Navigating PHI: Comprehensive Guide to Protected Health Information Under HIPAA

Kevin Henry

HIPAA

January 15, 2024

7 minutes read

Definition of Protected Health Information

Protected Health Information (PHI) is Individually Identifiable Health Information related to a person’s past, present, or future physical or mental health, the provision of care, or payment for care. It becomes PHI when created, received, maintained, or transmitted by a Covered Entity or its Business Associate, in any form—paper, electronic, or oral.

Who is covered

  • Covered Entity: health plans, health care clearinghouses, and providers that conduct standard electronic transactions.
  • Business Associate: a person or organization that performs services for a Covered Entity involving PHI (for example, billing, analytics, cloud hosting).

What makes information “identifiable”

Information is identifiable when it includes direct or indirect identifiers that can reasonably be used to determine the individual’s identity, especially when combined with health-related details.

Examples of PHI

PHI is contextual: the same data can be PHI when held by a Covered Entity or Business Associate but not when held solely for personal use. Common examples include:

  • Names, addresses, phone numbers, emails linked to diagnoses, treatments, or claim details.
  • Medical record numbers, account numbers, insurance member IDs, and health plan beneficiary numbers.
  • Clinical data such as lab results, imaging, prescriptions, problem lists, and visit notes.
  • Appointment dates, admission/discharge dates, and birth or death dates when tied to an individual’s health record.
  • Biometric identifiers and full-face photos used in a care context.
  • Device IDs, IP addresses, and URLs collected through patient portals or apps provided by a Covered Entity.
  • Claims, invoices, and payment data that reference an identifiable patient.

Exclusions from PHI

  • De-identified information meeting HIPAA’s de-identification standard (explained below).
  • Education records and certain student treatment records covered by FERPA.
  • Employment records maintained by a Covered Entity in its role as employer.
  • Health information about a person deceased for more than 50 years.
  • Data collected or held by a non-HIPAA entity solely for personal use and not on behalf of a Covered Entity or Business Associate.

De-Identification of PHI

De-identified data is not PHI. HIPAA recognizes two methods:

1) Safe Harbor method

Remove all of the following 18 identifiers and have no actual knowledge that the remaining information could identify the individual:

  • Names
  • Geographic subdivisions smaller than a state (with limited zip code exceptions)
  • All elements of dates (except year) related to an individual; ages 90+ must be aggregated
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP address numbers
  • Biometric identifiers (for example, fingerprints, voiceprints)
  • Full-face photos and comparable images
  • Any other unique identifying number, characteristic, or code
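As an added example that is not part of the original article, the Python below applies the Safe Harbor rules above to a constructed record: direct identifiers are dropped, dates are reduced to the year, ages of 90 and over are aggregated, and ZIP codes are cut to three digits. The field names, the sample record and the restricted-ZIP set are assumptions; the three-digit ZIP retention rule and its 20,000-person threshold come from the regulation itself, not from this page.

```python
from datetime import date

# Constructed sample record; every value is invented, not real patient data.
SAMPLE = {
    "name": "Jane Doe",
    "mrn": "MRN-0012345",
    "zip": "02139",
    "birth_date": "1931-04-12",
    "admission_date": "2024-01-10",
    "diagnosis": "Type 2 diabetes mellitus",
}

# Field names are assumptions about this record layout; each maps onto a Safe Harbor
# identifier category that is removed outright rather than generalized.
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "member_id", "account_number", "phone", "fax",
                      "email", "license_plate", "device_id", "url", "ip", "biometric", "photo"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# The first three ZIP digits may stay unless that three-digit area holds 20,000 people or
# fewer, in which case they become "000". Constructed placeholder set; a real one is derived from Census data.
RESTRICTED_ZIP3 = {"036", "059", "102"}

def safe_harbor_zip(zip_code):
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3

def age_on(birth_iso, as_of):
    born = date.fromisoformat(birth_iso)
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))

def de_identify(record, as_of_iso):
    as_of = date.fromisoformat(as_of_iso)  # reference date for computing age
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # dropped entirely
        if key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = value[:4]  # keep the year only
        elif key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        else:
            out[key] = value  # clinical content such as diagnoses and labs is retained
    if "birth_date" in record:
        age = age_on(record["birth_date"], as_of)
        if age >= 90:  # ages over 89, and the birth year that reveals them, collapse to "90+"
            out.pop("birth_year", None)
            out["age"] = "90+"
        else:
            out["age"] = str(age)
    return out
```

Free-text fields pass through unchanged here, so a note that embeds a phone number or other unique detail still needs review under the final catch-all category, and the "no actual knowledge" condition remains a human judgement.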

2) Expert Determination method

A qualified expert applies statistical or scientific principles to determine that the risk of re-identification is very small and documents the methods and results. Re-identification codes, if used, must not be derived from personal information and must be kept separately.

HIPAA Privacy Rule Overview

The Privacy Rule governs how Covered Entities and Business Associates use and disclose PHI and grants individuals rights over their information. Permitted uses include treatment, payment, and health care operations; most other uses require written authorization. The “minimum necessary” standard applies to routine uses and disclosures.

Individual rights

  • Access and obtain copies of PHI in a designated record set, including electronic copies when available.
  • Request amendments to inaccurate or incomplete PHI.
  • Receive an accounting of certain disclosures.
  • Request restrictions and confidential communications (for example, alternate address or phone).
  • Receive a Notice of Privacy Practices explaining uses, rights, and contacts.

HIPAA Security Rule Standards

The Security Rule applies to electronic PHI (ePHI) and requires risk-based safeguards. Standards include required and addressable implementation specifications across three categories.

Administrative Safeguards

  • Risk analysis and risk management, security official assignment, and policies/procedures.
  • Workforce training, role-based access, sanctions, and vendor/Business Associate oversight.
  • Contingency planning, data backup, disaster recovery, and incident response.

Physical Safeguards

  • Facility access controls, workstation security, device/media controls, and secure disposal.

Technical Safeguards

  • Access controls (unique IDs, MFA, automatic logoff), audit controls, and integrity protections.
  • Transmission security (encryption in transit), encryption at rest where appropriate, and authentication.

Breach Notification Requirements

The Breach Notification Rule requires notice following a breach of unsecured PHI. A breach is an impermissible acquisition, access, use, or disclosure that compromises privacy or security, unless a documented risk assessment shows a low probability of compromise.

Four-factor risk assessment

  • The nature and extent of PHI involved.
  • The unauthorized person who used or received the PHI.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk has been mitigated.

Who to notify and when

  • Individuals: without unreasonable delay and no later than 60 days after discovery.
  • Media and the Secretary of HHS for breaches affecting 500 or more residents of a state or jurisdiction.
  • For fewer than 500 affected individuals, log and report to HHS within 60 days of the end of the calendar year.
  • Business Associates must notify the Covered Entity without unreasonable delay (no later than 60 days) with details to support individual notifications.

Notices must include what happened, types of PHI involved, steps individuals should take, actions taken to mitigate harm, and contact information.

Enforcement and Penalties under HIPAA

The HHS Office for Civil Rights (OCR) investigates complaints and breach reports and conducts compliance reviews. Outcomes may include technical assistance, corrective action plans with monitoring, or civil monetary penalties. The civil penalty structure is tiered by culpability, with per-violation amounts and annual caps adjusted for inflation.

Willful neglect that is not corrected carries the highest penalties. Criminal penalties may apply for knowingly obtaining or disclosing PHI, with enhanced penalties for false pretenses or intent to sell or use PHI for personal gain or malicious harm. State Attorneys General may also bring civil actions on behalf of residents.

Recent Updates to HIPAA Regulations

Recent activity has focused on clarifying privacy protections and strengthening security expectations. Key themes include:

  • Reproductive health privacy: strengthened limits on using or disclosing PHI to investigate or prosecute lawful reproductive health care, plus new attestation requirements for certain disclosures.
  • Alignment with 42 CFR Part 2: closer harmonization of substance use disorder confidentiality rules with the HIPAA Privacy Rule and the Breach Notification Rule.
  • Tracking technologies: guidance emphasizing that data from pixels, cookies, and SDKs on patient-facing sites or apps can be PHI when linked to care, requiring appropriate safeguards and Business Associate agreements.
  • Recognized security practices: OCR considers implementation of industry-recognized security frameworks over the preceding 12 months when evaluating enforcement and mitigation.
  • Return to standard telehealth compliance: post-emergency, routine HIPAA requirements apply to remote communications and telehealth workflows.

Conclusion

Understanding what constitutes PHI, how it may be used or disclosed, and how to safeguard it is fundamental to HIPAA compliance. By applying the Privacy and Security Rules, preparing for the Breach Notification Rule, and monitoring regulatory updates, you can protect individuals’ rights while enabling safe, effective health care operations.

FAQs

What information qualifies as PHI under HIPAA?

PHI is Individually Identifiable Health Information related to health, care delivery, or payment that is created, received, maintained, or transmitted by a Covered Entity or Business Associate. It includes identifiers (for example, name, MRN, contact details) when linked to health information, and it can exist in paper, electronic, or oral form.

How does HIPAA define de-identified health information?

De-identified information is not PHI. It must either remove all 18 Safe Harbor identifiers with no actual knowledge of re-identification risk, or undergo Expert Determination showing a very small risk that the data could identify an individual, with methods and results documented.

What actions are required after a PHI breach?

Conduct the four-factor risk assessment, mitigate the risks identified, and provide the required notifications to affected individuals without unreasonable delay and no later than 60 days after discovery, and, when applicable, to HHS and the media. Business Associates must notify the Covered Entity and supply the details needed for timely individual notices.

What penalties exist for HIPAA non-compliance?

OCR can require corrective action and impose tiered civil monetary penalties per violation with annual caps, increasing with the level of culpability. Willful neglect not corrected carries the highest penalties. Certain conduct can trigger criminal penalties, and State Attorneys General may bring civil actions.
