PHI Checklist: Data Elements the HIPAA Privacy Rule Protects

Kevin Henry

HIPAA

March 01, 2025

7 minutes read

Use this PHI checklist to determine what the HIPAA Privacy Rule protects, what falls outside its scope, and the compliant ways you can use, disclose, or transform data. You will find plain-language definitions, the full set of identifiers, key exclusions, and practical pathways for de-identification, limited data sets, and research. Throughout, references to Individually Identifiable Health Information, HIPAA Authorization, Data De-Identification Standards, Limited Data Set Agreement, Covered Entity Obligations, Business Associate Agreements, and Protected Health Information Disclosures are woven in to help you act confidently.

Definition of Protected Health Information

Protected Health Information (PHI) is Individually Identifiable Health Information (IIHI) that relates to an individual’s past, present, or future physical or mental health or condition, the provision of health care, or payment for care—and that is created, received, maintained, or transmitted by a covered entity or its business associate. PHI can exist in any form or medium: electronic, paper, or oral.

Information becomes “individually identifiable” when it contains a direct identifier or when it could reasonably identify the person when combined with other data. Once PHI is in scope, Covered Entity Obligations apply, including safeguards, the minimum necessary standard, patient rights, and accountable tracking of certain Protected Health Information Disclosures.

The 18 Identifiers Constituting PHI

Checklist of direct identifiers

  1. Names.
  2. Geographic subdivisions smaller than a state (street address, city, county, precinct, full ZIP code); the first three ZIP digits may be kept only if the combined area has more than 20,000 people.
  3. All elements of dates (except year) related to an individual, including birth, admission, discharge, death; ages over 89 must be aggregated to “age 90 or older.”
  4. Telephone numbers.
  5. Fax numbers.
  6. Email addresses.
  7. Social Security numbers.
  8. Medical record numbers.
  9. Health plan beneficiary numbers.
  10. Account numbers.
  11. Certificate/license numbers.
  12. Vehicle identifiers and serial numbers, including license plates.
  13. Device identifiers and serial numbers.
  14. Web URLs.
  15. IP address numbers.
  16. Biometric identifiers (e.g., fingerprints, voiceprints).
  17. Full-face photographs and comparable images.
  18. Any other unique identifying number, characteristic, or code (unless it is a non-derived re-identification code held separately).

If all 18 identifiers are removed and you have no actual knowledge that the remaining data could identify someone, the dataset can meet the Safe Harbor pathway under the HIPAA Data De-Identification Standards.

Exclusions from Protected Health Information

Not all health-related data is PHI. Key exclusions include:

  • De-identified information that meets HIPAA’s Data De-Identification Standards (Safe Harbor or Expert Determination).
  • Education records and treatment records covered by FERPA.
  • Employment records held by a covered entity in its role as employer (e.g., workplace injury logs maintained as HR files).
  • Information about an individual deceased for more than 50 years.
  • Consumer health data collected by organizations that are not covered entities or business associates (e.g., many wellness apps), which is not PHI under HIPAA though other laws may apply.

Note that a Limited Data Set is still PHI; it cannot include direct identifiers but remains subject to privacy safeguards and a Limited Data Set Agreement.

De-Identification of PHI

Safe Harbor method

Remove all 18 identifiers listed above and retain no actual knowledge that the remaining data could identify an individual. When satisfied, the resulting dataset is no longer PHI and falls outside HIPAA for use and disclosure.

Expert Determination method

A qualified expert applies accepted statistical or scientific principles to determine and document that the risk of re-identification is very small, given the anticipated data recipients, context, and controls. Documentation of methods and results should be retained as part of your Data De-Identification Standards.

Re-identification codes

You may assign a code to permit re-linkage if the code is not derived from personal information and the key is kept separately with safeguards. If a code can be translated back to identity using readily available information, the data remains PHI.
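As an added illustration (not code from the article or from Accountable), the Python below applies the Safe Harbor rules from the checklist above to a constructed sample record: it drops the direct identifiers, truncates the ZIP code to three digits (falling back to "000" for a placeholder set of low-population prefixes), reduces dates to the year, collapses ages over 89 into "90+" and also drops the birth year when it would indicate such an age, scans the remaining free text for obvious residual identifiers as a simple "actual knowledge" check, and attaches a random re-identification code whose key lives in a separate store. The field names, the ZIP prefix set and the regex patterns are assumptions for the example, not part of the Privacy Rule.

```python
import re
import secrets
from datetime import date

# Assumption: a constructed placeholder for the Census-derived list of 3-digit ZIP
# prefixes covering 20,000 people or fewer. A real pipeline loads the current list.
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}

# Fields treated as direct identifiers (or sub-state geography) and dropped outright.
# Field names are assumptions for this example.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Constructed, deliberately simple patterns for identifiers left behind in free text.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits, or '000' when that prefix covers 20,000 people or fewer."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in SMALL_POPULATION_ZIP3 else prefix


def generalize_date(iso_date: str) -> str:
    """Reduce a date to its year, the only date element Safe Harbor allows to remain."""
    return str(date.fromisoformat(iso_date).year)


def generalize_age(age: int) -> str:
    """Ages over 89 collapse into a single '90+' category."""
    return "90+" if age > 89 else str(age)


def residual_identifiers(text: str) -> list[str]:
    """Return the names of identifier patterns still present in free text."""
    return [name for name, pat in RESIDUAL_PATTERNS.items() if pat.search(text)]


def safe_harbor_deidentify(record: dict, key_store: dict) -> dict:
    """Return a Safe Harbor record; the re-identification key is written only to key_store."""
    over_89 = record.get("age", 0) > 89
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field == "zip":
            out[field] = generalize_zip(value)
        elif field == "birth_date" and over_89:
            continue  # even the birth year would reveal an age over 89
        elif field.endswith("_date"):
            out[field] = generalize_date(value)
        elif field == "age":
            out[field] = generalize_age(value)
        else:
            out[field] = value
    found = residual_identifiers(str(out.get("notes", "")))
    if found:
        raise ValueError(f"free text still contains identifiers: {found}")
    # Re-identification code: random, not derived from any personal information;
    # the mapping back to the MRN is kept only in the separately held key store.
    code = secrets.token_hex(8)
    key_store[code] = record["mrn"]
    out["reid_code"] = code
    return out


SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Q. Example",
    "mrn": "MRN-0001234",
    "ssn": "123-45-6789",
    "email": "jane@example.org",
    "street_address": "1 Example St",
    "city": "Springfield",
    "state": "MA",
    "zip": "03601",
    "birth_date": "1931-05-02",
    "admission_date": "2024-11-14",
    "age": 93,
    "diagnosis": "I10",
    "notes": "Patient reports improvement.",
}

if __name__ == "__main__":
    key_store = {}  # would be stored and access-controlled separately from the release
    print(safe_harbor_deidentify(SAMPLE_RECORD, key_store))
```

The released record keeps state, diagnosis, admission year and the "90+" age bucket; everything the Privacy Rule lists as an identifier is gone, and the only link back to the patient is a random token whose key never leaves the separate store. Note that the free-text check catches only patterns it knows about; names and other narrative identifiers in clinical notes need dedicated review before the Safe Harbor "no actual knowledge" condition can honestly be met.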

Limited Data Set and Its Uses

A Limited Data Set (LDS) excludes all direct identifiers but may include certain fields such as city, state, ZIP code, dates (birth, death, admission, discharge, service), and ages. An LDS can be used or disclosed only for research, public health, or health care operations.

Before sharing an LDS, you must execute a Limited Data Set Agreement (often called a Data Use Agreement). It must specify permitted uses and disclosures, identify who may receive the data, require safeguards, prohibit re-identification and contact, bind subcontractors to the same terms, and require reporting of any violations. Because an LDS remains PHI, the minimum necessary standard and other privacy safeguards still apply.

Covered Entities and Business Associates

Who is covered

  • Covered entities: health plans, health care clearinghouses, and health care providers who transmit health information electronically in standard transactions.
  • Business associates: vendors or partners who create, receive, maintain, or transmit PHI on behalf of a covered entity (or another business associate), such as EHR and cloud providers, billing firms, analytics vendors, consultants, and certain law firms.

Core obligations

  • Covered Entity Obligations include privacy and security safeguards, workforce training, minimum necessary, patient rights (access, amendment), and appropriate accounting for certain Protected Health Information Disclosures.
  • Business associates must implement safeguards and sign Business Associate Agreements that define permitted uses/disclosures, require breach reporting, and flow down obligations to subcontractors.

Whether you are a covered entity or a business associate, verify requestor authority, limit uses and disclosures to what policy and law permit, and document decisions for audit readiness.

PHI Compliance in Research

Lawful pathways to use PHI

  • HIPAA Authorization from each participant that specifically describes the PHI, purpose, recipients, expiration, and rights (including the right to revoke).
  • IRB or Privacy Board waiver/alteration when research poses minimal privacy risk, includes adequate safeguards and destruction plans, and is impracticable without the waiver and the PHI.
  • Use of a Limited Data Set under a Limited Data Set Agreement for research, public health, or operations.
  • Use of de-identified data (outside HIPAA), or PHI solely about decedents with required representations, or PHI for activities preparatory to research (e.g., feasibility reviews) without removing it from the covered entity.

Practical controls

  • Apply minimum necessary for research teams accessing PHI under a waiver or LDS.
  • Track disclosures where required and ensure downstream recipients honor restrictions.
  • Segment identifiers, employ role-based access, and maintain clear data retention and destruction schedules.

Summary

Define PHI precisely, remove or control identifiers appropriately, and choose the correct legal pathway—Authorization, waiver, Limited Data Set, or de-identification. Align your workflows, contracts, and safeguards so every use, disclosure, and dataset is defensible under the HIPAA Privacy Rule.

FAQs

What information does HIPAA consider protected health information?

PHI is Individually Identifiable Health Information related to health status, care, or payment that is created, received, maintained, or transmitted by a covered entity or business associate. If the information includes any of the 18 identifiers or could reasonably identify the person, it is PHI and subject to HIPAA’s rules for use, safeguards, and Protected Health Information Disclosures.

How is PHI de-identified under the HIPAA Privacy Rule?

There are two options. Under Safe Harbor, you remove all 18 identifiers and have no actual knowledge that the remaining data could identify someone. Under Expert Determination, a qualified expert documents that the re-identification risk is very small using recognized methods. Properly de-identified data is no longer PHI.

Who are covered entities under HIPAA?

Covered entities include health plans, health care clearinghouses, and health care providers who transmit health information electronically in standard transactions. Vendors handling PHI for them are business associates and must sign Business Associate Agreements and meet similar safeguard obligations.

What are the key exclusions from PHI?

Exclusions include data de-identified under HIPAA, education records and treatment records under FERPA, employment records held by a covered entity in its role as employer, information on individuals deceased for more than 50 years, and health data collected by non-covered entities (such as many consumer apps), which is not PHI though other laws may still apply.
