Is PHI Protected Under HIPAA? What’s Protected (and What Isn’t)

Kevin Henry

HIPAA

March 30, 2024


Understanding what counts as Protected Health Information (PHI) under the HIPAA Privacy Rule helps you distinguish what’s safeguarded and what falls outside the law’s scope. In this guide, you’ll learn exactly what is protected, what isn’t, and how data de-identification changes your obligations. The goal is clear patient data protection and practical compliance.

Definition of Protected Health Information

PHI is individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or its business associate. It relates to an individual’s past, present, or future physical or mental health or condition, the provision of health care, or payment for care—and either directly identifies the person or can reasonably be used to identify them.

PHI is protected regardless of format: electronic (ePHI), paper, or oral. If information meets the identifiability threshold and is held by a covered entity or business associate, the Privacy Rule governs how it may be used and disclosed and, for ePHI, the Security Rule requires administrative, physical, and technical safeguards.

Key elements

  • Identifiability: Data that names a person or could identify them when combined with other information.
  • Health context: Data about health status, care delivery, or payment for care.
  • Entity relationship: Data handled by a covered entity or business associate falls under HIPAA; the same data held by an organization outside that relationship does not (other laws may still apply).

HIPAA’s 18 Identifiers List

The Safe Harbor de-identification method lists 18 identifiers of the individual (and of the individual's relatives, employers, or household members) that must be removed. When any of them is present together with health information, the data is PHI:

  1. Names.
  2. All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code), except the initial three digits of a ZIP code when the geographic unit formed by combining all ZIP codes with those three initial digits contains more than 20,000 people; otherwise the three digits are changed to 000.
  3. All elements of dates (except year) for dates directly related to an individual (e.g., birth, admission, discharge, death), and all ages over 89 together with any date elements (including year) that would reveal such an age; these may be aggregated into a single category of 90 or older.
  4. Telephone numbers.
  5. Fax numbers.
  6. Email addresses.
  7. Social Security numbers.
  8. Medical record numbers.
  9. Health plan beneficiary numbers.
  10. Account numbers.
  11. Certificate/license numbers.
  12. Vehicle identifiers and serial numbers, including license plates.
  13. Device identifiers and serial numbers.
  14. Web URLs.
  15. IP addresses.
  16. Biometric identifiers (e.g., finger and voice prints).
  17. Full-face photographs and comparable images.
  18. Any other unique identifying number, characteristic, or code (except a re-identification code that is permitted under Safe Harbor, which must not be derived from information about the individual and whose linking key must not be disclosed).

Forms and Formats of PHI

PHI appears in many forms: electronic health records, lab results, images, claims, referral notes, and billing statements. It also includes oral communications (e.g., a handoff report), paper charts, appointment calendars tied to patients, device data stored in EHRs, and unstructured text in clinical notes.

Don’t overlook metadata and logs that reference patient identifiers, clinical images and waveforms, voicemail messages, patient portal messages, and backups in cloud storage. All of these are PHI and need the same safeguards as the primary record; a backup or log that is outside your risk analysis is a common gap.

Exclusions from PHI Definition

Not all health-related data is PHI. The following are excluded from HIPAA’s PHI definition:

  • De-identified data: Information de-identified under HIPAA’s Safe Harbor or Expert Determination methods.
  • FERPA education records: Student education records (and applicable treatment records) protected by FERPA, not HIPAA.
  • Employment records: Records a covered entity holds in its role as an employer (e.g., HR files), even if they include health information.
  • Consumer data outside HIPAA context: Health data in apps or devices that are not acting for a covered entity or business associate (though other laws may apply).
  • Information about decedents after 50 years: Individually identifiable health information of a person deceased for more than 50 years.
  • Aggregated, non-identifiable statistics: Summaries that cannot reasonably identify an individual.

Importance of PHI Compliance

Getting PHI right protects patients, strengthens trust, and reduces enforcement risk. The HIPAA Privacy Rule sets when you may use or disclose PHI and requires the minimum necessary standard. The Security Rule expects administrative, physical, and technical safeguards for ePHI, aligning security with actual risk.

Practical benefits of compliance

  • Consistent patient data protection across systems and vendors.
  • Reduced breach impact through access controls, encryption, and auditing.
  • Clear processes for authorizations, individual rights, and disclosures.
  • Evidence that covered entity and business associate obligations are actually being met when an audit or investigation asks for it.

De-identification Standards

De-identification is the main route for using health data outside the Privacy Rule. Properly de-identified data is not PHI and falls outside the HIPAA Privacy Rule, though you should still manage re-identification risk contractually and technically, because the rule's protection ends exactly where identifiability ends.

Two permitted methods

  • Safe Harbor: Remove all 18 identifiers of the individual and of relatives, employers, and household members, and have no actual knowledge that the remaining information could be used, alone or in combination, to identify an individual.
  • Expert Determination: A qualified expert applies statistical or scientific principles and documents that the risk of re-identification is very small, with controls to sustain that risk level.

Cautions and good practices

  • Free-text fields may contain hidden identifiers; profile and scrub them.
  • Use random pseudonyms/codes with the linking key stored separately; a re-identification code may not be derived from information about the individual (so no hashed SSNs or MRNs, which can be brute-forced), and the key must not be disclosed.
  • For limited data sets (LDS), remember they are still PHI and require a Data Use Agreement.

Role of Covered Entities

Covered entities include health plans, health care clearinghouses, and health care providers that transmit any health information electronically in connection with a transaction for which HHS has adopted a standard. Business associates are vendors or partners that create, receive, maintain, or transmit PHI on behalf of a covered entity. Both must implement appropriate safeguards and follow HIPAA compliance requirements, and business associates are directly liable under the Security Rule and for impermissible uses and disclosures.

Core responsibilities

  • Use/disclosure rules: PHI may be used or disclosed for treatment, payment, and health care operations without authorization; most other purposes require the individual's written authorization, apart from specific permitted or required disclosures (e.g., to the individual, as required by law, for public health).
  • Minimum necessary: Limit PHI to the least needed for the task.
  • Security safeguards: Implement access controls, audit controls, integrity protections, and contingency plans tailored to risk.
  • Business associate management: Execute BAAs, monitor performance, and flow obligations to subcontractors.
  • Individual rights: Provide access, amendments, and an accounting of disclosures as required.

Summary

In short, PHI is individually identifiable health information handled by covered entities and business associates. Knowing the 18 identifiers, common exclusions, and de-identification paths helps you apply the HIPAA Privacy Rule consistently and operate a practical, risk-based health information security program.

FAQs

What information qualifies as PHI under HIPAA?

PHI is health-related information that identifies an individual (or could reasonably identify them) and is created, received, maintained, or transmitted by a covered entity or business associate. It spans clinical details, billing data, and any associated identifiers in electronic, paper, or oral form.

Are education records considered PHI?

No. Education records (and certain student treatment records) protected by FERPA are not PHI under HIPAA. If a school provides health care to students and maintains records subject to FERPA, those records fall outside HIPAA’s PHI framework.

How does de-identification affect PHI status?

Once data is properly de-identified under Safe Harbor or Expert Determination, it is no longer PHI and the HIPAA Privacy Rule no longer applies to that dataset. You should still manage re-identification risk with technical and contractual controls.

What entities must protect PHI under HIPAA?

Covered entities—health plans, health care clearinghouses, and qualifying health care providers—and their business associates must protect PHI. Their obligations include privacy controls, minimum necessary use, and security safeguards tailored to risk.
