Protected Health Information (PHI) Under HIPAA: Definition, Scope, and What Isn’t PHI
Definition of Protected Health Information
Protected Health Information (PHI) under HIPAA is individually identifiable health information (IIHI) that relates to a person’s past, present, or future physical or mental health, the provision of health care, or payment for care. It must be created or received by a covered entity or its business associate and can exist in any medium—electronic (ePHI), paper, or oral.
Demographic data—such as name, address, birth date, or contact details—become PHI when they can identify an individual in connection with health care or payment. Without a health context or a connection to a covered entity or business associate, demographic data alone are not PHI.
Key elements of the definition
- Identifiability: Data directly identify a person or reasonably allow identification.
- Health nexus: Information concerns health status, care delivered, or payment for care.
- Regulatory actors: Data are created, received, maintained, or transmitted by covered entities or business associates.
- Any form: PHI includes ePHI, paper records, images, and spoken information.
Scope of PHI
The scope of PHI spans the full data lifecycle—collection, use, disclosure, storage, and disposal—within covered entities and business associates. It includes records in EHRs, claims systems, patient portals, call recordings, faxes, backup media, and even whiteboards and voicemail when health-linked.
Use and disclosure are governed by HIPAA’s “minimum necessary” standard, requiring you to limit PHI access to what is needed for the task. De-identification removes PHI from HIPAA’s scope; a limited data set remains PHI but may be disclosed under a data use agreement.
Edge cases that affect the scope
- Consumer apps: Health data in apps not acting for a covered entity may fall outside HIPAA but still raise healthcare data privacy concerns.
- Research: Data created solely for research by non-covered entities may not be PHI; research conducted for a covered entity or with a business associate agreement brings HIPAA into play.
- Incidental disclosures: Minor, unavoidable disclosures (e.g., overheard names) are permitted if reasonable safeguards are in place.
- Hybrid entities: Organizations can designate covered components; PHI is confined to those components.
Examples of PHI Data Types
These examples illustrate common PHI categories; context determines whether the data are PHI. When tied to health care or payment and held by a covered entity or business associate, the following become PHI:
- Demographic data: name, postal address, email, phone, and precise geographic details linked to care.
- Unique numbers: Social Security number, medical record number, account numbers, certificate/license numbers.
- Dates related to care: admission, discharge, procedure dates, birthdates when identifying.
- Device and network identifiers: device IDs, serial numbers, IP addresses, and URLs documented in care or payment workflows.
- Biometric identifiers: fingerprints, voiceprints, retinal/iris scans.
- Images and media: full-face photos, identifiable imaging, and video tied to treatment.
- Clinical content: diagnoses, lab results, medications, care plans, provider notes.
- Financial and insurance: claims, eligibility, payment information, explanations of benefits.
- Communications: appointment reminders, portal messages, and recorded calls that reference care.
Context matters: a phone number in a patient chart is PHI; the same number in a public directory, without a health connection, is not.
Entities Covered by HIPAA
Covered entities are the organizations directly regulated by HIPAA. Business associates are service providers that create, receive, maintain, or transmit PHI on a covered entity's behalf. Both must meet HIPAA compliance obligations appropriate to their roles.
Covered entities include
- Health care providers that conduct standard electronic transactions (e.g., hospitals, clinics, physicians, dentists, chiropractors, pharmacies).
- Health plans (e.g., employer group health plans, individual and small-group plans, Medicare, Medicaid, Medicare Advantage, certain government programs).
- Health care clearinghouses that process nonstandard health information into standard formats.
Business associates commonly include
- IT and cloud vendors, EHR providers, billing and coding firms, claims processors, transcription services.
- Data analytics, telehealth platforms, secure messaging, backup and disaster recovery providers.
- Consultants, law firms, and auditors handling PHI for a covered entity.
Subcontractors of business associates that handle PHI are also business associates. Hybrid entities can limit HIPAA’s reach to designated health components, provided they maintain safeguards at the boundary.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Exclusions from PHI
Understanding what isn’t PHI is as important as knowing what is. The following categories are outside HIPAA’s PHI definition:
- De-identified information: Data from which the 18 Safe Harbor identifier types have been removed (and the entity has no actual knowledge that what remains could identify the individual), or that a qualified expert has documented as carrying a very small re-identification risk (Expert Determination).
- FERPA exemptions: Education records and eligible student treatment records protected by FERPA, not HIPAA.
- Employment records: Information a covered entity holds in its role as employer (e.g., HR files, FMLA forms), even if health-related.
- Information about individuals deceased for 50 years or more.
- Data held by non-covered consumer apps or devices when not acting for a covered entity or business associate.
- Aggregate statistics that cannot identify an individual.
A limited data set is not an exclusion; it remains PHI but may be disclosed for research, public health, or operations under a data use agreement with specified safeguards.
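The Safe Harbor method above is mechanical enough to automate, and the places where automation usually goes wrong are the edge cases: ZIP codes in sparsely populated three-digit areas, birth years that reveal an age of 90 or more, and partial dates. The following Python is an added example written for this page, not code from the original article or from any vendor; the field names, the sample record and the reference year are assumptions, and the small-ZIP-area set is the list HHS published from 2010 Census data, which you should confirm against current HHS guidance before relying on it.

```python
"""Safe Harbor de-identification of a patient record (45 CFR 164.514(b)(2)).

Added example for this page. Removes the direct identifiers, keeps only the
year of dates, collapses ages over 89 into "90+", and truncates ZIP codes to
three digits (or "000" where the three-digit area is too small).
"""
import re
from datetime import date

# Direct identifiers that Safe Harbor removes outright. The field names are
# assumptions for this example; map your own schema onto them.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric_id", "photo", "other_unique_id",
}
# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Three-digit ZIP areas of 20,000 people or fewer must be reported as "000".
# This set follows the HHS-published list (2010 Census); confirm it against
# the current HHS guidance before relying on it.
SMALL_ZIP3_AREAS = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}


def deidentify_zip(zip_code):
    """Truncate a ZIP code to its first three digits, or '000' for small areas."""
    digits = re.sub(r"\D", "", str(zip_code))
    if len(digits) < 3:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in SMALL_ZIP3_AREAS else zip3


def year_only(value):
    """Keep only the year of an ISO-8601 date string ('2024-03-09' -> 2024)."""
    match = re.match(r"\s*(\d{4})-\d{2}-\d{2}", str(value))
    return int(match.group(1)) if match else None


def deidentify_age(age):
    """Ages over 89 collapse into the single category '90+'."""
    return "90+" if age is not None and age >= 90 else age


def deidentify_record(record, as_of_year=None):
    """Return a Safe Harbor de-identified copy of one record (a dict)."""
    as_of_year = as_of_year if as_of_year is not None else date.today().year
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or value is None:
            continue
        if key == "zip":
            out["zip3"] = deidentify_zip(value)
        elif key in DATE_FIELDS:
            out[key[:-len("_date")] + "_year"] = year_only(value)
        elif key == "age":
            out["age"] = deidentify_age(value)
        else:
            out[key] = value  # clinical content is not itself an identifier
    # A birth year alone can reveal an age of 90 or more, so it is dropped too.
    # The check is conservative: a year difference of exactly 90 counts as 90+.
    birth_year = out.get("birth_year")
    if birth_year is not None and as_of_year - birth_year >= 90:
        del out["birth_year"]
        out["age"] = "90+"
    return out


# Constructed sample record for the example; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "medical_record_number": "MRN-000123",
    "email": "jane@example.com",
    "zip": "03601",
    "birth_date": "1931-02-14",
    "admission_date": "2024-03-09",
    "discharge_date": "2024-03-12",
    "age": 93,
    "diagnosis_code": "E11.9",
    "lab_result_a1c": 7.8,
}


def run_sample():
    """De-identify the sample as of 2024: identifiers gone, ZIP '000', age '90+'."""
    return deidentify_record(SAMPLE_RECORD, as_of_year=2024)


if __name__ == "__main__":
    print(run_sample())
```

Note what the code does not do: it cannot satisfy the "no actual knowledge" half of Safe Harbor, and it leaves free-text fields untouched, so a provider note that names the patient would pass through. Free text needs either redaction or the Expert Determination route.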
Compliance Requirements
HIPAA compliance rests on three pillars: the Privacy Rule, the Security Rule, and the Breach Notification Rule. Your program should embed administrative, physical, and technical safeguards and document how you use, disclose, and protect PHI.
Privacy Rule essentials
- Apply the minimum necessary standard and role-based access to PHI.
- Provide a Notice of Privacy Practices and honor individuals' rights of access, amendment, and an accounting of disclosures.
- Obtain a valid authorization for any use or disclosure the Privacy Rule does not otherwise permit or require; treatment, payment, and health care operations, and disclosures such as those required by law or for public health, need no authorization.
Security Rule safeguards for ePHI
- Administrative: risk analysis and risk management, assigned security responsibility, workforce training, and sanctions.
- Physical: facility access controls, device and media controls, secure workstations, proper disposal.
- Technical: access controls with unique user IDs, authentication, audit logging, integrity controls, and transmission security. Encryption at rest and in transit is an addressable specification: implement it, or document why an equivalent alternative is reasonable. Multi-factor authentication is not named in the current rule text, but it is the widely adopted way to meet the authentication standard.
Breach Notification and incident response
- Maintain procedures to detect, investigate, and risk-assess incidents involving PHI.
- Notify affected individuals without unreasonable delay and no later than 60 days after discovery. Breaches affecting 500 or more individuals are reported to HHS at the same time (and to prominent media outlets when those individuals are in one state or jurisdiction); smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year.
Business associate management
- Execute business associate agreements that define permitted uses/disclosures and required safeguards.
- Extend obligations to subcontractors that handle PHI.
Governance and documentation
- Designate privacy and security officers; review policies at least annually.
- Retain required documentation for at least six years and conduct periodic audits.
Protecting PHI in Practice
Practical controls turn policy into protection. The following steps help you operationalize healthcare data privacy and HIPAA compliance every day.
Data lifecycle and access
- Inventory systems that store or transmit PHI and classify data by sensitivity.
- Implement role-based access controls and enforce the minimum necessary standard.
- Use data loss prevention and tokenization or pseudonymization where appropriate.
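Role-based access and the minimum necessary standard are easy to state and easy to undermine: a service that returns the whole chart and relies on the caller to ignore most of it is not enforcing anything. The Python below is an added example for this page, not code from the article or from any product; the roles, field names, sample record and in-memory audit log are assumptions. It returns only the fields a role is permitted to see, refuses (rather than silently trims) a request that reaches beyond the role, and writes an audit entry either way, so over-broad requests show up in the log rather than disappearing.

```python
"""Minimum-necessary, role-based view of a patient record with an audit trail.

Added example for this page. Roles, field names and the sample record are
assumptions constructed for illustration, not a standard HIPAA taxonomy.
"""
from datetime import datetime, timezone

# Which record fields each role may see. In a real system this mapping is
# derived from the role definitions in your minimum-necessary policy.
ROLE_FIELDS = {
    "treating_clinician": {"name", "birth_date", "diagnoses", "medications",
                           "lab_results", "care_plan"},
    "billing_clerk": {"name", "birth_date", "health_plan_id", "claims"},
    "scheduler": {"name", "phone", "next_appointment"},
}

# In production this goes to a centralized, append-only log (see logging below).
AUDIT_LOG = []


class AccessDenied(Exception):
    """Raised when a request exceeds what the caller's role may see."""


def _audit(user, role, patient_id, fields, outcome):
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "patient_id": patient_id,
        "fields": sorted(fields),
        "outcome": outcome,
    })


def minimum_necessary_view(record, user, role, requested=None):
    """Return only the fields the role is permitted to see, or refuse.

    requested: the fields the caller says it needs; defaults to everything
    the role is allowed. Any field outside the role's allowance is refused
    outright and logged, so over-broad requests surface in the audit trail.
    """
    patient_id = record.get("patient_id")
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        _audit(user, role, patient_id, requested or [], "denied: unknown role")
        raise AccessDenied(f"role {role!r} is not authorized for PHI")
    wanted = set(requested) if requested is not None else set(allowed)
    excess = wanted - allowed
    if excess:
        _audit(user, role, patient_id, wanted, "denied: exceeds role")
        raise AccessDenied(f"role {role!r} may not access {sorted(excess)}")
    view = {name: record[name] for name in wanted if name in record}
    _audit(user, role, patient_id, wanted, "granted")
    return view


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Sample Patient",
    "birth_date": "1964-05-01",
    "phone": "555-0100",
    "health_plan_id": "HP-12345",
    "diagnoses": ["E11.9"],
    "medications": ["metformin 500 mg"],
    "lab_results": {"a1c": 7.8},
    "care_plan": "diet and exercise counseling",
    "claims": ["CLM-77"],
    "next_appointment": "2024-07-01",
}


if __name__ == "__main__":
    print(minimum_necessary_view(SAMPLE_RECORD, "dr.lee", "treating_clinician",
                                 ["diagnoses", "medications"]))
    try:
        minimum_necessary_view(SAMPLE_RECORD, "front.desk", "scheduler", ["diagnoses"])
    except AccessDenied as exc:
        print("refused:", exc)
    print(AUDIT_LOG)
```

The choice to deny rather than trim is deliberate: trimming would make a caller that always asks for the full chart indistinguishable in the logs from one that asks for exactly what it needs, and the log is what an investigation or an accounting of disclosures will rely on.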
Technology safeguards
- Encrypt ePHI at rest and in transit; enable TLS for email and portals.
- Adopt multi-factor authentication, strong passwords, and session timeouts.
- Harden endpoints and mobile devices with MDM, patching, and remote wipe; restrict removable media.
- Centralize logging, monitor for anomalies, and regularly test backups and recovery.
Workforce and third parties
- Provide role-specific training and phishing simulations; document sanctions for violations.
- Conduct vendor due diligence, execute BAAs, and monitor subcontractors that handle PHI.
- Establish secure messaging and telehealth practices; prohibit unapproved texting of PHI.
Conclusion
PHI under HIPAA is individually identifiable health information connected to care or payment and held by covered entities or business associates. Knowing the scope, common examples, and clear exclusions—especially de-identified data, employment records, and FERPA exemptions—helps you apply the right safeguards. Pair strong governance with practical controls to protect PHI and sustain HIPAA compliance.
FAQs
What qualifies as Protected Health Information under HIPAA?
PHI is individually identifiable health information about a person’s health status, care, or payment that a covered entity or business associate creates, receives, maintains, or transmits. It includes identifiers plus clinical, administrative, and financial details in any medium when linked to health care.
How does HIPAA define covered entities?
Covered entities are health care providers that conduct standard electronic transactions, health plans, and health care clearinghouses. They are directly regulated by HIPAA and must safeguard PHI; their business associates must do so as well when handling PHI on their behalf.
What types of information are excluded from PHI?
De-identified data, FERPA-protected education and eligible student treatment records, employment records held by an employer, aggregate non-identifiable statistics, data in non-covered consumer apps, and information about individuals deceased for 50 years or more are not PHI. A limited data set remains PHI, subject to a data use agreement.
How is PHI protected under HIPAA?
PHI is protected through Privacy Rule limits on uses and disclosures, Security Rule administrative, physical, and technical safeguards for ePHI, and Breach Notification Rule requirements. Core practices include minimum necessary access, encryption, audit logging, workforce training, incident response, and business associate oversight.