Is PHI Protected Health Information? Definition, Examples, and HIPAA Rules
Definition of Protected Health Information
Protected Health Information (PHI) is individually identifiable health information that is created, received, maintained, or transmitted by a HIPAA covered entity or its business associate. PHI relates to an individual’s past, present, or future physical or mental health, health care, or payment for health care and can reasonably be used to identify the person. PHI may exist in any form—paper, electronic (ePHI), or oral.
Who is regulated
Covered Entities include health plans, most health care providers that transmit standard transactions electronically, and health care clearinghouses. Business associates are vendors or service providers that create, receive, maintain, or transmit PHI on behalf of covered entities. Both must protect PHI under the HIPAA Privacy Rule.
Examples of PHI Identifiers
Under HIPAA’s Safe Harbor De-identification Standards, the following Protected Health Information Identifiers are considered direct identifiers. If any are present in health data held by a covered entity or business associate, the data is PHI:
- Names.
- Geographic subdivisions smaller than a state (for example, street address, city, county, precinct, ZIP code).
- All elements of dates (except year) directly related to an individual, including birth, admission, discharge, death; ages over 89 are aggregated.
- Telephone numbers.
- Fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate or license numbers.
- Vehicle identifiers and serial numbers, including license plates.
- Device identifiers and serial numbers.
- Web URLs.
- IP addresses.
- Biometric identifiers (for example, finger or voice prints).
- Full-face photographs and comparable images.
- Any other unique identifying number, characteristic, or code.
Clinical details (such as diagnoses, lab values, or treatment notes) become PHI when they can be linked to an individual through these identifiers or by reasonable inference.
HIPAA Privacy Rule Overview
The HIPAA Privacy Rule establishes when PHI may be used or disclosed and grants individuals specific rights. It applies to Covered Entities and, through contracts, to business associates that handle PHI on their behalf.
Permitted uses and disclosures
PHI may be used or disclosed without authorization for treatment, payment, and health care operations (TPO). Additional permitted disclosures include certain public health activities, health oversight, and as required by law. Outside these purposes, a valid, signed authorization is generally required.
Core principles
- Minimum necessary: use or disclose only the PHI needed for the task.
- Notice of Privacy Practices: inform individuals how their PHI is used and their rights.
- Individual rights: access, obtain copies, request amendments, request restrictions, and receive an accounting of certain disclosures.
- Administrative requirements: policies, workforce training, and safeguards tailored to risk.
Exceptions and Exclusions to PHI
Not all health-related information is PHI. The following are common exclusions and boundaries:
- De-identified data: information that meets HIPAA De-identification Standards is not PHI.
- Education records: student health records protected by FERPA are excluded.
- Employment records: health information maintained by an employer (even a health system) in its role as employer is not PHI.
- Records of persons deceased more than 50 years: these are no longer PHI.
- Consumer apps not acting for a Covered Entity: data held solely by a direct-to-consumer app or wearable, when not acting on behalf of a covered entity or business associate, generally falls outside HIPAA.
Business Associates and PHI Safeguards
Business associates must protect PHI they handle for Covered Entities and flow down the same duties to subcontractors. A Business Associate Agreement (BAA) defines permitted uses, required safeguards, breach reporting, and termination obligations.
Required safeguards
- Administrative: risk analysis, workforce training, access management, and incident response.
- Physical: facility access controls, device/media protection, and secure disposal.
- Technical: unique user IDs, access controls, encryption, audit logging, and transmission security.
- Minimum necessary and role-based access: limit PHI to what users need to perform their function.
- Breach notification: promptly notify the covered entity consistent with the HIPAA Breach Notification Rule.
De-identified Information Standards
HIPAA recognizes two primary De-identification Standards. Properly de-identified data is no longer PHI and may be used or shared outside HIPAA, subject to other applicable laws and contracts.
Safe Harbor method
- Remove the 18 direct identifiers listed above.
- Ensure the covered entity and business associate have no actual knowledge that the remaining information could identify the individual.
Expert Determination method
- A qualified expert applies accepted statistical or scientific methods to determine and document a very small risk of re-identification.
- Mitigation controls (for example, generalization, suppression, or perturbation) are documented and maintained over time.
Limited Data Set (LDS)
An LDS removes most direct identifiers but may retain city, state, ZIP code, and certain dates. It remains regulated PHI and requires a Data Use Agreement specifying allowed purposes, safeguards, and prohibitions on re-identification.
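As an added example (not code from this page or from Accountable), the Python below applies the Safe Harbor rules listed above to a constructed patient record, or alternatively reduces it to a Limited Data Set, and then scans whatever text remains for identifier-shaped strings that field-level stripping misses. The field names, the sample values and the 2024-01-01 as-of date are assumptions of the example.

```python
import re
from datetime import date

# Constructed sample record (not real patient data); the field names are this
# example's own assumptions about how a source system labels its columns.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "mrn": "MRN-0001234", "ssn": "123-45-6789",
    "email": "jane@example.invalid", "street": "1 Example Way",
    "city": "Springfield", "state": "IL", "zip": "62704",
    "birth_date": "1931-02-14", "admission_date": "2023-11-05",
    "diagnosis": "Type 2 diabetes mellitus", "a1c": 7.9,
    "notes": "Follow-up call to 555-0100 re: insulin titration.",
}
DIRECT_IDS = {"name", "mrn", "ssn", "email", "street"}  # dropped in both modes
LDS_ONLY = {"city", "zip"}  # an LDS may keep these; Safe Harbor removes them
FREE_TEXT_PATTERNS = {  # identifier shapes that hide inside free-text fields
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}

def age_on(birth_iso: str, as_of: date) -> int:
    b = date.fromisoformat(birth_iso)
    return as_of.year - b.year - ((as_of.month, as_of.day) < (b.month, b.day))

def deidentify(record: dict, mode: str = "safe_harbor",
               as_of: date = date(2024, 1, 1)) -> dict:
    """Copy of record stripped per Safe Harbor ("safe_harbor") or reduced to an LDS ("lds")."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDS or (key in LDS_ONLY and mode == "safe_harbor"):
            continue
        if key.endswith("_date") and mode == "safe_harbor":
            # Keep the year only; an age over 89 is aggregated to "90+" and its
            # birth year withheld, because the year alone would reveal the age.
            if key == "birth_date" and age_on(value, as_of) > 89:
                out["age_category"] = "90+"
            else:
                out[key.replace("_date", "_year")] = value[:4]
            continue
        out[key] = value
    return out

def leaked_identifiers(record: dict) -> dict:
    """Map each field to identifier types found in its text; {} means clean."""
    return {k: found for k, v in record.items() if isinstance(v, str) and
            (found := [n for n, p in FREE_TEXT_PATTERNS.items() if p.search(v)])}
```

The block takes the conservative reading of the list above and drops the whole ZIP code under Safe Harbor. Run `leaked_identifiers` on the output before release: the phone number embedded in the notes survives field-level stripping in both modes.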
Compliance Requirements for Covered Entities
Covered Entities must implement a privacy and security program scaled to their risk. Start with an enterprise-wide risk analysis, then adopt policies, procedures, and controls that address identified gaps and ensure ongoing governance.
- Designate privacy and security officials responsible for HIPAA oversight.
- Publish and distribute a compliant Notice of Privacy Practices.
- Train workforce members initially and periodically; apply sanctions for violations.
- Execute Business Associate Agreements with all vendors handling PHI; manage subcontractor risk.
- Apply the minimum necessary standard, role-based access, and auditing across systems containing ePHI.
- Maintain incident response and breach notification processes, including documentation and timely reporting.
- Retain required documentation for the period specified by HIPAA and applicable state laws.
In short, PHI is individually identifiable health information protected by the HIPAA Privacy Rule. Understanding identifiers, permitted uses, exclusions, safeguards, and de-identification pathways allows you to handle PHI lawfully while supporting care, operations, and innovation.
FAQs
What constitutes protected health information?
PHI is individually identifiable health information created or received by a Covered Entity or business associate that relates to health status, care, or payment and could identify the individual. It includes clinical details and any associated identifiers in paper, electronic, or oral form.
How does HIPAA protect PHI?
The HIPAA Privacy Rule limits when PHI can be used or disclosed, requires the minimum necessary standard, and grants individual rights like access and amendment. Through policies, training, and safeguards, Covered Entities and business associates must prevent unauthorized uses and disclosures and respond to incidents.
What information is excluded from PHI?
De-identified data that meets HIPAA standards, education records under FERPA, employment records held by an employer, and records of individuals deceased for more than 50 years are not PHI. Data held solely by consumer apps outside a HIPAA relationship also generally falls outside PHI.
How must business associates handle PHI?
Business associates must comply with their Business Associate Agreements, use or disclose PHI only for permitted purposes, implement administrative, physical, and technical safeguards, ensure subcontractor compliance, apply minimum necessary access, and promptly notify covered entities of security incidents or breaches.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.