Is Protected Health Information (PHI) Protected by HIPAA? Yes—What Counts as PHI and How HIPAA Safeguards It


Kevin Henry

HIPAA

February 14, 2024

5 minutes read

Yes. The Health Insurance Portability and Accountability Act (HIPAA) protects protected health information (PHI) by setting national privacy and security rules. Below, you’ll learn exactly what counts as PHI and how HIPAA requires organizations to safeguard it throughout its lifecycle.

Definition of Protected Health Information

PHI is individually identifiable health information that relates to your past, present, or future physical or mental health, the care you receive, or payment for that care. It is protected when created, received, maintained, or transmitted by a covered entity or its business associate.

PHI spans formats—paper records, spoken information, images, and electronic PHI (ePHI). Identifiers that can tie data to you include names, addresses, full-face photos, contact details, device and biometric identifiers, medical record numbers, and similar data points.

PHI exists within a designated record set, meaning the medical and billing records and other files a provider or health plan uses to make decisions about you. Your HIPAA access and amendment rights attach to this designated record set.

HIPAA Privacy and Security Standards

The HIPAA Privacy Rule governs when PHI may be used or disclosed. Common permitted purposes include treatment, payment, and health care operations, all subject to the minimum necessary standard. You must receive a privacy practices notice explaining allowed uses, your rights, and how to exercise them.

The HIPAA Security Rule requires safeguards for ePHI. Organizations must assess risk, implement security controls, and continually monitor their environment. Core requirements include access control, auditability, integrity protections, and secure transmission—supported by policies, workforce training, and ongoing risk management.

Roles of Covered Entities and Business Associates

Covered entities include health care providers that conduct certain electronic transactions, health plans, and health care clearinghouses. These organizations create or maintain PHI in the course of delivering or paying for care.

Business associates are service providers that handle PHI on behalf of covered entities—such as cloud hosts, billing services, and analytics vendors. Business associate agreements set the privacy, security, and breach obligations business associates must meet and flow these duties down to their subcontractors.

Administrative, Physical, and Technical Safeguards

Administrative safeguards

  • Perform a risk analysis and implement risk management to reduce risks to ePHI.
  • Adopt policies, procedures, and workforce training with role-based access and sanctions for violations.
  • Manage vendors with due diligence and business associate agreements, and test incident response plans.

Physical safeguards

  • Control facility access, secure workstations, and protect portable devices in transit and storage.
  • Use device and media controls for inventory, reuse, and secure disposal of hardware containing ePHI.

Technical safeguards

  • Apply unique user IDs, strong authentication, and automatic logoff to limit access to ePHI.
  • Enable audit controls and centralized logging to detect inappropriate access or exfiltration.
  • Protect integrity and transmission of ePHI with strong encryption standards (for example, AES at rest and TLS in transit) and tamper-evident mechanisms.
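The audit-control point above is easiest to see in code. The following is an added example, not code from the article or from Accountable: it runs two checks over constructed ePHI access log lines, flagging access to a record by a user with no assigned care relationship (a minimum-necessary violation) and a burst of distinct records viewed by one user in a short window (a possible exfiltration signal). The log format, user names, MRNs and the assignment table are all assumptions made for the example.

```python
# Audit-control check over constructed ePHI access log lines (added example).
# Flags (1) access by a user with no assigned care relationship and
# (2) many distinct records touched by one user in a short window.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; a real deployment reads from centralized logging.
ACCESS_LOG = """\
2024-02-14T09:01:10 user=nurse_a mrn=10001 action=view
2024-02-14T09:02:30 user=nurse_a mrn=10002 action=view
2024-02-14T09:05:00 user=billing_b mrn=10003 action=view
2024-02-14T09:05:40 user=billing_b mrn=10001 action=view
2024-02-14T09:06:00 user=clerk_c mrn=10001 action=view
2024-02-14T09:06:05 user=clerk_c mrn=10002 action=view
2024-02-14T09:06:09 user=clerk_c mrn=10003 action=view
2024-02-14T09:06:14 user=clerk_c mrn=10004 action=view
"""
LINES = ACCESS_LOG.splitlines()

# Constructed assignment table: users with a legitimate relationship to each MRN.
ASSIGNED = {"nurse_a": {"10001", "10002"}, "billing_b": {"10003"}, "clerk_c": set()}
BULK_THRESHOLD = 4                  # distinct MRNs ...
BULK_WINDOW = timedelta(minutes=2)  # ... within this span

def parse_line(line):
    """Parse 'TS key=value ...' into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec

def find_unassigned_access(lines, assigned):
    """Return (user, mrn) pairs where the user had no assigned relationship."""
    return [(r["user"], r["mrn"]) for r in map(parse_line, lines)
            if r["mrn"] not in assigned.get(r["user"], set())]

def find_bulk_access(lines, threshold, window):
    """Return users who touched >= threshold distinct MRNs inside one window."""
    by_user = defaultdict(list)
    for r in map(parse_line, lines):
        by_user[r["user"]].append((r["ts"], r["mrn"]))
    flagged = []
    for user, events in sorted(by_user.items()):
        events.sort()
        for i, (start, _) in enumerate(events):
            if len({m for t, m in events[i:] if t - start <= window}) >= threshold:
                flagged.append(user)
                break
    return flagged
```

Both checks depend on an accurate assignment table and a tuned threshold; in practice the table comes from scheduling or admission systems and the threshold from a baseline of normal workload per role.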

Individual Rights under HIPAA

You have the right to access and obtain copies of PHI in your designated record set, including electronic copies when available. Providers generally must respond within 30 days and may charge only reasonable, cost-based fees for copies.

You may request amendments to correct inaccuracies, ask for restrictions on certain disclosures, and direct copies to a third party. You can request confidential communications (like using an alternate address) and must receive a clear privacy practices notice describing these rights and how to file complaints.

Exclusions from PHI under HIPAA

Some information is outside HIPAA’s definition of PHI. De-identified data—where identifiers are removed so you cannot reasonably be identified—is not PHI. Education records covered by FERPA and employment records held by a covered entity in its role as employer are also excluded.

Consumer-generated health data in apps or devices may fall outside HIPAA if the app developer is not a covered entity or business associate. Separate federal and state laws, as well as company privacy policies, may still apply, but HIPAA protections would not.

PHI protections also end 50 years after an individual’s death; after that period, the information is no longer treated as PHI under HIPAA.

Compliance and Audit Requirements

To demonstrate compliance, organizations maintain documentation of risk analyses, policies, training, incident response, and business associate agreements. Routine monitoring, access reviews, encryption standards, and timely breach notification are core operational practices.

HIPAA compliance audits—whether internal assessments or external reviews by regulators—look for evidence that safeguards are implemented and effective. Audit readiness depends on accurate inventories of systems with ePHI, comprehensive logs, and a repeatable process for evaluating and remediating risks.

Conclusion

PHI is protected by HIPAA through clear privacy rules, rigorous security safeguards, and enforceable accountability. When you understand what counts as PHI, who must protect it, and the rights you can exercise, you can better oversee your health information and expect responsible stewardship from organizations that handle it.

FAQs

What information qualifies as protected health information under HIPAA?

PHI includes any individually identifiable health information—medical, billing, or related identifiers—created, received, maintained, or transmitted by a covered entity or business associate. It covers paper, oral, and electronic forms and typically resides in the designated record set used to make decisions about your care.

How does HIPAA protect PHI from unauthorized access?

HIPAA requires administrative, physical, and technical safeguards, ongoing risk management, and the minimum necessary standard. Controls like access management, audit logging, workforce training, and strong encryption standards reduce unauthorized access and help detect and respond to incidents.

Who are covered entities under HIPAA?

Covered entities are health care providers that conduct certain electronic transactions, health plans, and health care clearinghouses. They are directly responsible for complying with the HIPAA Privacy and Security Rules and for managing business associate agreements with vendors that handle PHI on their behalf.

What rights do individuals have over their PHI?

You can access and obtain copies of your PHI, request amendments, ask for restrictions, receive confidential communications, and get a privacy practices notice explaining how your information is used. You may also direct copies to a third party and file complaints if you believe your rights were violated.
