Is PHI Protected Health Information Under HIPAA? Yes—Definition, Examples, and What’s Covered

Kevin Henry

HIPAA

March 02, 2024

7 minutes read

Short answer: yes. PHI—protected health information—is the core data set safeguarded by HIPAA. It captures any health-related details that identify you or could reasonably identify you, whether stored electronically, on paper, or spoken.

This guide explains what counts as PHI, what does not, who must protect it, and how HIPAA’s Privacy and Security Rules work together to preserve health information privacy. You’ll also see practical safeguards, compliance requirements, and your rights over your information.

Definition of PHI

PHI (protected health information) is a subset of individually identifiable health information created, received, maintained, or transmitted by a covered entity or its business associate. It relates to your past, present, or future physical or mental health, the provision of care, or payment for care—and it directly identifies you or could be used to identify you.

Individually Identifiable Health Information (IIHI)

IIHI includes details like names, contact information, medical record numbers, and other identifiers when tied to health data. PHI is simply IIHI in the hands of a covered entity or business associate, in any medium: electronic (ePHI), paper, or oral.

When information becomes PHI

  • It originates with, or is held by, a covered entity (for example, a provider, health plan, or clearinghouse) or a business associate acting for them.
  • It has a health context (condition, treatment, or payment).
  • It identifies an individual or has a reasonable basis to do so.

Examples of PHI

PHI spans clinical, administrative, and billing data that can identify you. Common examples include:

Direct identifiers linked to health data

  • Name, postal address, phone number, email address.
  • Social Security number, medical record number, health plan beneficiary number.
  • Full-face photos and comparable images.

Clinical and payment information

  • Diagnoses, lab results, imaging reports, visit notes, prescriptions, and care plans.
  • Appointment schedules, referral authorizations, claim forms, and explanation-of-benefits details.

Digital and device identifiers when tied to care

  • Device serial numbers, IP addresses, and URLs contained in the medical record or patient portal logs.
  • Wearable or remote monitoring data when a covered entity or business associate collects or manages it for treatment or operations.

Exclusions from PHI

Some information is not PHI—even if it seems health-related—because HIPAA carves out explicit exclusions:

  • De-identified data meeting HIPAA’s de-identification standard (45 CFR 164.514): either an expert determines that the risk of re-identification is very small, or the “Safe Harbor” method removes the 18 listed identifier types (for example, names; geographic subdivisions smaller than a state, with ZIP codes truncated to their first three digits; all date elements except the year, with ages over 89 aggregated to “90 or older”; full-face photos; and device, contact, account, and other unique identifiers) and the covered entity has no actual knowledge that the remaining data could identify the individual.
  • Education records and certain treatment records covered by FERPA.
  • Employment records held by a covered entity in its role as employer (e.g., FMLA paperwork kept by HR).
  • Information about individuals deceased for more than 50 years.
  • Consumer-generated health data that is not created, received, maintained, or transmitted by a covered entity or business associate (though other privacy laws may apply).
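
The Safe Harbor method above is mechanical enough to implement directly. The following Python is an added example, not code from the original article or from Accountable: it applies the Safe Harbor rules to a structured patient record (drop direct identifiers, truncate ZIP codes, keep only the year of dates, collapse ages over 89 to “90+”) and scrubs identifier-looking substrings from free-text notes. The record layout, field names, the regexes, and the sample patients are assumptions; the sparse three-digit ZIP list is the one in HHS guidance derived from the 2000 census and should be checked against current data before use.

```python
import re
from datetime import date

# Added example of Safe Harbor de-identification (45 CFR 164.514(b)(2)).
# Field names, sample records and the free-text regexes are assumptions made
# for this example, not a published schema.

# Identifier fields removed outright under Safe Harbor (names, contact data,
# SSN/MRN/plan/account numbers, device/URL/IP identifiers, biometrics, photos,
# and any other unique identifying number, characteristic or code).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric_id", "photo",
}

# Date fields directly related to the individual: only the year may survive.
DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes whose area holds 20,000 or fewer people become "000".
# Assumption: this is the HHS guidance list (2000 census); verify before use.
SPARSE_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
               "823", "830", "831", "878", "879", "884", "890", "893"}

# Identifier patterns that commonly leak into free text (assumed formats).
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits unless the area is sparsely populated."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in SPARSE_ZIP3 else prefix


def age_on(dob: date, as_of: date) -> int:
    """Age in completed years on the given date."""
    had_birthday = (as_of.month, as_of.day) >= (dob.month, dob.day)
    return as_of.year - dob.year - (0 if had_birthday else 1)


def scrub_text(text: str) -> str:
    """Replace identifier-looking substrings in free text with placeholders."""
    for pattern, placeholder in FREE_TEXT_PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor de-identified copy of one patient record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                              # identifier dropped entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            age = age_on(value, as_of)
            if age > 89:
                out["age"] = "90+"                # no birth year: it would reveal age > 89
            else:
                out["age"] = age
                out["birth_year"] = value.year
        elif key in DATE_FIELDS:
            out[key[:-5] + "_year"] = value.year  # admission_date -> admission_year
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


# Constructed sample records for demonstration (not real patient data).
SAMPLE_AS_OF = date(2024, 3, 2)
SAMPLE_RECORDS = [
    {"name": "Jane Q. Sample", "mrn": "MRN-0001", "dob": date(1931, 6, 15),
     "zip": "05901", "admission_date": date(2023, 11, 3),
     "diagnosis": "I10 essential hypertension",
     "notes": "Follow-up call 555-123-4567; spouse email jqs@example.org on 11/05/2023."},
    {"name": "Sam T. Sample", "mrn": "MRN-0002", "dob": date(1985, 2, 10),
     "zip": "02139", "discharge_date": date(2023, 11, 6),
     "diagnosis": "J45.20 mild intermittent asthma"},
]


def deidentify_samples() -> list:
    """De-identify the constructed sample records as of SAMPLE_AS_OF."""
    return [deidentify(r, SAMPLE_AS_OF) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for row in deidentify_samples():
        print(row)
```

The free-text scrub is a best-effort backstop, not a guarantee: Safe Harbor still requires that the covered entity has no actual knowledge the residual data could identify someone, so a record containing narrative notes usually needs a human review or the expert-determination route before release.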

Covered Entities and Business Associates

A covered entity is a health plan, a healthcare clearinghouse, or a healthcare provider who transmits health information electronically in standard transactions. These organizations must comply with HIPAA’s Privacy, Security, and Breach Notification Rules.

Business associates are vendors or partners that create, receive, maintain, or transmit PHI on a covered entity’s behalf—such as EHR providers, billing services, cloud hosting platforms, or analytics firms. Covered entities must execute a Business Associate Agreement (BAA) that defines permitted uses/disclosures, security requirements, breach reporting, subcontractor obligations, and PHI return or destruction at contract end.

HIPAA Compliance Requirements

Compliance centers on policies, technical and physical safeguards, workforce practices, and documentation that collectively protect PHI and support health information privacy. Key pillars include:

  • Privacy Rule: governs permissible uses/disclosures and individual rights; requires Notice of Privacy Practices and role-based access aligned with the Minimum Necessary Standard.
  • HIPAA Security Rule: applies to ePHI; requires risk analysis, risk management, access controls, audit controls, integrity protections, transmission security, and contingency planning.
  • Breach Notification Rule: requires a documented risk assessment of any impermissible use or disclosure of unsecured PHI, and notification of affected individuals without unreasonable delay (no later than 60 days after discovery), of HHS, and of prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction.
  • Enforcement and documentation: implement policies and procedures, train the workforce, designate privacy and security officials, and maintain records of compliance activities.

The Minimum Necessary Standard requires limiting PHI uses, disclosures, and requests to the least amount needed for the purpose—except for certain situations (for example, disclosures to the individual, for treatment, or when required by law).

Safeguards for PHI

The Security Rule groups safeguards into three categories: administrative, physical, and technical. A documented risk analysis should drive which controls you adopt and how you implement them.

Administrative safeguards

  • Risk analysis and risk management; sanctions for violations; workforce training and awareness.
  • BAA management; incident response and breach notification procedures.
  • Contingency plans: data backup, disaster recovery, and emergency mode operations.

Physical safeguards

  • Facility access controls; visitor management; secure server rooms and wiring closets.
  • Workstation security and device/media controls, including secure disposal and re-use procedures.

Technical safeguards

  • Unique user IDs, role-based access, and automatic logoff; strong authentication (e.g., multifactor).
  • Audit logging and regular review; integrity monitoring and anti-malware.
  • Encryption in transit and at rest; secure configuration and patch management.
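
The Minimum Necessary Standard and the technical safeguards listed above meet in the access layer: each role sees only the fields its job requires, and every read, allowed or denied, is logged in a way that later review can trust. The following Python is an added example, not code from the original article or from Accountable: an in-memory PHI store that filters a record by role and keeps a hash-chained audit log so that edited or deleted entries are detectable on review. The roles, field sets, user and patient identifiers, and the sample record are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Added example: role-based "minimum necessary" filtering plus a tamper-evident
# audit log.  Roles, field sets, identifiers and the sample record are
# assumptions for this example, not a standard.

# Fields each role may see.  Treatment roles get clinical data; billing gets
# only what a claim needs; the front desk sees scheduling and contact data.
ROLE_FIELDS = {
    "physician":  {"mrn", "name", "dob", "diagnoses", "medications", "allergies",
                   "lab_results", "insurance_id"},
    "nurse":      {"mrn", "name", "dob", "diagnoses", "medications", "allergies"},
    "billing":    {"mrn", "name", "dob", "insurance_id", "procedure_codes"},
    "front_desk": {"mrn", "name", "phone", "next_appointment"},
}

GENESIS_HASH = "0" * 64


class AccessDenied(Exception):
    pass


class PhiStore:
    """PHI store enforcing per-role field access and keeping a hash-chained audit log."""

    def __init__(self, records: dict):
        self._records = records
        self.audit_log: list[dict] = []
        self._prev_hash = GENESIS_HASH

    def _append_audit(self, entry: dict) -> None:
        # Each entry commits to the previous one, so removing or rewriting an
        # entry breaks the chain for every entry after it.
        entry["prev_hash"] = self._prev_hash
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(payload).hexdigest()
        self._prev_hash = entry["hash"]
        self.audit_log.append(entry)

    def read(self, user_id: str, role: str, mrn: str, purpose: str, when: datetime) -> dict:
        """Return only the fields the caller's role may see; log every attempt."""
        allowed = ROLE_FIELDS.get(role)
        entry = {"ts": when.isoformat(), "user": user_id, "role": role,
                 "mrn": mrn, "purpose": purpose}
        if allowed is None or mrn not in self._records:
            entry["outcome"] = "denied"
            self._append_audit(entry)
            raise AccessDenied(f"{user_id} ({role}) may not read {mrn}")
        view = {k: v for k, v in self._records[mrn].items() if k in allowed}
        entry["outcome"] = "ok"
        entry["fields"] = sorted(view)             # record exactly what was disclosed
        self._append_audit(entry)
        return view

    def verify_audit_log(self) -> bool:
        """Recompute the hash chain; False if any entry was altered or removed."""
        prev = GENESIS_HASH
        for entry in self.audit_log:
            if entry["prev_hash"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


# Constructed sample record (not a real patient).
SAMPLE_RECORDS = {
    "MRN-1001": {"mrn": "MRN-1001", "name": "Pat Sample", "dob": "1980-01-01",
                 "phone": "555-0100", "diagnoses": ["E11.9"],
                 "medications": ["metformin"], "allergies": ["penicillin"],
                 "lab_results": {"A1C": 7.2}, "insurance_id": "PLAN-77",
                 "procedure_codes": ["99213"], "next_appointment": "2024-03-15"},
}


def demo():
    """Two permitted reads and one denied read against the sample store."""
    store = PhiStore(SAMPLE_RECORDS)
    t = datetime(2024, 3, 2, 9, 0, tzinfo=timezone.utc)
    billing_view = store.read("u-billing", "billing", "MRN-1001", "claim", t)
    nurse_view = store.read("u-nurse", "nurse", "MRN-1001", "treatment", t)
    try:
        store.read("u-temp", "contractor", "MRN-1001", "curiosity", t)
    except AccessDenied:
        pass
    return store, billing_view, nurse_view


if __name__ == "__main__":
    store, billing_view, nurse_view = demo()
    print("billing sees:", sorted(billing_view))
    print("nurse sees:  ", sorted(nurse_view))
    print("audit log intact:", store.verify_audit_log())
```

In production the chain head would be anchored somewhere the application cannot rewrite (a write-once log service or a signed checkpoint), since an attacker who can rewrite the whole log can also rebuild the chain; the in-process version shown here only makes tampering detectable against a saved head hash.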

Rights of Individuals Regarding PHI

HIPAA grants you meaningful control over your PHI. Covered entities must operationalize these rights and respond within required timelines (for example, access requests within 30 days, extendable once by a further 30 days with written notice of the reason).

  • Right of access and copies in a readily producible format (including electronic copies of ePHI); fees must be reasonable and cost-based.
  • Right to request amendments to correct or clarify records; denials require a written explanation and an opportunity to submit a statement of disagreement.
  • Right to request restrictions on certain uses/disclosures; providers must honor restrictions on disclosures to a health plan when you pay in full out of pocket.
  • Right to request confidential communications (for example, alternate address or phone).
  • Right to an accounting of certain disclosures.
  • Right to receive a Notice of Privacy Practices and to file a complaint without retaliation.

Summary

PHI is individually identifiable health information handled by a covered entity or business associate. HIPAA requires privacy practices, the HIPAA Security Rule’s safeguards for ePHI, breach response, BAAs, and adherence to the Minimum Necessary Standard—while giving you clear rights to access, control, and understand how your information is used.

FAQs

What is considered protected health information under HIPAA?

PHI is health-related information that identifies you (or could reasonably identify you) and is created, received, maintained, or transmitted by a covered entity or its business associate. It spans clinical details, billing and payment data, and direct identifiers in any form—electronic, paper, or oral.

How is PHI different from general personal information?

General personal information (like a name on its own) becomes PHI when it is linked to health data and held by a covered entity or business associate. HIPAA regulates PHI with specific privacy, security, and breach rules—distinct from other laws that may govern non-HIPAA personal data.

Which entities must comply with PHI protections?

Covered entities—health plans, healthcare clearinghouses, and healthcare providers that conduct any standard electronic transaction—must comply. Their vendors that handle PHI (business associates and their subcontractors) must also comply: a Business Associate Agreement is required, and business associates are directly liable under the Security Rule and the Breach Notification Rule, not only through the contract.

What types of information are excluded from PHI?

De-identified data meeting HIPAA’s De-Identification Standards, education records covered by FERPA, employment records held by an employer, information about individuals deceased for more than 50 years, and consumer health data not created or received by a covered entity or business associate are excluded from PHI—though other privacy laws may still apply.
