components.

Common examples

Universities with medical centers, municipal governments with public hospitals, and retailers operating in-store clinics often adopt a hybrid model to avoid applying HIPAA to the entire enterprise.

Pitfalls to avoid

If you fail to designate or maintain boundaries, regulators may treat the whole organization as a covered entity. Inventory PHI data flows and audit access routinely to verify separation holds in practice.

Business Associates Responsibilities

Who qualifies as a business associate

Cloud hosting providers, EHR vendors, billing services, analytics firms, and telehealth platforms that handle PHI on behalf of a covered entity are business associates—even if they never view unencrypted data.

Business Associate Agreement essentials

  • Permitted and required uses/disclosures of PHI and explicit prohibitions.
  • Administrative, physical, and technical safeguards aligned to the HIPAA Security Rule.
  • Subcontractor “flow-down” obligations and right-to-audit provisions.
  • Incident and breach reporting duties, timeframes, and cooperation terms.
  • Return or destruction of PHI at termination and limits on retention.

Safeguards and breach notification

Business associates must manage risk, control access, encrypt data at rest and in transit, monitor logs, train workforce members, and conduct periodic evaluations. They must report breaches to the covered entity without unreasonable delay and no later than 60 days after discovery.

Practical controls that stand up in audits

  • Strong identity and access management, including MFA and least privilege.
  • Network segmentation, vulnerability management, and secure software development practices.
  • Data loss prevention for emails, APIs, and storage; tested backup and recovery.
  • Documented risk assessments, vendor due diligence, and tabletop breach exercises.

Conclusion

Understanding HIPAA’s definition of PHI hinges on context: who holds the data, what it describes, and how identifiable it is. Clear scoping, rigorous de-identification, correct Hybrid Entity Designation, and well-crafted Business Associate Agreements keep compliance aligned with real-world workflows.

FAQs

What information qualifies as protected health information under HIPAA?

PHI is Individually Identifiable Health Information related to a person’s health, care, or payment for care that is held or transmitted by a covered entity or business associate. It includes direct identifiers (like names) and indirect identifiers (like small-area geography paired with diagnoses) across paper, oral, and electronic formats.

How are de-identified data distinguished from PHI?

Data are not PHI if they have been de-identified via HIPAA’s Safe Harbor Method (removing specified identifiers with required rules for ZIP codes and dates) or through Expert Determination that documents a very small re-identification risk. A Limited Data Set is still PHI and requires a Data Use Agreement.

Are personal health apps covered by HIPAA?

Generally no. Consumer apps and devices are outside HIPAA unless they handle data on behalf of a covered entity under a Business Associate Agreement. When an app integrates with a provider’s system under a BAA, the information it processes in that role is PHI.

What are the responsibilities of business associates regarding PHI?

Business associates must implement HIPAA Security Rule safeguards, use and disclose PHI only as permitted by contract and law, manage subcontractors, and report breaches to the covered entity without unreasonable delay (no later than 60 days after discovery). They must also return or destroy PHI at contract end where feasible.
