Protected Health Information (PHI) Under HIPAA: Definition and Examples

Kevin Henry

HIPAA

February 15, 2024

9 minutes read

Definition of Protected Health Information

Protected Health Information (PHI) under the HIPAA Privacy Rule is a subset of Individually Identifiable Health Information that is created, received, maintained, or transmitted by a covered entity or its business associate. PHI relates to an individual’s past, present, or future physical or mental health or condition, the provision of healthcare, or payment for healthcare, and it either identifies the individual or there is a reasonable basis to believe it can identify the individual.

Covered entities include health plans, healthcare clearinghouses, and healthcare providers that conduct standard electronic transactions. Business associates are service providers who create, receive, maintain, or transmit PHI on behalf of a covered entity. PHI applies to any format—electronic, paper, or oral—and the HIPAA Security Rule specifically governs electronic PHI (ePHI) as part of broader Health Information Security obligations.

What makes information “individually identifiable”

Information is identifiable when it can directly or indirectly point to a person. Direct identifiers include names and Social Security numbers. Indirect identifiers include combinations of data—such as dates, geography, and device identifiers—that, together, can single out an individual. HIPAA’s Data De-identification Standards describe how to remove or obfuscate such identifiers.

PHI versus non-PHI health data

Not all health-related data is PHI. To be PHI, the information must be tied to a covered entity or business associate. Consumer wellness data collected by apps or devices outside a HIPAA relationship is typically not PHI, even though other privacy laws may govern it.

Forms and Mediums of PHI

PHI can appear in any medium. You must safeguard PHI consistently across formats because the risk of re-identification and unauthorized disclosure does not depend on the storage medium.

Electronic PHI (ePHI)

  • Electronic health records, patient portals, telehealth recordings, e-prescriptions, and clinical images.
  • Billing systems, claims files, clearinghouse transactions, and eligibility inquiries.
  • Email, secure messaging, mobile apps connected to a provider account, and backups or archives.
  • Metadata such as IP addresses and device IDs, once a covered entity’s systems tie them to an identifiable patient’s health or payment information (for example, portal access logs keyed to a patient account).

Paper and physical records

  • Printed charts, intake forms, referral letters, and mailed statements.
  • Sticky notes, labels, wristbands, appointment sign-in sheets, and faxed documents.
  • Microfilm, optical media, external drives, and printed audit logs.

Verbal and visual information

  • Conversations with patients or family members about diagnosis, treatment, or payment.
  • Voicemail messages and recorded calls that include patient identifiers.
  • Whiteboards and bed boards that display names or clinical details viewable by others.

The 18 Identifiers of PHI

Under HIPAA’s Safe Harbor method, information is de-identified once the following 18 identifiers of the individual (and of the individual’s relatives, employers, and household members) are removed, and the covered entity has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual:

  • Names.
  • All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and equivalent geocodes). The one exception is the initial three digits of a ZIP code, which may be kept when the area formed by all ZIP codes sharing those three digits contains more than 20,000 people; otherwise the prefix must be changed to 000.
  • All elements of dates (except year) directly related to an individual (e.g., birth, admission, discharge, death), and all ages over 89 along with any date elements that would reveal such an age (aggregated as “90 or older”).
  • Telephone numbers.
  • Fax numbers.
  • Email addresses.
  • Social Security numbers.
  • Medical record numbers.
  • Health plan beneficiary numbers.
  • Account numbers.
  • Certificate/license numbers.
  • Vehicle identifiers and serial numbers, including license plate numbers.
  • Device identifiers and serial numbers.
  • Web URLs.
  • IP address numbers.
  • Biometric identifiers (e.g., fingerprints and voiceprints).
  • Full-face photographs and comparable images.
  • Any other unique identifying number, characteristic, or code.

Exclusions from PHI Coverage

HIPAA does not apply to every type of health-related information. Key exclusions include:

  • De-identified data that meets Data De-identification Standards via Safe Harbor (removal of all 18 identifiers and no actual knowledge of identifiability) or Expert Determination (a qualified expert deems re-identification risk very small).
  • Education records and certain treatment records covered by FERPA that are maintained by schools or universities.
  • Employment records held by a covered entity in its role as employer (e.g., occupational health files used solely for HR purposes).
  • Health information about a person who has been deceased for more than 50 years.
  • Health-related data collected and held exclusively by entities that are not covered entities or business associates (for example, a consumer fitness app operating independently of a provider relationship), though other laws may still apply.

Important distinctions

  • A limited data set is not de-identified; it is still PHI but may be used or disclosed for research, public health, or healthcare operations under a data use agreement.
  • Aggregation alone does not guarantee de-identification: small cell sizes or unique combinations of the fields that remain (for example, a three-digit ZIP, birth year, and a rare diagnosis) can still single out an individual.
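The following is an added example, not code from the original article or from Accountable’s product. It implements the Safe Harbor rules listed in the 18-identifier section above (direct identifiers dropped, ZIP codes truncated to three digits with the low-population exception, other dates reduced to year, ages over 89 collapsed, and identifier patterns scrubbed from free text) over a few constructed records, and then applies the small-cell check described in the distinction just above to show that Safe Harbor output can still contain unique combinations. The field names, patient records, reference date and k threshold are assumptions made for the example; the restricted ZIP3 set follows the HHS guidance’s 2000 Census list and must be recomputed from current census data before real use.

```python
"""Safe Harbor scrubber plus small-cell check (added example; constructed data)."""
import re
from datetime import date

# ZIP3 prefixes whose combined population is 20,000 or fewer must become "000".
# List per HHS Safe Harbor guidance (2000 Census); recompute from current data.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}

# Fields dropped outright; these names are assumptions for this example's schema.
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email", "ip", "plan_id"}

# Identifiers that leak into narrative text get replaced by a placeholder label.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "[IP]"),
    (re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4})\b"), "[DATE]"),
]

# Constructed sample records for the example; no real patients.
SAMPLE = [
    {"name": "A. Example", "ssn": "123-45-6789", "mrn": "MRN-0001", "sex": "F",
     "dob": date(1931, 5, 2), "admit": date(2023, 11, 14), "zip": "03601",
     "diagnosis": "E11.9",
     "note": "Spouse reachable at 555-123-4567, see chart from 11/14/2023."},
    {"name": "B. Example", "ssn": "987-65-4321", "mrn": "MRN-0002", "sex": "M",
     "dob": date(1990, 1, 1), "admit": date(2023, 3, 2), "zip": "94110",
     "diagnosis": "I10", "note": "Portal login from 203.0.113.7, b@example.org"},
    {"name": "C. Example", "ssn": "111-22-3333", "mrn": "MRN-0003", "sex": "M",
     "dob": date(1990, 6, 30), "admit": date(2024, 1, 20), "zip": "94117",
     "diagnosis": "I10", "note": "Routine follow-up."},
    {"name": "D. Example", "ssn": "444-55-6666", "mrn": "MRN-0004", "sex": "F",
     "dob": date(1990, 9, 9), "admit": date(2023, 7, 7), "zip": "94103",
     "diagnosis": "J45.20", "note": "Routine follow-up."},
]
AS_OF = date(2024, 2, 15)  # assumed reference date for computing ages


def safe_harbor_zip(zip5):
    """Keep the 3-digit ZIP prefix unless it falls in a low-population area."""
    prefix = zip5[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def safe_harbor_age(birth, as_of):
    """Exact age for 89 and under; everything above collapses to '90+'."""
    age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
    return "90+" if age > 89 else str(age)


def redact_free_text(text):
    """Replace SSN, phone, email, IP and date patterns inside narrative fields."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(rec, as_of=AS_OF):
    """Apply the Safe Harbor rules to one record and return the scrubbed copy."""
    out = {}
    for key, value in rec.items():
        if key in DIRECT_IDENTIFIERS:
            continue                         # identifier removed entirely
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key == "dob":
            out["age"] = safe_harbor_age(value, as_of)
            if out["age"] != "90+":          # birth year allowed only at age <= 89
                out["birth_year"] = value.year
        elif isinstance(value, date):
            out[key + "_year"] = value.year  # every other date keeps the year only
        elif isinstance(value, str):
            out[key] = redact_free_text(value)
        else:
            out[key] = value
    return out


def small_cells(records, quasi_keys, k):
    """Quasi-identifier combinations seen fewer than k times: re-identification risk."""
    counts = {}
    for rec in records:
        cell = tuple(rec.get(q) for q in quasi_keys)
        counts[cell] = counts.get(cell, 0) + 1
    return {cell: n for cell, n in counts.items() if n < k}


def run_example():
    """Scrub the sample set, then flag cells below the assumed threshold k=2."""
    scrubbed = [deidentify(r) for r in SAMPLE]
    risky = small_cells(scrubbed, ("zip3", "birth_year", "sex"), k=2)
    return scrubbed, risky


if __name__ == "__main__":
    scrubbed, risky = run_example()
    for rec in scrubbed:
        print(rec)
    print("cells below k=2:", risky)
```

Two records from the same three-digit ZIP and birth year survive the threshold, while the 90+ patient in a low-population ZIP and the lone female born in 1990 in ZIP 941 do not; those rows would need suppression or coarser bucketing, or the release would need an Expert Determination instead. The free-text regexes are deliberately narrow and are a backstop, not a substitute for keeping identifiers out of narrative fields in the first place.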

Compliance Requirements for Covered Entities

Covered Entity Obligations span the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. You must formalize policies, train your workforce, manage vendors through Business Associate Agreements, and continuously assess risk.

Privacy Rule fundamentals

  • Use and disclosure: limit PHI uses/disclosures to permitted or required purposes; apply the minimum necessary standard.
  • Individual rights: provide timely access, amendment, and an accounting of certain disclosures; issue and honor a clear Notice of Privacy Practices.
  • Governance: designate a privacy official, adopt sanctions for violations, and document policies and procedures.

Security Rule essentials for ePHI

  • Risk analysis and risk management: conduct periodic assessments and implement controls proportionate to risk.
  • Administrative safeguards: workforce training, information access management, contingency planning, and evaluation.
  • Physical safeguards: facility access controls, workstation security, and device/media controls (including secure disposal).
  • Technical safeguards: access control (unique user IDs, role-based access, emergency access, automatic logoff), audit controls, integrity protections, person or entity authentication (in practice, multi-factor authentication), and transmission security such as encryption in transit.

Business Associate Agreements (BAAs)

  • Execute BAAs with vendors that create, receive, maintain, or transmit PHI on your behalf.
  • Specify permitted uses/disclosures, require appropriate safeguards, mandate breach reporting, and flow obligations to subcontractors.

Breach notification and documentation

  • Assess incidents to determine whether unsecured PHI was compromised and notify affected individuals (and, where required, HHS and the media) without unreasonable delay and no later than 60 calendar days after discovery of the breach.
  • Maintain documentation (including policies, risk analyses, and training records) for at least six years from the date of creation or the date it was last in effect, whichever is later.
  • Perform ongoing Privacy Compliance Audits and security evaluations to verify control effectiveness and readiness.

Safeguarding and Handling PHI

Effective Health Information Security blends administrative discipline, robust technology, and physical protections. Your goal is to reduce risk, prove due diligence, and enable safe, compliant care delivery.

Administrative best practices

  • Apply the minimum necessary standard and least-privilege access by role.
  • Provide initial and refresher training; document attendance and comprehension.
  • Vet vendors, maintain an up-to-date inventory of BAAs, and review subcontractor flow-downs.
  • Establish incident response, sanctions, and contingency plans with testing and tabletop exercises.

Technical safeguards in practice

  • Encrypt ePHI in transit and at rest; enable full-disk encryption on laptops and mobile devices.
  • Use MFA, strong passwords, device management, timely patching, and endpoint detection and response.
  • Implement network segmentation, secure remote access, email security (TLS, DLP), and logging with regular audit review.
  • Control data retention and secure backups; monitor for anomalous access and exfiltration.

Physical protections

  • Restrict facility access; secure server rooms and records storage.
  • Use privacy screens, badge access, visitor logs, and clean-desk practices.
  • Shred or securely destroy paper and media; sanitize or destroy retired devices.

Handling scenarios

  • Email and messaging: verify recipients, avoid identifiers in subject lines, and use secure portals for sensitive content.
  • Telehealth: conduct sessions in private spaces, configure platforms securely, and ensure BAAs with telehealth vendors.
  • Remote work: require VPNs, managed devices, screen locks, and prohibition of PHI storage on personal devices.
  • Research and analytics: prefer limited data sets with data use agreements or de-identified data under recognized standards.

Examples of Protected Health Information

  • A clinic note that includes a patient’s name, date of birth, and diagnosis.
  • Lab results linked to a medical record number or account number.
  • An appointment reminder email that includes the patient’s name and the procedure type.
  • Telehealth video files or chat logs tied to a patient portal account.
  • Insurance claims containing subscriber IDs, dates of service, and provider details.
  • Radiology images labeled with full-face photos or embedded device serial numbers linked to a patient.
  • Portal access logs that store IP addresses associated with specific patients.
  • Vehicle license plate numbers documented in an incident report within the medical record.
  • Biometric voiceprints used to authenticate a patient when calling the clinic.

Conclusion

Protected Health Information (PHI) under HIPAA is any Individually Identifiable Health Information held by covered entities or business associates in any form. Knowing the 18 identifiers, the key exclusions, and your Covered Entity Obligations—spanning the HIPAA Privacy Rule, Security Rule, BAAs, and ongoing Privacy Compliance Audits—helps you protect patient trust while enabling data-driven care. Build safeguards into daily workflows, verify vendors, and minimize data exposure by default.

FAQs

What information qualifies as protected health information under HIPAA?

PHI is Individually Identifiable Health Information related to a person’s health status, care, or payment that is created, received, maintained, or transmitted by a covered entity or business associate. It identifies the individual or could reasonably be used to identify them, and it exists in any medium—electronic, paper, or oral.

How do covered entities handle PHI securely?

Covered entities implement administrative, physical, and technical safeguards; apply minimum necessary access; train the workforce; encrypt ePHI; monitor and audit systems; manage vendors through Business Associate Agreements; and conduct regular risk assessments and Privacy Compliance Audits to verify control effectiveness and readiness.

What are the exceptions to PHI under HIPAA?

De-identified data that meets HIPAA’s Data De-identification Standards, education records and certain treatment records under FERPA, employment records held in the employer role, information about individuals deceased for more than 50 years, and health data held solely by non-HIPAA entities are not PHI under HIPAA. A limited data set remains PHI but can be used or disclosed under a data use agreement.

How does HIPAA define business associates in relation to PHI?

A business associate is a person or organization that performs functions or services for a covered entity involving the creation, receipt, maintenance, or transmission of PHI. Business associates must implement safeguards, report incidents, and sign Business Associate Agreements that set permitted uses, required protections, and subcontractor obligations.
