PHI Examples: What Counts as Protected Health Information Under HIPAA
Knowing exactly what counts as Protected Health Information helps you handle health data correctly and avoid costly mistakes. This guide clarifies the HIPAA Privacy Rule definition, shows common PHI examples, explains key exclusions (including FERPA Exclusions), and outlines how HIPAA’s De-identification Standards work in practice.
Definition of Protected Health Information
Under the HIPAA Privacy Rule, Protected Health Information (PHI) is a subset of Individually Identifiable Health Information created, received, maintained, or transmitted by Covered Entities (health plans, healthcare providers that conduct standard transactions, and healthcare clearinghouses) or their business associates. PHI relates to:
- Past, present, or future physical or mental health or condition of an individual,
- Provision of healthcare to an individual, or
- Payment for the provision of healthcare to an individual.
Information qualifies as PHI when it both concerns health, care, or payment and identifies the person (or could reasonably be used to identify them). PHI can exist in any medium—paper, oral, or electronic (ePHI).
The three-part test
- It is health, care, or payment information,
- It is Individually Identifiable Health Information (directly or indirectly identifiable), and
- It is held or transmitted by a Covered Entity or its business associate.
Common Examples of PHI
Any health-related content paired with identifiers is PHI. HIPAA’s Safe Harbor list names 18 identifiers that, when present with health information, make it PHI:
- Names
- Geographic subdivisions smaller than a state (e.g., street address, city, ZIP code; limited exceptions apply)
- All elements of dates (except year) directly related to an individual (e.g., birth, admission, discharge, death) and ages 90+
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health Plan Beneficiary Numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric Identifiers (e.g., fingerprints, voiceprints)
- Full-face photos and comparable images
- Any other unique identifying number, characteristic, or code
Everyday PHI scenarios
- Lab results, imaging reports, or visit notes with a patient’s name or medical record number.
- Insurance claim forms showing diagnoses and Health Plan Beneficiary Numbers.
- Appointment reminders containing a patient’s name and provider information.
- Prescription labels with patient identifiers and medication details.
Exclusions from PHI
Not all health-related information is PHI. Important exclusions include:
- De-identified data that satisfies HIPAA De-identification Standards (Safe Harbor or Expert Determination).
- FERPA Exclusions: education records and eligible student treatment records protected by the Family Educational Rights and Privacy Act.
- Employment records held by a Covered Entity in its role as employer (e.g., HR files, leave requests), even if they include health information.
- Information about a person deceased for more than 50 years.
- Health information collected or held solely by non-covered consumer apps or devices (no Covered Entity or business associate involved), though other laws may still apply.
De-identified Health Information
De-identified information is not PHI because it is no longer Individually Identifiable Health Information. HIPAA recognizes two methods:
Safe Harbor method
- Remove all 18 identifiers for the individual and for relatives, employers, or household members.
- Ensure you have no actual knowledge that remaining data can identify the person.
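As an added example (not part of the original page or of any vendor's tooling), the Python below applies the Safe Harbor steps to a constructed patient record: the direct identifiers from the 18-item list are dropped, geography is reduced to the state, dates to the year, and ages of 90 or more are aggregated into a single bucket; a second pass then scans the surviving free text for identifier patterns, because a note field can carry a phone number or SSN that field-level removal misses. The field names and regular expressions are assumptions for this example, and the "no actual knowledge" condition is a human judgement that code cannot make.

```python
import re
from datetime import date
# Field names are assumptions for this example; real record schemas differ.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "zip", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_no", "license_no", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

def safe_harbor_deidentify(record: dict) -> dict:
    """Drop direct identifiers, keep only state-level geography, reduce dates
    to the year, and collapse ages 90 and over into a single '90+' bucket."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                        # identifier: drop it
        if key in DATE_FIELDS and isinstance(value, date):
            out[key.replace("_date", "_year")] = value.year  # keep year only
        elif key == "age":
            out["age"] = "90+" if value >= 90 else value    # aggregate 90+
        else:
            out[key] = value              # state, diagnosis, free text remain
    return out

# Identifier patterns that commonly survive inside free text such as notes.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ipv4": re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),
}

def residual_identifiers(record: dict) -> list:
    """(field, identifier_type) pairs for patterns found in string values;
    any hit means the record is still PHI despite the field-level scrub."""
    return [(k, label) for k, v in record.items() if isinstance(v, str)
            for label, pat in IDENTIFIER_PATTERNS.items() if pat.search(v)]

SAMPLE = {  # constructed sample record, not real data
    "name": "Jane Example", "street": "1 Example Rd", "city": "Springfield",
    "state": "IL", "zip": "62704", "birth_date": date(1931, 4, 12),
    "admission_date": date(2024, 3, 5), "age": 92, "ssn": "123-45-6789",
    "email": "jane@example.com", "mrn": "MRN0001", "ip_address": "10.0.0.7",
    "diagnosis": "Type 2 diabetes", "note": "Pt called from 555-123-4567.",
}
if __name__ == "__main__":
    deid = safe_harbor_deidentify(SAMPLE)
    print(deid, residual_identifiers(deid))
```

On the sample the scrubbed record keeps state, years, the 90+ bucket and the diagnosis, yet the residual scan still flags the phone number in the note, so the output is not yet de-identified.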
Expert Determination method
- A qualified expert applies accepted principles and documents that the risk of re-identification is very small.
Related concepts
- Limited Data Set: certain identifiers (e.g., dates, some geography) may remain for research/operations/public health under a Data Use Agreement. A Limited Data Set is still PHI and requires safeguards.
- Re-identification codes must not be derived from personal information and may not be used to identify individuals outside permitted purposes.
Non-PHI Examples in Practice
- Aggregate hospital readmission rates released after proper de-identification under the De-identification Standards.
- Step counts stored in a standalone consumer fitness app with no Covered Entity involved.
- A medical device serial number held on its own by a manufacturer, with no person's health information attached (it becomes PHI once tied to a named patient's therapy record at a Covered Entity).
- Information an individual posts about their own health on social media (not created or received by a Covered Entity or business associate).
- A public directory listing a clinician’s office address and phone number (business information, not a patient record).
PHI in Healthcare Settings
Clinical care
- Electronic health records, progress notes, vital signs, and diagnostic images labeled with patient identifiers.
- Care team whiteboards or wristbands that display names and bed numbers when needed for treatment.
Operations and billing
- Claims, remittance advices, authorizations, and utilization review files with diagnoses and member IDs.
- Quality improvement datasets containing dates and medical record numbers (apply the minimum necessary standard).
Communications
- Patient portal messages, discharge instructions, and callback notes that include identifiers.
- Appointment reminders or refill notices that reveal only the minimum necessary PHI.
Employment and Education Records
Employment health information kept by an employer—such as FMLA certifications, drug test results, or pre-employment physicals stored in HR—falls outside HIPAA’s PHI definition. However, the same exam results kept by the clinician in the clinic’s medical record remain PHI at the provider.
Education records and certain student treatment records controlled by schools are protected under FERPA, not HIPAA. University health centers sometimes operate as Covered Entities; in that case, clinic records may be PHI, while student education records elsewhere at the institution remain under FERPA. Understanding this boundary is essential to apply FERPA Exclusions correctly.
Summary
- PHI combines health-related content with identifiers and is handled by Covered Entities or their business associates.
- De-identified data (via Safe Harbor or Expert Determination) is not PHI; Limited Data Sets are still PHI.
- Key exclusions include FERPA-protected records, employment records held by employers, and data about individuals deceased for more than 50 years.
FAQs
What information qualifies as PHI under HIPAA?
Information qualifies as PHI when it relates to health, care, or payment; identifies a person (directly or indirectly); and is created, received, maintained, or transmitted by a Covered Entity or its business associate. Examples include medical record numbers, Health Plan Beneficiary Numbers, Biometric Identifiers, and any clinical details linked to a patient.
What types of health information are excluded from PHI?
De-identified datasets that meet HIPAA’s De-identification Standards, FERPA-protected education and eligible student treatment records, employment records held by an employer, and information about individuals deceased for more than 50 years are excluded. Health data held solely by non-covered consumer apps can also fall outside HIPAA.
How does de-identified information differ from PHI?
De-identified information has been processed so individuals cannot reasonably be identified. Under Safe Harbor, all 18 identifiers are removed and there is no actual knowledge of identifiability; under Expert Determination, a qualified expert documents a very small re-identification risk. Because it is no longer Individually Identifiable Health Information, it is not PHI.
Are employment health records considered PHI?
No, employment health records maintained by an employer—such as workers’ compensation files, fitness-for-duty exams stored in HR, or disability paperwork—are not PHI. However, copies of the same records kept by a healthcare provider in the medical chart are PHI at that provider.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.