Protected Health Information Includes All of the Following—Except: What Doesn’t Count as PHI Under HIPAA
Definitions of Protected Health Information
Under the HIPAA Privacy Rule, Protected Health Information (PHI) is individually identifiable health information—sometimes called protected health data—that relates to a person’s past, present, or future physical or mental health, the provision of care, or payment for care. It is protected when created or received by a covered entity (such as a healthcare provider, health plan, or clearinghouse) or a business associate that handles information for those entities.
PHI can exist in any medium: paper files, spoken words, images, or electronic records. If the data can identify a person—or there is a reasonable basis to believe it could—it falls under HIPAA’s health information privacy protections. Context matters: who holds the information and for what purpose often determines whether it counts as PHI.
Exclusions from PHI Under HIPAA
Despite its broad scope, HIPAA does not protect every piece of health-related information. Key exclusions include education records governed by FERPA regulations, employment records kept by an employer in its role as employer, de-identified data that meet HIPAA’s de-identification standards, and information about a person who has been deceased for more than 50 years. These categories are outside HIPAA even if they reference health conditions.
Contextual exclusions also apply. Health details you store for your personal use, consumer-app data held by companies that are not acting on behalf of a covered entity, or information maintained solely for non-covered functions (for example, life insurance underwriting) generally are not PHI. When in doubt, ask two questions: Was the information created or received by a covered entity or its business associate, and is an individual identifiable? If either answer is “no,” HIPAA may not apply.
Education Records and FERPA
Education records maintained by a school or district are protected by FERPA regulations, not HIPAA. That includes most health and immunization records kept by a school nurse for K–12 students; because FERPA applies, HIPAA steps back and these records are not PHI. Likewise, at colleges and universities, student treatment records maintained by campus health or counseling services are governed by FERPA (as “treatment records”) and remain outside HIPAA unless they are disclosed for non-treatment purposes, at which point they become FERPA education records—not PHI.
If a student receives care at a provider unaffiliated with the school—such as a community clinic—the resulting records are typically PHI because they are created by a HIPAA-covered provider. The governing regime therefore turns on who maintains the record and under which law, not on the mere presence of health information.
Employment Records versus PHI
Employer health records—such as FMLA certifications, ADA accommodation documents, drug test results, fitness-for-duty exams, and workers’ compensation files—are employment records, not PHI, when kept by the employer in its role as employer. HIPAA does not regulate how employers manage those files (other federal and state laws may apply), even though they describe health conditions.
By contrast, a group health plan is a covered entity. Information the plan holds about enrollees is PHI. To avoid mixing regimes, employers should segregate plan data from general personnel files and limit access to plan PHI to workforce members performing plan administration functions. If an employer learns medical details from its health plan, HIPAA restricts how that information may be used without an authorization.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
De-Identified Health Information
Health information that has been de-identified is not PHI. HIPAA recognizes two de-identification standards: (1) Safe Harbor, in which 18 types of direct identifiers (such as names, detailed geographic data, contact numbers, account numbers, full-face photos, and precise dates other than year) are removed and the covered entity has no actual knowledge the remaining data could re-identify the person; and (2) Expert Determination, in which a qualified expert applies statistical or scientific methods to conclude the risk of re-identification is very small.
Note the distinction between de-identified data and a limited data set. A limited data set still contains certain elements (for example, dates and some geography) and remains PHI, but it may be disclosed for research, public health, or healthcare operations under a data use agreement. Fully de-identified data, by contrast, falls outside HIPAA.
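To make the difference between the two regimes concrete, here is an added Python example (not code from this page or from Accountable) that applies the Safe Harbor checklist to a constructed patient record and, for comparison, builds a limited data set from the same record. The field names, the sample records, and the set of sparsely populated three-digit ZIP prefixes are constructed assumptions; the three-digit ZIP and over-89 age handling follow the Safe Harbor standard's published rules for geographic and age data, which the page summarizes only as "detailed geographic data" and "precise dates other than year".

```python
"""Safe Harbor de-identification vs. limited data set on a constructed record.

Added example. The record keys, sample values and the sparse ZIP-prefix set are
constructed for illustration and are not taken from the page.
"""
from datetime import date

# Record keys standing in for the Safe Harbor identifier categories that are
# removed outright (constructed key names, one per category where it helps).
SAFE_HARBOR_DIRECT = frozenset({
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo", "other_unique_id",
})
# A limited data set drops the 16 direct identifiers but may keep dates,
# city/state/ZIP, age and other codes; it is still PHI and needs a DUA.
LIMITED_DATA_SET_DIRECT = SAFE_HARBOR_DIRECT - {"city", "county", "other_unique_id"}
DATE_FIELDS = frozenset({"birth_date", "admit_date", "discharge_date"})

# Constructed sample records (no real person or identifier).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "street_address": "12 Example St",
    "city": "Springfield",
    "state": "MA",
    "zip": "03601",
    "phone": "555-0100",
    "email": "jane@example.invalid",
    "ssn": "000-00-0000",
    "mrn": "MRN-CONSTRUCTED-1",
    "birth_date": date(1931, 4, 2),
    "admit_date": date(2024, 1, 15),
    "age": 92,
    "diagnosis_code": "E11.9",
    "device_serial": "SN-CONSTRUCTED-1",
}
SAMPLE_RECORD_YOUNG = {"zip": "02139", "age": 40, "birth_date": date(1984, 5, 6)}
# Constructed placeholder for the 3-digit ZIP areas with 20,000 or fewer people.
SPARSE_ZIP3 = frozenset({"036"})


def _zip3(zip_code, sparse_zip3):
    # Safe Harbor keeps the first three ZIP digits unless that area has
    # 20,000 or fewer people, in which case the prefix becomes "000".
    prefix = str(zip_code)[:3]
    return "000" if prefix in sparse_zip3 else prefix


def safe_harbor(record, sparse_zip3=frozenset()):
    """Return a Safe Harbor de-identified copy of `record`."""
    out = {}
    for key, value in record.items():
        if key in SAFE_HARBOR_DIRECT:
            continue                      # direct identifier: drop it
        if key in DATE_FIELDS:
            out[key] = value.year         # dates keep the year only
        elif key == "zip":
            out[key] = _zip3(value, sparse_zip3)
        elif key == "age":
            out[key] = "90+" if value >= 90 else value  # ages over 89 aggregate
        else:
            out[key] = value
    if out.get("age") == "90+":
        out.pop("birth_date", None)       # a birth year would reveal age > 89
    return out


def limited_data_set(record):
    """Return a limited data set: direct identifiers removed, dates/geography kept."""
    return {k: v for k, v in record.items() if k not in LIMITED_DATA_SET_DIRECT}


def is_phi(record):
    """Heuristic used by this example: anything still carrying a Safe Harbor
    identifier, a full date, a full ZIP, or an age of 90+ is treated as PHI."""
    if not SAFE_HARBOR_DIRECT.isdisjoint(record):
        return True
    if any(isinstance(record.get(f), date) for f in DATE_FIELDS):
        return True
    if len(str(record.get("zip", ""))) > 3:
        return True
    age = record.get("age")
    return isinstance(age, int) and age >= 90


if __name__ == "__main__":
    print("safe harbor:", safe_harbor(SAMPLE_RECORD, SPARSE_ZIP3))
    print("limited data set:", limited_data_set(SAMPLE_RECORD))
    print("LDS still PHI:", is_phi(limited_data_set(SAMPLE_RECORD)))
```

Running the block shows the same record collapsing to state, ZIP-3, admission year, an aggregated age band and the diagnosis code under Safe Harbor, while the limited data set keeps city, full ZIP and full dates and therefore still tests as PHI. The `is_phi` check is deliberately conservative: it says nothing about the "no actual knowledge" condition or about an Expert Determination, which the code cannot evaluate.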
Time Limits on PHI Protection
For living individuals, HIPAA’s protections for PHI do not expire; protected health data remains PHI as long as it can identify the person and is held by a covered entity or business associate. This is separate from record retention rules. HIPAA requires keeping privacy-related policies and certain documentation for at least six years, but that administrative requirement does not impose a PHI time limitation.
For decedents, HIPAA draws a clear line: information remains PHI for 50 years after the individual’s death. After that 50-year period, the information is no longer PHI under HIPAA, although other ethical standards or state laws may still guide handling of historical medical materials.
Exceptions for Deceased Individuals
HIPAA allows specific disclosures of a decedent’s PHI before the 50-year mark without an authorization. Covered entities may share relevant information with family members and others involved in the person’s care or payment for care prior to death, disclose to coroners and medical examiners, funeral directors, and organ procurement organizations, and provide information for research solely on decedents when required representations are in place. Law enforcement and public health disclosures may also be permitted under defined circumstances.
After 50 years, the federal HIPAA status changes: the data is no longer PHI. Still, you should apply the minimum necessary principle while the protections apply and check any applicable state rules. Bottom line: understanding what doesn’t count as PHI under HIPAA—especially FERPA-governed school records, employer-held files, properly de-identified data, and records beyond the 50-year postmortem window—helps you handle health information privacy correctly.
FAQs
What types of information are excluded from PHI?
Education records covered by FERPA, employment records kept by an employer in its role as employer, properly de-identified datasets that meet HIPAA’s de-identification standards, and information about individuals deceased for more than 50 years are excluded. Consumer health app data held by a company that is not acting on behalf of a covered entity is also generally outside HIPAA.
How does FERPA affect education records as PHI?
When FERPA applies, education records—including most school-maintained health and immunization records—are governed by FERPA regulations and are not PHI. HIPAA defers to FERPA for these records, so HIPAA’s Privacy Rule does not apply.
Are employer-held health records considered PHI?
No. Employer health records used for employment purposes (such as FMLA, ADA, workers’ compensation, or fitness-for-duty files) are employment records, not PHI. However, PHI held by a group health plan sponsored by the employer is protected and must be kept separate from general personnel files.
When does health information lose PHI status after death?
PHI remains protected for 50 years following an individual’s death. Once that 50-year period passes, the information is no longer PHI under HIPAA, though ethical considerations and state laws may still influence appropriate handling.