Protected Health Information (PHI) Definition: What It Means and What Counts Under HIPAA



Kevin Henry

HIPAA

February 15, 2024

8 minute read

Overview of Protected Health Information

Protected Health Information (PHI) is individually identifiable health information that relates to a person’s past, present, or future physical or mental health or condition, the provision of health care, or payment for care. PHI identifies the individual, or there is a reasonable basis to believe it can be used to identify the individual, and it is created, received, maintained, or transmitted by a covered entity or its business associates.

PHI can exist in any medium—paper, verbal, or digital. When PHI is stored or transmitted electronically, it is called Electronic Protected Health Information (ePHI). The HIPAA Privacy Rule sets the standards for how PHI may be used and disclosed, while the HIPAA Security Rule sets expectations for safeguarding ePHI.

PHI, ePHI, and de‑identified data

  • PHI: Individually Identifiable Health Information held or used by covered entities or business associates.
  • ePHI: PHI in electronic form (EHRs, patient portals, emailed claims, cloud backups).
  • De‑identified data: Information stripped of identifiers so the person cannot be identified; once properly de‑identified, it is no longer PHI.

Types of Information Included in PHI

Common data elements that constitute PHI

  • Demographics linked to health context (name with a diagnosis or treatment record).
  • Clinical content: diagnoses, medications, lab results, imaging, care plans, progress notes.
  • Claims and billing records: EOBs, insurance numbers, prior authorizations, payment histories.
  • Care delivery data: appointment schedules, referrals, discharge summaries, telehealth recordings.
  • Device and app data when a covered entity or business associate creates, receives, or maintains it (remote monitoring feeds, patient portal messages).

What is not PHI

  • Properly de‑identified information (via Safe Harbor or expert determination).
  • Education records covered by FERPA and employment records held by a covered entity in its role as employer.
  • Information about individuals deceased for more than 50 years.
  • Data a consumer keeps or shares directly with a non‑covered app that is not acting on behalf of a covered entity (may be protected by other laws, but not HIPAA).

A Limited Data Set (most direct identifiers removed, but dates, city, state and ZIP retained) is still PHI, not an exception. What changes is that it may be used or disclosed for research, public health, or health care operations under a data use agreement without individual authorization; it must still be safeguarded, and an impermissible disclosure of it is still a breach.

De‑identification Safe Harbor: 18 identifiers to remove

  • Names.
  • Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code); the first three digits of a ZIP code may be kept only if the area sharing those three digits contains more than 20,000 people, otherwise they are changed to 000.
  • All elements of dates (except year) directly related to an individual (birth, admission, discharge, death); for individuals over 89, every date element that would reveal the age, including the year, must go, and such ages may be aggregated into a single 90+ category.
  • Telephone numbers.
  • Fax numbers.
  • Email addresses.
  • Social Security numbers.
  • Medical record numbers.
  • Health plan beneficiary numbers.
  • Account numbers.
  • Certificate/license numbers.
  • Vehicle identifiers and serial numbers, including license plates.
  • Device identifiers and serial numbers.
  • Web URLs.
  • IP addresses.
  • Biometric identifiers (fingerprints, voiceprints).
  • Full‑face photos and comparable images.
  • Any other unique identifying number, characteristic, or code.

Removing the 18 identifiers is only half of Safe Harbor: the covered entity must also have no actual knowledge that the remaining information could be used, alone or in combination with other data, to identify the individual. A rare diagnosis in a small ZIP3 area with a year of birth can still single someone out, which is why free‑text fields need review rather than a purely mechanical pass.
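The list above reads as a checklist, but in practice it is applied as a transformation over each record. The following is an added example, not code from the original article or from Accountable, that performs that mechanical pass on a patient record: it drops the direct identifiers, keeps only the state for geography, applies the 3‑digit ZIP rule, reduces dates to years, and handles the over‑89 edge case by dropping the birth year as well. The field names, the record layout, and the sample records are assumptions for illustration; the set of restricted ZIP3 prefixes is the one HHS's de‑identification guidance lists from 2000 Census data and should be refreshed before use.

```python
# Added example (not from the original article): a mechanical pass that applies
# the Safe Harbor rules to one patient record. Field names, the record layout
# and the sample data are assumptions for illustration only.
import re
from datetime import date

# Direct identifiers that Safe Harbor removes outright (assumed field names).
REMOVE_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo", "other_unique_id",
}
# Geographic fields smaller than a state; only "state" survives.
GEO_BELOW_STATE = {"street", "city", "county", "precinct"}
# Dates directly related to the individual; reduced to the year.
DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}
# ZIP3 areas with 20,000 or fewer residents, as listed in HHS's
# de-identification guidance (2000 Census data). Refresh before relying on it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}


def generalize_zip(zip_code):
    """Keep the first three digits unless that ZIP3 area is too small."""
    zip3 = re.sub(r"\D", "", zip_code or "")[:3]
    if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3:
        return "000"
    return zip3


def age_on(birth_date, as_of):
    """Whole years between birth_date and as_of."""
    before_birthday = (as_of.month, as_of.day) < (birth_date.month, birth_date.day)
    return as_of.year - birth_date.year - before_birthday


def safe_harbor_deidentify(record, as_of):
    """Return a new dict with the 18 Safe Harbor identifiers removed or generalized.

    Unrecognised fields pass through unchanged, so any column not listed above
    (free text especially) still needs human review: Safe Harbor also requires
    no actual knowledge that what remains could identify the person.
    """
    out = {}
    for field, value in record.items():
        if field in REMOVE_FIELDS or field in GEO_BELOW_STATE:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "birth_date":
            age = age_on(value, as_of)
            if age > 89:
                # Year of birth would reveal an age over 89, so it goes too.
                out["age"] = "90+"
            else:
                out["age"] = age
                out["birth_year"] = value.year
        elif field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = value.year
        else:
            out[field] = value
    return out


# Constructed, fictional sample records.
SAMPLE_ELDERLY = {
    "name": "Jane Q. Example", "mrn": "MRN-0001234", "ip_address": "203.0.113.7",
    "street": "1 Example St", "city": "Exampleville", "state": "VT", "zip": "05901",
    "birth_date": date(1931, 3, 2), "admission_date": date(2024, 1, 15),
    "diagnosis": "I10",
}
SAMPLE_ADULT = {
    "name": "John Q. Example", "email": "john@example.com",
    "state": "NY", "zip": "10001",
    "birth_date": date(1990, 6, 30), "discharge_date": date(2024, 1, 20),
    "diagnosis": "J45.20",
}
AS_OF = date(2024, 2, 15)


def deidentify_samples():
    """Run both samples; the first exercises the ZIP3 and over-89 edge cases."""
    return (safe_harbor_deidentify(SAMPLE_ELDERLY, AS_OF),
            safe_harbor_deidentify(SAMPLE_ADULT, AS_OF))


if __name__ == "__main__":
    for rec in deidentify_samples():
        print(rec)
```

Running it shows the elderly record reduced to state, a 000 ZIP3 (059 is a restricted prefix), the single "90+" age bucket with no birth year, the admission year, and the diagnosis code; the adult record keeps ZIP3 100, age 33 and birth year 1990. The diagnosis passes through untouched in both cases, which is exactly the "actual knowledge" gap the function's docstring warns about: the code enforces the 18 identifiers, not the second half of the standard.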

HIPAA Privacy Rule Compliance

The HIPAA Privacy Rule governs when and how PHI may be used and disclosed. To comply, you must define permissible uses, obtain authorizations when required, and apply the minimum necessary principle for most non‑treatment uses and disclosures.

Core principles

  • Minimum Necessary: Limit PHI used, disclosed, or requested to what is reasonably needed for the purpose. It does not apply to uses or disclosures for treatment, disclosures to the individual, disclosures made under a valid authorization, disclosures to HHS for compliance, or disclosures required by law.
  • Authorization: Obtain written authorization for uses beyond treatment, payment, and health care operations (e.g., most marketing or sale of PHI).
  • Notice of Privacy Practices: Provide clear notice describing uses/disclosures, rights, and how to exercise them.

Operational requirements

  • Appoint a privacy official; implement policies, procedures, and workforce training.
  • Execute business associate agreements (BAAs) with vendors that handle PHI.
  • Maintain records and respond to complaints; apply sanctions for non‑compliance.
  • Use de‑identification or limited data sets when full PHI is unnecessary.

Access and portability

Ensure timely individual access to records to support health information portability. You may provide electronic copies in the format requested if readily producible and transmit records to a third party at the patient’s direction.

Covered Entities and Business Associates

Covered Entities include health plans, health care clearinghouses, and health care providers who transmit health information in standard electronic transactions. Business Associates are persons or organizations that create, receive, maintain, or transmit PHI on behalf of a covered entity (or another business associate) for regulated functions.


Examples

  • Covered Entities: hospitals, physician practices, pharmacies, dental clinics, insurers, HMOs.
  • Business Associates: EHR and cloud vendors, billing services, transcriptionists, data analytics firms, secure messaging providers, shredding/storage vendors.

Contracts and scope

  • Business Associate Agreements must require safeguards, permitted uses, breach reporting, and downstream obligations for subcontractors.
  • Hybrid entities must designate their health care component to confine HIPAA obligations appropriately.

Uses and Disclosures of PHI

Permitted without authorization

  • Treatment, payment, and health care operations (quality improvement, auditing, credentialing).
  • Public interest and benefit activities: required by law, public health reporting, health oversight, judicial/administrative proceedings, law enforcement, organ donation, workers’ compensation, to avert serious threats, specialized government functions.
  • Research under an IRB/privacy board waiver, or with a limited data set and data use agreement.
  • Disclosures to the individual and for HHS compliance investigations.

Authorization required

  • Most marketing communications, sale of PHI, and use/disclosure of psychotherapy notes.
  • Other disclosures not otherwise permitted by the Privacy Rule. Authorizations must be specific and revocable.

Other considerations

  • Incidental disclosures may occur despite safeguards and are not violations when reasonable protections exist.
  • The minimum necessary standard applies to most uses/disclosures except treatment and certain mandated reports.

Safeguarding and Security Measures

You must protect PHI with reasonable and appropriate administrative, physical, and technical safeguards. For ePHI, the Security Rule emphasizes risk‑based controls that scale to your size and complexity.

Administrative safeguards

  • Enterprise risk analysis and risk management plan.
  • Policies, procedures, and workforce training; sanctions for violations.
  • Contingency planning: backups, disaster recovery, emergency operations.
  • Vendor management and BAAs; routine security evaluations.

Physical safeguards

  • Facility access controls and visitor management.
  • Workstation security, device encryption, and secure disposal/media re‑use procedures.
  • Environmental controls for server rooms and locked storage for paper PHI.

Technical safeguards

  • Access controls: unique user IDs, strong authentication, role‑based access, automatic logoff.
  • Audit controls: activity logging, monitoring, and regular review.
  • Integrity and transmission security: message authentication codes or digital signatures to detect tampering (plain checksums only catch accidental corruption), TLS or VPN for data in motion, and encryption at rest.
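Audit controls and integrity protection reinforce each other: an access log that can be silently edited is worth little to a forensic review. The following is an added example, not code from the original article or from Accountable, of a tamper‑evident ePHI access log built as a keyed hash chain, with a verifier that reports the first damaged entry and a small review query of the kind the "regular review" bullet calls for. The key, the event fields and the sample events are assumptions for illustration; in production the key lives in a KMS or HSM and the log is shipped off the host that writes it.

```python
# Added example (not from the original article): a tamper-evident ePHI access
# log built with a keyed hash chain, plus a simple review query. The key,
# field names and sample events are assumptions for illustration; in
# production the key lives in a KMS/HSM and the log is shipped off-host.
import copy
import hashlib
import hmac
import json
from collections import defaultdict

GENESIS = "0" * 64  # chain anchor before the first entry


def _canonical(body):
    """Stable byte encoding so the MAC does not depend on dict ordering."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _mac(key, prev_mac, body):
    """HMAC over the previous entry's MAC plus this entry's body."""
    return hmac.new(key, prev_mac.encode() + _canonical(body), hashlib.sha256).hexdigest()


def append_event(key, entries, actor, action, record_id, purpose, ts):
    """Append one access event; its MAC covers the previous entry's MAC."""
    prev = entries[-1]["mac"] if entries else GENESIS
    body = {"seq": len(entries), "ts": ts, "actor": actor, "action": action,
            "record_id": record_id, "purpose": purpose}
    entries.append({**body, "mac": _mac(key, prev, body)})
    return entries


def verify_chain(key, entries):
    """Return (True, None) if intact, else (False, index of first bad entry).

    Editing, reordering or deleting an entry changes what the next MAC must
    cover, so the first entry at or after the damage fails the check.
    """
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or not hmac.compare_digest(entry["mac"], _mac(key, prev, body)):
            return False, i
        prev = entry["mac"]
    return True, None


def actors_over_record_limit(entries, max_records):
    """Review query: actors who touched more distinct records than expected."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["actor"]].add(e["record_id"])
    return sorted(a for a, recs in seen.items() if len(recs) > max_records)


# Constructed demo key and events (fictional).
DEMO_KEY = b"demo-only-key-use-a-kms-backed-secret-in-production"


def build_demo_log():
    log = []
    append_event(DEMO_KEY, log, "dr_smith", "read", "MRN-0001234", "treatment", "2024-02-15T09:00:00Z")
    append_event(DEMO_KEY, log, "billing_01", "read", "MRN-0001234", "payment", "2024-02-15T09:05:00Z")
    append_event(DEMO_KEY, log, "dr_smith", "read", "MRN-0005678", "treatment", "2024-02-15T09:10:00Z")
    return log


def tampered_copy(entries):
    """Rewrite who performed entry 1 without recomputing its MAC."""
    bad = copy.deepcopy(entries)
    bad[1]["actor"] = "someone_else"
    return bad


def deleted_copy(entries):
    """Drop entry 1 so the old entry 2 sits at index 1 with the wrong predecessor."""
    return entries[:1] + entries[2:]


if __name__ == "__main__":
    log = build_demo_log()
    print(verify_chain(DEMO_KEY, log))                  # (True, None)
    print(verify_chain(DEMO_KEY, tampered_copy(log)))   # (False, 1)
    print(verify_chain(DEMO_KEY, deleted_copy(log)))    # (False, 1)
    print(actors_over_record_limit(log, 1))             # ['dr_smith']
```

Two design points worth noting. First, the chain detects edits, reordering and deletions in the middle, but not truncation of the tail: an attacker who can delete the last N entries leaves a chain that still verifies, so the latest MAC must be periodically anchored somewhere the log writer cannot reach (a separate system, a signed timestamp, or a WORM store). Second, `hmac.compare_digest` is used rather than `==` so verification time does not leak how many leading bytes of a forged MAC were correct.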

Data Breach Notification

  • Impermissible uses/disclosures of unsecured PHI are presumed to be breaches unless a documented four‑factor risk assessment (nature and extent of the PHI, who received it, whether it was actually acquired or viewed, and the extent of mitigation) shows a low probability that the PHI was compromised.
  • Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
  • Notify HHS: for breaches affecting 500 or more individuals, at the same time as individual notice; for smaller breaches, in a log submitted within 60 days after the end of the calendar year in which the breach was discovered.
  • If a breach affects more than 500 residents of a state or jurisdiction, also notify prominent media outlets serving that area.
  • Business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovery.
  • Encryption makes PHI "secured" (and so outside the notification rule) only when it follows the HHS guidance, which points to NIST‑consistent encryption for data at rest and in motion, and only if the decryption key has not itself been compromised. A lost laptop with full‑disk encryption and the password on a sticky note is still a notifiable breach.

Patient Rights and PHI

Individuals have robust rights under the HIPAA Privacy Rule that you must operationalize through policies, procedures, and staff training.

Key rights

  • Access: Obtain copies of PHI (including ePHI) generally within 30 days, with one permissible 30‑day extension.
  • Amendment: Request corrections to inaccurate or incomplete PHI.
  • Accounting of disclosures: Receive a record of certain disclosures for the previous six years (excluding most TPO activities).
  • Restrictions: Request limits on uses/disclosures; you must honor a request to restrict disclosures to a health plan when the individual pays in full out‑of‑pocket for the item or service.
  • Confidential communications: Request alternative means or locations for communications.
  • Notice and complaints: Receive a Notice of Privacy Practices and file complaints without retaliation.

Conclusion

PHI encompasses Individually Identifiable Health Information managed by Covered Entities and their Business Associates, whether on paper, spoken, or electronic (ePHI). By following the HIPAA Privacy Rule’s use/disclosure standards, enforcing minimum necessary, securing data with layered safeguards, and honoring patient rights, you reduce risk, support health information portability, and maintain trust.

FAQs

What is considered protected health information under HIPAA?

PHI is Individually Identifiable Health Information related to a person’s health, care, or payment for care that is created, received, maintained, or transmitted by a covered entity or business associate in any form. If the information can identify the person—alone or in combination with other data—and is held within the HIPAA ecosystem, it is PHI.

How do covered entities handle PHI?

Covered entities limit PHI to the minimum necessary, use it for treatment, payment, and health care operations, obtain authorizations when required, provide a Notice of Privacy Practices, execute BAAs with vendors, train staff, and implement administrative, physical, and technical safeguards. They also investigate incidents and follow Data Breach Notification requirements when applicable.

What are the patient rights regarding PHI?

Patients can access and receive copies of their records (including ePHI), request amendments, obtain an accounting of certain disclosures, ask for restrictions, request confidential communications, receive a privacy notice, and file complaints. If they pay in full out‑of‑pocket, they can require a restriction on disclosure to a health plan for that service.

How is PHI protected against unauthorized access?

Organizations protect PHI through layered safeguards: role‑based access, authentication, encryption, secure transmission, logging and monitoring, physical security of facilities and devices, workforce training, vendor oversight, contingency planning, and routine risk analysis with corrective actions. These controls work together to prevent, detect, and respond to threats while supporting compliant operations.
